
403
Chapter 17 ✦ Mail Servers — Postfix, Qpopper, and Cyrus
Dial-up server configuration
This scenario is unlikely to be used these days as most mail clients hold off from sending mail
when you are offline, but the configuration is still relevant to other situations.
When you do not have a constant connection to the Internet, it is a good idea to stop Postfix
from attempting to send mail when it is not connected. To do this, you tell Postfix to defer
delivery over SMTP until you ask for it, using the defer_transports parameter in
/etc/postfix/main.cf:
defer_transports = smtp
When the machine is connected to the Internet, you then need to tell Postfix to deliver the mail
it has queued. The sendmail command, which Postfix provides for compatibility, flushes the
queue when given -q:
sendmail -q
When the command has completed, use the mailq command to check whether your mails have
been sent. The mailq command also tells you if there are any mails stuck in the queue for any
reason. Common problems are that Postfix cannot reach another mail server because of
connectivity problems, or that local mail cannot be delivered because a user is over quota.
To stop your machine from needlessly trying to look up host names when processing mail in
the queue, turn off MX lookups via DNS by changing the disable_dns_lookups parameter from
its default of no:
disable_dns_lookups = yes
Usually if you are on a dial-up, you will pass all of your mail to another, dedicated mail server
for further handling, in which case you configure a relay host using the relayhost parameter:
relayhost = mail.palmcoder.net
Now, any mail that is not local to your mail server will be sent via SMTP to the machine
mail.palmcoder.net. Postfix treats a bare name here as a domain and looks up its MX records
first; write the name in square brackets, [mail.palmcoder.net], to skip the MX lookup and
connect to that host directly.


Note: The relayhost parameter is also used in larger sites, where departmental mail servers
pass mail through the organization to a central mail hub.
Stopping spam
Spam, or UCE (unsolicited commercial email), is the bane of any Internet user's life, and an
administrator is more than aware of how much mail is worthless junk. To combat this, you
can use Postfix's UCE controls to limit the amount of spam that travels through your systems.
We have already touched upon restricting relaying through your mail server, which is part of
the spam problem. Another way to stop spam is to insist that connections to the mail server
follow the SMTP RFCs. With this comes an increased risk of false positives. A false positive
happens when Postfix sees a non-standard connection and rejects legitimate mail. This can
happen when the sending mail server does not properly conform to the RFC, not because it is
malicious, but because mail servers have traditionally been lenient about slight errors in the
way an SMTP transaction takes place, and some senders rely on that leniency.
26_577395 ch17.qxd 12/15/04 12:39 AM Page 403
Part IV ✦ Implementing Network Services in SUSE Linux
To be more stringent about what a connecting machine may send to Postfix, you can restrict
the sender addresses it presents with the smtpd_sender_restrictions parameter. Consider the
following example (the continuation line must start with whitespace):
smtpd_sender_restrictions = reject_unknown_sender_domain,
    reject_non_fqdn_sender, permit
This rejects any mail from a sender whose domain does not exist in the Internet domain name
system, which stops spammers from using a fictitious domain in their MAIL FROM: clause. The
rejection uses code 450 by default (unknown_address_reject_code), a temporary failure, so that
a legitimate sender whose DNS was briefly unreachable retries later instead of bouncing.
reject_non_fqdn_sender rejects any mail where the MAIL FROM: address does not carry a
fully qualified domain name (of the form domain.tld). Restrictions are evaluated left to right
and the first one that matches decides, so a cheap syntactic check such as
reject_non_fqdn_sender is best placed before checks that need a DNS lookup.

Note: A TLD, or top-level domain, is the last label of a name: .com, .org, .net, .uk, and so on,
as defined and controlled for the Internet by IANA and the registries (names such as .co.uk
are second-level domains delegated under a country-code TLD). An Internet fully qualified
domain name (FQDN) is always composed of at least one label under a TLD. For example,
palmcoder.net is an FQDN.
Restricting client connections to a mail server is always tricky because false positives
drastically affect what mail you receive. To help with this, RBL (Realtime Blackhole List,
also called DNSBL) servers publish in DNS the addresses of known spam sources, so that you
can reject connections from them as they arrive. This hands a large proportion of your spam
catching to a trusted, free service, but it also means that you trust that service's listing
policy and its continued operation.
To enable RBL lookups, use the reject_rbl_client restriction in smtpd_client_restrictions:
smtpd_client_restrictions = permit_mynetworks, reject_rbl_client
    relays.ordb.org, reject_unknown_client
This allows connections from mynetworks, rejects mail from clients listed in the ordb
database, and also rejects mail from unknown clients, that is, clients whose IP address has
no PTR record or whose PTR name does not resolve back to that address. Keep
permit_mynetworks first, so that your own hosts are never subjected to the later checks.
Two caveats: reject_unknown_client is a frequent source of false positives, since many
legitimate servers sit behind badly maintained reverse DNS; and a blacklist you depend on
can disappear. The relays.ordb.org list used in this example was shut down at the end of
2006 and later began answering every query positively, which made sites still querying it
reject all incoming mail. Check that a list is alive and read its policy before configuring it.
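The following is an added example, not Postfix code and not part of the original chapter. It models the left-to-right, first-match-wins evaluation that both restriction lists above rely on, using constructed stand-ins for DNS so that it runs offline: the RBL zone contents, the set of resolvable sender domains, the mynetworks ranges and every IP address and sender are made up. reject_unknown_client is omitted because it needs real reverse DNS. It shows why permit_mynetworks has to come before reject_rbl_client, what ordering does to the two sender checks, and what a dead blacklist that answers every query does to your inbound mail.

```python
"""Toy model of how Postfix walks an smtpd restriction list.

Added example for this chapter, not Postfix code.  DNS is replaced by
constructed tables so it runs offline; networks, addresses and domains
are made up.  Reply codes are Postfix's defaults for each restriction."""
import ipaddress

# Constructed stand-in for DNS.  A listed address in a DNSBL answers
# with a 127.0.0.x A record; an unlisted one gets no answer.
RBL_ZONES = {
    "relays.ordb.org": {
        "2.0.0.10.relays.ordb.org": "127.0.0.2",      # an outside spam source
        "20.1.168.192.relays.ordb.org": "127.0.0.2",  # one of our own hosts, wrongly listed
    },
}
# A zone that has died and now answers positively for every query.
DEAD_ZONES = {"relays.ordb.org": {"*": "127.0.0.2"}}
# Sender domains that resolve (have an MX or A record).
KNOWN_DOMAINS = {"palmcoder.net", "suse.com"}
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.168.1.0/24")]


def rbl_query_name(client_ip, zone):
    """DNSBL query: reversed octets of the client address under the zone."""
    return ".".join(reversed(client_ip.split("."))) + "." + zone


def is_fqdn(domain):
    """reject_non_fqdn_sender: at least two non-empty labels made of
    letters, digits and hyphens."""
    labels = domain.split(".")
    return len(labels) >= 2 and all(
        lab and lab.replace("-", "").isalnum() for lab in labels)


def evaluate(restrictions, client_ip, sender, rbl_zones=RBL_ZONES):
    """Walk the list in order; the first permit or reject decides.
    Returns (action, smtp_code, reason)."""
    addr = ipaddress.ip_address(client_ip)
    domain = sender.rpartition("@")[2]
    for item in restrictions:
        name, _, arg = item.partition(" ")
        if name == "permit_mynetworks":
            if any(addr in net for net in MYNETWORKS):
                return ("PERMIT", 250, "client in mynetworks")
        elif name == "reject_rbl_client":
            zone = rbl_zones.get(arg, {})
            if "*" in zone or rbl_query_name(client_ip, arg) in zone:
                return ("REJECT", 554, "%s blocked using %s" % (client_ip, arg))
        elif name == "reject_non_fqdn_sender":
            if not is_fqdn(domain):
                return ("REJECT", 504, "<%s>: sender address must be fully qualified" % sender)
        elif name == "reject_unknown_sender_domain":
            if domain not in KNOWN_DOMAINS:
                return ("REJECT", 450, "<%s>: sender domain not found" % sender)
        elif name == "permit":
            return ("PERMIT", 250, "explicit permit")
    return ("PERMIT", 250, "end of list")  # Postfix permits when the list runs out


# The two restriction lists from the text, as Postfix parses them.
CLIENT_RESTRICTIONS = ["permit_mynetworks", "reject_rbl_client relays.ordb.org"]
SENDER_RESTRICTIONS = ["reject_unknown_sender_domain", "reject_non_fqdn_sender", "permit"]

if __name__ == "__main__":
    for ip in ("192.168.1.20", "10.0.0.2", "10.0.0.3"):
        print(ip, evaluate(CLIENT_RESTRICTIONS, ip, "x@palmcoder.net"))
    print("dead list:", evaluate(CLIENT_RESTRICTIONS, "10.0.0.3", "x@palmcoder.net", DEAD_ZONES))
    for s in ("justin@palmcoder.net", "justin@bible", "justin@nowhere.example"):
        print(s, evaluate(SENDER_RESTRICTIONS, "10.0.0.3", s))
```

Swapping the two entries in CLIENT_RESTRICTIONS makes the wrongly listed internal host 192.168.1.20 bounce, and the dead zone rejects every outside client while mynetworks still gets through, which is the failure mode the ORDB shutdown produced for real.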
This just scratches the surface of what can be done with Postfix but gives you enough to get
started configuring your own mail server. The Postfix documentation is some of the best out
there and can be found at the Postfix site at www.postfix.org.
Qpopper
When your MTA is configured, you need to be able to access your mail using a mail client by
connecting to an MDA. You have three ways of remotely accessing your mail:
✦ By logging into the server and accessing the mail spool directly
✦ Via Internet Message Access Protocol (IMAP)
✦ Via Post Office Protocol (POP3)
We will talk about POP3 and IMAP in this section of the chapter, starting with POP3.
POP3 enables you to download your mail from a server and store it on your local disk. By
default, once a message has been retrieved it is deleted from the server, although most clients
can be told to leave copies there. POP3 is a good mail storage option for laptop users as your
mail is always local to your machine.
IMAP takes a different approach by always storing your mail messages on the server. This
gives you the added benefit of being able to access all of your mail (including subfolders)
wherever you are. If you use POP3, you can see the mail you have downloaded only when you
have with you the laptop or desktop machine you downloaded it to.
One of the best POP3 servers is Qpopper. In addition to being something of a standard for
POP3 retrieval, it is actively maintained and supports authentication methods beyond the
standard cleartext username and password, namely APOP (a challenge-response digest) and,
from version 4.0, TLS. Plain POP3 sends the password in the clear on every connection, so one
of these should be used whenever clients connect over an untrusted network.
When you have installed Qpopper, you need to enable POP3 access in /etc/inetd.conf. Open
/etc/inetd.conf and uncomment the popper line relating to POP3 (see Listing 17-3).
Listing 17-3: Enabling Qpopper in inetd
# Pop et al
#
# pop2 stream tcp nowait root /usr/sbin/tcpd ipop2d
# pop3 stream tcp nowait root /usr/sbin/tcpd ipop3d
# pop3s stream tcp nowait root /usr/sbin/tcpd ipop3d
pop3 stream tcp nowait root /usr/sbin/tcpd /usr/sbin/popper -s
#
The network process inetd accepts connections on standard ports and passes control to a
specific application. Whereas Postfix listens on port 25 in daemon mode, Qpopper relies on
inetd to provide its listening service. Because the line above wraps popper in tcpd, access
can also be limited by host in /etc/hosts.allow and /etc/hosts.deny.
Once enabled, start inetd to enable POP3 access to your mail.
bible:~ # rcinetd start
Starting inetd done
Once started, you can test connectivity with Telnet, as we discuss in more detail in Chapter 15.
Listing 17-4 shows an example.
Listing 17-4: Testing the POP3 Server with Telnet
bible:~ # telnet localhost 110
Trying 127.0.0.1
Connected to localhost.
Escape character is '^]'.
+OK ready <2282.1088970620@bible>
user justin
+OK Password required for justin.
pass password
+OK justin has 1 visible message (0 hidden) in 544 octets.
As you can see, the user justin has one unread mail that is 544 octets in length. Note also that
the username and password crossed the network in clear text; anyone able to capture the session
now has the account password, which is why APOP or TLS matters as soon as POP3 is offered beyond
the local host.
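The following is an added example, not Qpopper code and not part of the original chapter. It shows the APOP alternative to the USER/PASS exchange in Listing 17-4: the client hashes the server's one-time greeting banner together with the shared secret, so the secret itself never crosses the wire and a captured digest cannot be replayed against a later greeting. Both the client side and the server-side check are shown. The greeting string, user name and password are constructed for the example.

```python
"""APOP (RFC 1939, section 7) for the POP3 dialogue tested above.

Added example, not Qpopper code.  The greeting, user and secret are
constructed; the greeting has the same shape as the one in Listing 17-4."""
import hashlib
import hmac
import re

GREETING = "+OK ready <2282.1088970620@bible>"

_BANNER = re.compile(r"<[^<>]+@[^<>]+>")


def timestamp_from_greeting(greeting):
    """Return the <process-ID.clock@hostname> banner, brackets included;
    the client must hash it exactly as received.  None when the server
    offers no timestamp, in which case APOP is unavailable."""
    m = _BANNER.search(greeting)
    return m.group(0) if m else None


def apop_digest(timestamp, secret):
    """MD5 over the timestamp followed by the shared secret, rendered as
    32 lowercase hex digits as the RFC requires."""
    return hashlib.md5((timestamp + secret).encode("utf-8")).hexdigest()


def apop_command(user, greeting, secret):
    """Build the single command the client sends instead of USER/PASS."""
    ts = timestamp_from_greeting(greeting)
    if ts is None:
        raise ValueError("server greeting carries no timestamp; APOP unavailable")
    return "APOP %s %s" % (user, apop_digest(ts, secret))


def server_verify(greeting, command, secrets):
    """Server side: recompute the digest from the secret stored for the
    user and compare in constant time.  secrets maps user -> secret; APOP
    therefore needs the server to keep passwords in recoverable form."""
    parts = command.split()
    if len(parts) != 3 or parts[0] != "APOP" or parts[1] not in secrets:
        return False
    ts = timestamp_from_greeting(greeting)
    if ts is None:
        return False
    expected = apop_digest(ts, secrets[parts[1]])
    return hmac.compare_digest(expected, parts[2].lower())


if __name__ == "__main__":
    cmd = apop_command("justin", GREETING, "password")
    print("C:", cmd)
    ok = server_verify(GREETING, cmd, {"justin": "password"})
    print("S:", "+OK justin has 1 visible message" if ok else "-ERR authentication failed")
```

Two properties worth checking against the code: the same command is rejected when it is replayed against a different greeting, and the server can only verify it because it holds the cleartext secret, which is the trade-off that makes TLS (pop3s) the better choice where both ends support it.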
You can pass other parameters to Qpopper to extend its functionality. For example, if you
want to allow your users to enter their usernames in uppercase or mixed case, add -c to the
Qpopper command line in inetd.conf. Another common parameter is -R, which disables reverse
name lookups, so that the client's IP address rather than its host name is recorded in the
system log (and a slow or broken reverse DNS no longer delays logins).
If you want to store your Qpopper options in a configuration file instead of specifying them
on the command line in inetd.conf, call Qpopper with the -f parameter (to set the
configuration file):

# Pop et al
#
# pop2 stream tcp nowait root /usr/sbin/tcpd ipop2d
# pop3 stream tcp nowait root /usr/sbin/tcpd ipop3d
# pop3s stream tcp nowait root /usr/sbin/tcpd ipop3d
pop3 stream tcp nowait root /usr/sbin/tcpd /usr/sbin/popper -f /etc/qpopper.conf
#
If you want to set the parameters discussed previously in the qpopper.conf configuration file,
you have to use the full text form of each option:
set statistics
set downcase-user
set reverse-lookup=false
Qpopper has many options that you can enable on the command line in /etc/inetd.conf or by
specifying a configuration file on the command line containing parameters. For more information
on what you can do with Qpopper, take a look at the popper(8) man page.
Fetchmail
In certain situations, you may need to "pull" your email from a POP or IMAP server to your
local mail server. The fetchmail program was designed to contact a POP or IMAP server, fetch
the mail, and then pass it to your local SMTP server for delivery.
For fetchmail to run successfully, you need to know the address of the server, the username,
the password, and the protocol to use (POP3 or IMAP).
The fetchmail program then connects to that server and hands the messages to your SMTP
server for further processing. When you run fetchmail with the required options, it delivers
mail to the user you are running the command as.
justin@bible:~> fetchmail mail.bible.suse.com -p pop3
Enter password for :
1 message for justin at mail.bible.suse.com (720 octets).
reading message :1 of 1 (720 octets) flushed
In the example, the user is currently logged in as justin, so the mail will be delivered via
SMTP to the user justin@localhost.
In the fetchmail run in the previous example, we told fetchmail the server (mail.bible.suse.com)
and the protocol (-p pop3). The fetchmail program is clever enough to know that we also need a
password, so it asks us for it. Once a message has been "flushed" (deleted on the server), it has
been handed to SMTP. For unattended runs, put the server, user and password in ~/.fetchmailrc
rather than on the command line, where other users could read them from the process list;
fetchmail refuses to start if that file is readable by anyone but its owner. If the server
offers it, add the ssl option so that the password does not cross the network in the clear.
If you are using a dial-up Postfix configuration, you can use fetchmail to automatically
download your POP mail into your mail server via SMTP. Some Internet service providers (ISPs)
routinely poll a static IP address that you have been assigned and deliver your mail through
SMTP automatically, but these services usually cost more money and are few and far between.
Cyrus IMAPD
POP3 is a good mail delivery agent for most situations, but if you like your mail controlled
from a central server, with access to all your mail and folders from a remote site regardless
of whether your mail is stored locally, then IMAP is the answer.
IMAP is a connection-based protocol, which means that you need a connection to the server to
read your mail. Some MUAs allow you to take a copy of your mail offline for reading while not
connected, but at the end of the day the server holds the up-to-date representation of your
mail.
There are two main contenders in the Unix IMAP server space, UW IMAP from the University of
Washington and Cyrus IMAPD. Both are extremely good at what they do, and we have chosen Cyrus
as our focus because it is the IMAP server of choice for SUSE (it is the IMAP server used in
OpenExchange).
The Cyrus IMAP server is extremely scalable and is capable of handling thousands of mail
accounts. If more scalability is needed, you can use a Cyrus Murder (a cluster of Cyrus servers)
to provide a distributed IMAP server farm.
To use Cyrus, you need to add a system user (in our case, we will use justin) to the Cyrus
mailbox database. Authentication is still checked against the user's system password (via
saslauthd, described below), but the Cyrus database needs to provide a namespace for the user,
including folders and access control lists.
Configuring the Cyrus user
When Cyrus has been installed through YaST, a few administrative tasks need to take place
before you can log in as a user. First, we need to talk about how Cyrus works and interacts
with the system. The Cyrus IMAP process is controlled by the user cyrus. With most daemon
processes, the user that "owns" the process is usually a placeholder to run the daemon and
nothing else. In the case of Cyrus, the cyrus system user plays an important part by not only
running the IMAPD process, but also being the user that IMAP administration is conducted under.
With this in mind, you need to set a password for the cyrus user. To do this, as root, run the
passwd command for the cyrus user:
bible:~ # passwd cyrus
Changing password for cyrus.
New password:
Re-enter new password:
Password changed
Choose this password as carefully as root's: whoever authenticates as cyrus is a Cyrus
administrator and can grant themselves access to, or delete, every mailbox on the server.
Once set, you need to start the cyrus and saslauthd services.
The saslauthd service is the Cyrus SASL authentication daemon. SASL is a general-purpose
authentication framework that can be used both in a client and in a server. Cyrus IMAP relies
on the SASL library to provide authentication services; on SUSE, saslauthd is configured to
check passwords through PAM by default, which is how the system password comes to be used.
Adding users to Cyrus
When those services are started, you need to add users to the Cyrus database to provide mail
services for them. We will take the user justin (who must exist on the system) as an example.
To add a user to the Cyrus system, become the cyrus user and connect to the Cyrus IMAP server
with the cyradm command (the Cyrus administration tool):
bible:~ # su - cyrus
cyrus@bible:~> cyradm localhost
IMAP Password:
localhost>
Once connected, you can use the cm (create mailbox) command to create the user justin's
inbox:
localhost> cm user.justin
localhost> lm
user.justin (\HasNoChildren)
localhost>
Here you have told Cyrus to create the mailbox user.justin. This may seem odd, but it is the
standard way to configure Cyrus for user mailboxes. Cyrus works on a hierarchical mailbox
structure, not only for the users, but also for system mailboxes. These system mailboxes could
be mailboxes that are shared between many users for bulletins, for example.
Creating a shared mailbox
If you want to create a mailbox that is shared between certain users, use the cm command to
create the mailbox and then set the access control list (ACL) for users on the mailbox.
For example, if you have three users, justin, roger, and aimee, on the system, and you want
them to be able to store and view messages in this folder, but not to delete any, you can look
up the access control codes in Table 17-1 and set the ACL on that folder using the sam command
(set ACL on mailbox).
Note: If you ever need to find out what Cyrus commands you can use, type help in the Cyrus
command shell.
Table 17-1: Cyrus ACL Settings
ACL Code  Description
l         List the folder, that is, be able to view the folder in a folder list
r         Read contents of folder
s         Set the seen flag on a message in the folder
w         Write flags other than seen and deleted on messages in the folder
i         Insert or append a message to the folder
p         Post: send a mail to the folder (the right the deliver program uses)
c         Create a subfolder or delete the folder
d         Delete a message in the folder (set the \Deleted flag and expunge)
a         Administer the folder, that is, set its ACLs
To set an ACL on the folder, you need three pieces of information: the user you wish to set the
ACL for, the mailbox, and the ACL settings themselves. Consider the example in Listing 17-5,
which assumes the mailbox share has already been created with cm share.
Listing 17-5: Setting ACLs on a Shared Mailbox
localhost> sam share aimee lrwsip
localhost> sam share roger lrwsip
localhost> sam share justin lrwsip
localhost> lam share
roger lrswip
justin lrswip
anyone lrs
aimee lrswip
Here, we have allowed the users justin, roger, and aimee to list the folder, read its contents,
set the seen and other flags on a message, append a message to the folder, and also send a
message directly to the folder. We have not given them the d right, so they cannot delete any
messages, which is what we originally wanted. Note the fourth entry, which we did not set: a
new top-level shared mailbox starts with the ACL from the defaultacl setting in imapd.conf,
which ships as anyone lrs, so every authenticated user can list and read the folder. If the
folder is meant for these three users only, remove that entry with sam share anyone none
(or dam share anyone).
Once set, the ACLs come into effect immediately. Copying mails to the shared folder will work,
but deleting them will not. This allows you as the administrator to set up a non-volatile,
non-destructive mail store for a group of users with fine-grained access controls.
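The following is an added example, not Cyrus code and not part of the original chapter. It models the ACL arithmetic that cyradm's sam, dam and lam perform on a mailbox, replays Listing 17-5, and makes the point about the anyone entry concrete: a user who was never named in any sam command can still read the shared folder until that entry is removed. The defaultacl value is the one Cyrus ships with; the mailbox and user names are those used in the text.

```python
"""Model of Cyrus IMAP mailbox ACLs as cyradm's sam, dam and lam see them.

Added example, not Cyrus code.  It replays Listing 17-5 and shows where
the 'anyone lrs' entry in the lam output comes from: imapd.conf's
defaultacl, whose shipped value is exactly that."""

# The right letters from Table 17-1, in the order lam prints them.
RIGHTS = "lrswipcda"


def normalize(rights):
    """Keep known letters once each, in canonical order: lam shows
    'lrswip' for the 'lrwsip' that was typed."""
    return "".join(c for c in RIGHTS if c in rights)


def sam(acl, identifier, rights):
    """setaclmailbox.  'none' removes the entry; a leading + or - adds or
    removes individual rights; anything else replaces the entry."""
    if rights == "none":
        acl.pop(identifier, None)
        return acl
    current = acl.get(identifier, "")
    if rights.startswith("+"):
        new = normalize(current + rights[1:])
    elif rights.startswith("-"):
        new = normalize("".join(c for c in current if c not in rights[1:]))
    else:
        new = normalize(rights)
    if new:
        acl[identifier] = new
    else:
        acl.pop(identifier, None)
    return acl


def dam(acl, identifier):
    """deleteaclmailbox: the same as sam <mailbox> <identifier> none."""
    return sam(acl, identifier, "none")


def create_shared(defaultacl="anyone lrs"):
    """cm on a top-level non-user mailbox: the ACL starts from imapd.conf's
    defaultacl, so a fresh shared folder is listable and readable by every
    authenticated user until that entry is changed."""
    ident, rights = defaultacl.split()
    return {ident: normalize(rights)}


def effective_rights(acl, user):
    """Rights Cyrus grants a user: the union of the user's own entry and
    'anyone', minus any negative entry for '-user'."""
    granted = set(acl.get(user, "")) | set(acl.get("anyone", ""))
    granted -= set(acl.get("-" + user, ""))
    return normalize("".join(granted))


def can(acl, user, right):
    return right in effective_rights(acl, user)


def lam(acl):
    """listaclmailbox output, one 'identifier rights' line per entry."""
    return "\n".join("%s %s" % (k, v) for k, v in acl.items())


if __name__ == "__main__":
    share = create_shared()
    for who in ("aimee", "roger", "justin"):
        sam(share, who, "lrwsip")
    print(lam(share))
    print("justin can delete:", can(share, "justin", "d"))  # False, as intended
    print("bob can read:", can(share, "bob", "r"))          # True, via 'anyone'
    dam(share, "anyone")
    print("bob can read:", can(share, "bob", "r"))          # False
```

The negative-identifier form (an entry for -bob) is how Cyrus lets you keep a broad anyone grant while excluding a named user, which is occasionally more convenient than enumerating everybody who should have access.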
Integrating Cyrus and Postfix
So now that you know how Cyrus works, you need to set up Postfix to use Cyrus to store the
users' mail.
In /etc/postfix/main.cf, we need to set mailbox_transport to the service cyrus. The service
cyrus is preconfigured in /etc/postfix/master.cf. This file contains definitions for SMTP
services as well as any user-defined services that can be used in parameters such as
mailbox_transport. So you edit /etc/postfix/main.cf and change mailbox_transport as follows:
mailbox_transport = cyrus
When /etc/postfix/main.cf is edited, restart Postfix with rcpostfix restart.
Tip: To make sure Postfix or any other service (such as inetd, or cyrus in this chapter) starts
when you boot the system, use chkconfig -a servicename.
Any mail sent to users will now be delivered to their mailbox using the cyrus service. The
cyrus service calls the Cyrus deliver command to take the mail message and deliver it to the
defined user's IMAP mailbox for his or her retrieval instead of the local mail spool.
Setting an alias for root’s mail in Cyrus
One thing that you need to consider when using Cyrus in this type of environment is that mail
to a user who does not have a mailbox in the Cyrus database will be rejected by Cyrus and
bounced. This is especially true for the root user. It is not a good idea to store the root
user's mail in Cyrus, so most people configure an alias for root's mail to be delivered to a
non-administrative user, which also means nobody has to log in to the mail server as root just
to read it. Here we configure root's mail to be delivered to the user justin:
1. Open the file /etc/aliases and add an entry for the root user:
root: justin
This tells Postfix that any mail for root should actually be delivered to the user justin.
2. When /etc/aliases is edited, run the postalias command to rebuild the lookup table:
bible:~ # postalias /etc/aliases
3. Then reload Postfix (rcpostfix reload) so that it picks up the new table.
Choosing a Mail Client
When your mail server is configured, you need to be able to read your email. You will find
many mail clients available, the most popular being mutt, pine, kmail, and evolution. We
briefly describe the benefits of each and where they are most commonly used.
The command-line clients
If you have only command-line access to your mail, you will probably want to use mail or mutt.
mail
The mail command is the most basic mail client of all and is used to send and receive mail
from the command line. If you want to send mail with the mail command, just enter mail followed
by the address of the person you wish to send mail to (here the local user justin, whose mailbox
is read in the next example):
bible:~ # mail justin
Subject: Hello there
This is a test
.
EOT
Here, we have been asked for the subject of the mail, and we are then ready to type our mail
message. Notice that at no point during this transaction are we given guidance on what to do.
This is stereotypical Unix commands at their best!
When the message has been entered, you then need to enter a period on a line by itself and
press Enter/Return. This sends the mail to the recipient specified.
To read mail with the mail command, just enter mail at the command line and press Enter/Return.
You are then presented with a list of mails in your mailbox that you can read. To read a
message, just enter the number of the mail you wish to read:
bible:~ # mail
mailx version nail 10.6 11/15/03. Type ? for help.
"/var/mail/justin": 1 message 1 new
>N 1 Thu Sep 30 11:30 14/452 "Hello there"
&
Pressing 1 and Return will then show you the mail message you just sent.
mail is installed by default on most Unix systems and can be used as a last resort to read
your mail. It is also useful because you can call the mail command from a shell script if you
have a list of email addresses you need to send something to (but not for spam).
mutt
mutt is a more feature-filled command-line mail client that can display your mail in a
formatted list and also threads mail messages. It is a lot more interactive than mail, but can
be used on the command line as your daily mail client. If you wish to use mutt, install it
through the YaST package manager.
The graphical mail clients
For Linux users, the choice of mail client usually boils down to the desktop product they use.
KDE comes with the kmail client, whereas Gnome comes with the Evolution mail client. Both are
quite different beasts.
kmail
kmail is a very nice, well-rounded mail client that can connect to POP, IMAP, and also local
mail spools to read your mail. You can set up mail rules to file mail in specific folders based
on certain parameters and can also connect to mail servers over SSL, which you should do
whenever your mail server offers it.
Evolution
Evolution is more of an "Outlook for Linux" application in that it incorporates not only mail,
but calendaring, address book, and tasks under the same roof. Whereas with kmail you use
separate applications for this functionality, Evolution has them built in.
Note: Recently, Ximian open sourced their Connector product, which also allows you to connect
your Ximian Evolution client to a Microsoft Exchange 2000/2003 server and access your
calendars and so on.
Mail Systems on Linux
Mail on Linux is a funny thing; there are many ways to provide mail services on any Unix in
general, from using sendmail or Postfix as an MTA to Qpopper or Cyrus as an MDA, all the
way to choosing from among numerous MUAs for reading your mail. At the end of the day, it
is up to you how you want to configure mail on your system. We’ve given you enough infor-
mation to proceed, and you will quickly find the variety of choices available will allow you to
implement a solution that fits your situation.
✦✦✦
Chapter 18 ✦ Setting Up Windows Interoperability with Samba
In This Chapter
✦ Setting up a Samba client
✦ Setting up a Samba server
✦ Using Winbind
✦ Samba command-line utilities
Regardless of how you feel about Microsoft Windows, it's impossible to ignore that most
businesses use it for their day-to-day activities. The prevalence of Windows makes it important
for Linux systems to be able to access Windows resources such as Windows file servers and
printers. Similarly, the power of Linux as a corporate computing resource makes it important for
Windows systems to be able to access file servers and printers that may run on Linux systems.
Interoperability with other types of computer systems and network communication mechanisms is
an important aspect of the power and flexibility of Linux and is one of the keys to its being
adopted in both the home and enterprise computing environments.
Interoperability between Windows and Linux network resources is provided by a set of
client/server applications that are part of a set of applications known as the Samba software
suite. Linux systems that need to be able to access Windows resources (and therefore need to be
able to act as a client of those Windows resources) do so by running a Samba client application.
Linux systems that need to export resources to Windows users do so by running a Samba server
that makes those resources available over the network in a form that Windows systems can
access.
This chapter explains how to configure both Samba clients and
servers, explains various authentication models for Samba servers,
and discusses some graphical and command-line utilities that make it
easier to explore and interact with Windows resources from your
SUSE Linux system. The last section highlights the Samba-related
packages that are available in your SUSE distribution and explains
how to locate and install any that you might not have initially
installed on your system.
A Bit of Background
The SUSE Linux kernel features built-in connectivity with networked Windows resources by
supporting the Server Message Block (SMB) protocol that underlies most native Windows
networking. Microsoft later renamed an extended dialect of the protocol Common Internet File
System (CIFS), but the SMB name lives on in the Samba software suite.
Acronyms reign supreme in the network world, most of them related to the history of various
standards and protocols. This is especially true for the long list of network protocols used by
DOS and Windows systems. When Microsoft decided that network support was a good thing, it
entered the market by introducing the NetBIOS (Network Basic Input/Output System) interface in
1984 to define and control the characteristics of network communication from a DOS or Windows
system. To carry NetBIOS traffic, Microsoft provided the NetBEUI (NetBIOS Extended User
Interface) protocol. NetBEUI worked fine on the small corporate networks of the day but lacked
basic features, such as routing, that were required as networks grew and connections between
distinct networks became increasingly necessary. From 1985 through 1988, Microsoft worked with
IBM and Intel to introduce and popularize SMB, a file and printer sharing protocol that was
originally carried over NetBIOS and today runs over TCP/IP, either via NetBIOS over TCP/IP
(NBT, also written NetBT, on TCP port 139) or, since Windows 2000, directly on TCP port 445.
As discussed in Chapter 6, TCP/IP has always been the networking protocol associated with Unix
and Linux systems. Samba was originally developed by Andrew Tridgell ("tridge"), who began
development of what would later become Samba on DEC and Sun workstations in 1991 and started
porting it (then known as NetBIOS for Unix or smbserver) in 1992. In 1994, J.R. Conlin and Dave
Fenwick started an SMB-related newsgroup, comp.protocols.smb, as a forum for discussing Samba
development; smbserver was renamed Samba in 1994 because of a conflict with the name of an
existing product, and the rest is history.
Today, Samba is used on Linux, FreeBSD, NetBSD, Solaris, AIX, HP-UX, and any Unix or Unix-like
system that you can think of. Similarly, most of the NAS (Network Attached Storage) systems
that you can purchase today support NFS (the Network File System, discussed in Chapter 21),
thanks to Sun's early release of the NFS specification, and Windows networking, courtesy of
Samba.
The version of Samba provided with SUSE 9.1 is Version 3.0.4. Version 3 introduces several
significant enhancements over previous versions of Samba, including the following:
✦ Support for Microsoft's Active Directory. This also provides support for Samba servers as
member servers in Active Directory domains.
✦ Improved Unicode and internationalization support.
✦ Improved support for the updated printing system used by Windows 200X and Windows XP.
For detailed information on Samba 3.0 and migration issues for older Samba servers, see the
Samba HOWTO collection. This set of documents is installed on your SUSE system as part of the
samba-doc package, as described in "Samba-related packages in SUSE 9.1" later in this chapter.
When you have installed the samba-doc package, the Samba HOWTO collection is available in the
file /usr/share/doc/packages/samba/Samba-HOWTO-Collection.pdf. You can also find the Samba
HOWTO collection online at sites such as www.comp.hkbu.edu.hk/docs/s/samba30/htmldocs/howto/.
Setting Up and Using a Samba Client
Most desktop SUSE users who work in an environment where Windows systems are also used will
want to configure and start a Samba client on their machines. Starting a Samba client on your
system enables you to access Windows resources such as printers and file servers on your local
network. A Samba client does not enable your system to export filesystems and printers to your
local network; to do that, you will need to configure and start a Samba server on your system,
as explained in "Setting Up a Samba Server," later in this chapter.
Note: If you have problems locating any of the YaST configuration options or applications
described in this section, see the section entitled "Samba Client and Server Packages" later in
this chapter for information about locating and installing any packages that may not have been
installed during the installation process.
Configuring a Samba client
Like most administrative tasks on a SUSE Linux system, configuring and starting a Samba client
is most easily done through YaST. If you are running the KDE desktop (SUSE's default graphical
environment), you can start it by selecting YaST from the Control Center menu, which is
available by clicking the SUSE icon at the bottom-left corner of your KDE desktop. If you start
YaST as the root user, the YaST dialog displays immediately, as shown in Figure 18-1.
Figure 18-1: YaST main screen
If you start YaST as any other user, the KDE su dialog shown in Figure 18-2 displays. Enter
your system's root password, and the system will start YaST for you as the root user.
Figure 18-2: KDE su dialog
To configure and start a Samba client, follow these steps:
1. Click the Network Services icon in the left pane of the YaST Control Center and scroll
down the right pane until you see the Samba Client icon, as shown in Figure 18-3.
Figure 18-3: Samba Client icon in YaST
2. Click the Samba Client icon to display the Samba Client configuration pane, as shown in
Figure 18-4.
Figure 18-4: Samba Client configuration pane in YaST
This screen enables you to set the name of an existing Windows domain or workgroup.
Note: Under Windows, the core difference between a domain and a workgroup is where the
administrative and authentication information is stored. Workgroups typically store
authentication and connection information on each PC, while domains are administered from a
central authentication and user database known as a domain controller. Domain controllers are
discussed in more detail later in this chapter in the sidebar "To PDC or Not to PDC."
3. When this screen displays, the default name TUX-NET appears in the Windows Domain or
Workgroup text box.
• If you know the name of the domain or workgroup that you want to join, position the cursor
in this text box, type the domain or workgroup name, and click the Finish button.
• If you do not know the exact name of the domain or workgroup that you want to join, click
the Browse button to display a dialog that shows the list of Windows domains and workgroups
that can be detected on the network to which your system is attached.
If you are configuring your system to be a member of a Windows domain, the Samba Client
configuration panel also provides the option of using the authentication information provided
by that domain when you log into your Linux system. Selecting this option simplifies local
system administration by using a single, central authentication mechanism, but may make it
difficult for you to log in when your system is not connected to the network. Using a Windows
domain as your primary authentication mechanism is done by adding an SMB-aware Pluggable
Authentication Module (PAM), such as pam_winbind, to the authentication stack on your system,
which on SUSE is defined by the per-service files under /etc/pam.d/ (the single file
/etc/pam.conf is ignored when that directory exists). Keep a local account with a known
password for emergencies, since that module cannot reach the domain controller when the
network is down.
That's all there is to it: your system is now configured as a client of the selected domain or
workgroup! Your credentials and rights to access the resources available in the selected domain
or workgroup will be checked when you attempt to access those resources, as described in the
next few sections.

Browsing available Windows resources
SUSE Linux provides a number of different ways to browse Windows networks to identify and access available resources. The most common of these is to use the Konqueror browser, shown in Figure 18-5. SMB support in Konqueror is constantly being improved, so make sure that you have installed the latest version of the kdebase3 package using YaST's Online Update control (discussed in Chapter 9) if you encounter problems.
Figure 18-5: Browsing SMB resources in Konqueror
To browse resources on your local network using Konqueror, click the My Computer icon on your desktop, and select the Network icon from the column of icons at the left. Click the Local Network entry in the left pane, and select the Windows Network icon from the right pane to display icons for any available domains and workgroups in the right pane. You can then drill down into any available domain or workgroup by clicking on the icons that are subsequently displayed.
Tip: If you are using the KDE desktop, you can create a permanent shortcut to the Local Network icon on your SUSE desktop by dragging the Local Network icon from Konqueror to your desktop and selecting Copy Here from the menu that displays. You can do the same thing by right-clicking Konqueror's Local Network icon, selecting the Copy To menu item, navigating to your Home Folder's Desktop folder, and selecting the Copy Here menu command.
A fast alternative to using Konqueror to browse available Windows resources is to use a command-line utility called smbtree. This utility is installed as part of the samba-client package, and provides a fast listing of available SMB resources when executed from within konsole, xterm, or any other Linux terminal emulation utility. Figure 18-6 shows the output from running smbtree on a sample home network featuring two Samba servers that are both members of the WVH workgroup.
Figure 18-6: Browsing SMB resources using smbtree
Another useful package for browsing SMB resources is LinNeighborhood, an open source project whose home page is located at www.bnro.de/~schmidjo/index.html. Figure 18-7 shows LinNeighborhood displaying the same set of resources shown in Figures 18-5 and 18-6. A package containing LinNeighborhood is included as a separately installable package on DVD 1 or CD 5 of a SUSE 9.1 Professional distribution set. You can see information about the contents of this package at www.suse.de/en/private/products/suse_linux/prof/packages_professional/linneighborhood.html.
Figure 18-7: Browsing SMB resources using LinNeighborhood
Mounting a shared Windows drive
There are many different ways to mount a shared Windows drive on your SUSE system, the easiest of which is to use the standard Linux mount command. For example, to mount an SMB share named wvh that is available on an SMB server named home, mount that share on the directory /mnt/smb, and access those files as the Windows user wvh, you would execute a command such as the following as the root user:
# mount -t smbfs -o username=wvh //home/wvh /mnt/smb
The above command line can be broken down as follows:
• -t smbfs —Identifies the type of filesystem that you are mounting as an smbfs filesystem (SMB filesystem).
• -o username=wvh —Passes the username=wvh option to the mount command, which identifies your Windows user login as wvh.
• //home/wvh —The name of the Windows directory that you want to mount on your SUSE system. In this example, this is a directory named wvh on a Windows file server named home.
• /mnt/smb —The directory on your SUSE system where you want to mount the specified Windows directory.
The directory on which you want to mount the SMB share must already exist. The mount command actually hands the request to /sbin/mount.smbfs, which is usually a symbolic link to Samba's smbmount command. After executing this command, you will be prompted for the Windows password associated with the specified user. Being prompted is preferable to supplying the password with -o password=... on the command line, where it would be visible to every local user in the process list.
You can also execute the mount command as a user other than root by using the sudo command, which lets users execute commands as privileged users (sudo means "do with a substitute user ID"). The privileged commands and the users who can perform them are listed in the file /etc/sudoers. If you have a valid entry in the /etc/sudoers file, you will be prompted for your own password and then again for the Windows password associated with the specified user. If you do not have a valid entry in the /etc/sudoers file, there isn't much point in using the sudo command: with the SUSE default configuration you will be prompted for the root password and then again for the Windows password associated with the specified user, which is no improvement over becoming root. You can enable users to execute privileged commands by executing the visudo command as the root user, which enables you to edit the /etc/sudoers file using the vi text editor and checks its syntax before saving, so that a typo cannot lock everyone out of sudo. Grant only what is needed: a rule can limit a user to running /sbin/mount.smbfs as root rather than any command at all. For more information about the sudo command, execute the man sudo command in a console window or xterm. For more information about the /etc/sudoers file, execute the command man sudoers.
Just like any other partitions or network drives, you can automatically mount SMB shares when your system boots by adding them to your system's /etc/fstab file. To do this, create a standard /etc/fstab entry such as the following:
//SUSE/wvh /mnt/smb/wvh smbfs username=wvh,password=foo,uid=578,gid=500 0 0
The first field defines the name of the SMB share that you want to mount, the second field is the directory on your system where you want to mount the drive, and the third field is the type of filesystem that you are mounting. The fourth field provides options that you want to use when mounting the SMB share, and the fifth and sixth fields define whether you want to back up the filesystem with dump and whether you want to check the consistency of the filesystem at boot time. These values are almost always 0 (zero) for networked filesystems, which means never.
For SMB shares, the mount parameters that you have to pass in the mount options field include the username that you want to authenticate to the Samba server as, your password, and the user and group IDs that you want to associate with the mounted filesystem so that only you can read and write files in the Samba share. Because you have to enter your password, you should also make sure that the /etc/fstab file is not publicly readable by executing a command such as chmod 600 /etc/fstab, or else anyone in the know can view the file and find out your Windows password, which is probably not a good idea. Better still, keep the secret out of /etc/fstab altogether: mount.smbfs accepts a credentials=<file> option naming a root-only file that holds username= and password= lines, so /etc/fstab itself can stay readable. (smbfs was later removed from the Linux kernel in favor of the cifs filesystem; mount -t cifs takes the same credentials= option.)
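The following shell functions are an added example written for this page, not code from the book or from the Samba project. They create a root-only credentials file, emit the /etc/fstab line that refers to it instead of carrying password=foo, and audit an fstab file for smbfs or cifs entries that still embed a password. The share, mount point, uid 578 and gid 500 are the book's sample values; the credentials path and the fstab contents the demo scans are constructed for the demonstration, not a real system file.

```sh
#!/bin/sh
# Added example (not from the book): keep the Windows password out of /etc/fstab.
# mount.smbfs (smbmount), and later mount.cifs, accept credentials=<file>; the
# file holds "username=" and "password=" lines and must be readable by root only.
# Paths, uid 578 and gid 500 are the book's sample values or assumptions.

# write_smb_credentials FILE USER PASSWORD
# Creates FILE fresh under umask 077, so it is 0600 from the moment it exists and
# an existing 0644 file is never truncated and refilled in place.
write_smb_credentials() {
    _file=$1 _user=$2 _pass=$3
    rm -f "$_file"
    (
        umask 077
        printf 'username=%s\npassword=%s\n' "$_user" "$_pass" > "$_file"
    )
}

# smb_fstab_entry SHARE MOUNTPOINT CREDFILE UID GID
# Prints the fstab line: the secret is referenced, not embedded, and uid/gid keep
# the mounted files private to one local account.
smb_fstab_entry() {
    printf '%s %s smbfs credentials=%s,uid=%s,gid=%s 0 0\n' "$1" "$2" "$3" "$4" "$5"
}

# audit_fstab FSTAB
# Prints one line per smbfs/cifs entry that still carries password= (or pass=),
# adds a warning if FSTAB is world-readable while such an entry exists, and
# returns 1 when an inline password was found (0 otherwise).
audit_fstab() {
    _fstab=$1
    _found=0
    while read -r _dev _mnt _type _opts _rest; do
        case $_dev in ''|'#'*) continue ;; esac      # skip blanks and comments
        case $_type in smbfs|cifs) ;; *) continue ;; esac
        case ",$_opts," in
            *,password=*|*,pass=*)
                echo "inline password: $_dev on $_mnt"
                _found=1 ;;
        esac
    done < "$_fstab"
    if [ "$_found" -eq 1 ] && [ -n "$(find "$_fstab" -perm -004)" ]; then
        echo "$_fstab is world-readable: any local user can read that password"
    fi
    return "$_found"
}

# demo: a constructed fstab (not a real system file) in a scratch directory.
demo() {
    _dir=$(mktemp -d)
    _cred=$_dir/cred.wvh                                 # assumed credentials path
    write_smb_credentials "$_cred" wvh foo
    printf '%s\n' '# constructed sample fstab' \
        '/dev/sda1 / ext3 defaults 1 1' \
        '//SUSE/wvh /mnt/smb/wvh smbfs username=wvh,password=foo,uid=578,gid=500 0 0' \
        > "$_dir/fstab.before"
    smb_fstab_entry //SUSE/wvh /mnt/smb/wvh "$_cred" 578 500 > "$_dir/fstab.after"
    chmod 644 "$_dir/fstab.before" "$_dir/fstab.after"   # /etc/fstab is normally 0644
    echo "before:"; audit_fstab "$_dir/fstab.before" || true
    echo "after:";  audit_fstab "$_dir/fstab.after" && echo "clean"
    ls -l "$_cred"                                       # expect -rw-------
    rm -rf "$_dir"
}
demo
```

On a real system you would run write_smb_credentials as root with a path such as /etc/samba/cred.wvh, add the line smb_fstab_entry prints to /etc/fstab, and run audit_fstab /etc/fstab afterwards to confirm no password= option survived. The credentials file is only as safe as its permissions, so re-check it with ls -l after any package upgrade or backup restore.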
Using a Windows printer from Linux
To access a networked Windows printer from your Linux system using Samba, you must have
created a printer definition entry for that printer using YaST. You can then print to it as you
would to any other local or networked printer.
To create a printer definition for a Windows printer after installing and configuring the Samba
client software, follow these steps:
1. Start YaST as explained earlier in this chapter in the section "Configuring a Samba Client." Click the Hardware icon in the left pane, and select the printer icon from the right pane. The screen shown in Figure 18-8 displays.
Figure 18-8: The initial printer configuration dialog in YaST
2. When the dialog shown in Figure 18-8 displays, click the Configure button to begin creating a new printer definition. The dialog shown in Figure 18-9 displays.
Figure 18-9: Specifying the printer type in YaST
3. Select the Print via SMB Network Server option and click the Next button. The dialog shown in Figure 18-10 displays.
Figure 18-10: Defining a Samba or Windows printer in YaST
4. Enter the name of the workgroup or domain in which the printer is located, the name of the host that controls printing to that printer, and the name of the print queue associated with that printer on the specified host. These must not contain spaces. You must also enter the Windows login name of a user that is authorized to print to that printer, and that user's password. After entering these values, click the Test Remote SMB Access button to make sure that all of the values that you have specified are correct. If they are, a pop-up message displays that tells you that your system can connect to the specified printer. If the values are not correct, an error dialog displays, and you should recheck the values that you have entered. If you need assistance identifying the correct values, contact the system administrator of your Windows network.
When you have entered valid values and verified them, click the Next button to proceed. The dialog shown in Figure 18-11 displays.
Figure 18-11: Setting queue values for an SMB printer in YaST
5. Enter the name that you want to associate with the specified SMB printer. This will be the queue or printer name that you specify to commands such as lpr in order to print to this printer over the network. You can also enter description and location information for the printer, although these values are optional.
6. Next, deselect the Do Local Filtering radio button. Because the printer is already configured on the remote SMB server, you do not need to do any local preprocessing in order to print to it.
At this point, you can click the Test printing button to send a test printout to the remote printer. A dialog displays that gives you a choice of sending a text or graphical printout to the remote printer. If the remote printer can print graphics, you should send a graphical test sheet to it in order to make sure that it is correctly configured. The graphical test sheet also contains text, so it will test both capabilities.
Tip: If you print a test sheet at this point, make sure that you pick it up. It will contain the username and password that you used to access the remote printer, not something you want to leave lying around!
7. When the test sheet prints successfully, click the Next button to display the next screen and click Finish to complete and save your new printer definition.
Setting Up a Samba Server
Like most administrative tasks on a SUSE Linux system, configuring and starting a Samba server is most easily done through YaST. You can start YaST in the same way as discussed earlier in the chapter in the section "Configuring a Samba client." To configure and start a Samba server, follow these steps:
1. Click the Network Services icon in the left pane of the YaST Control Center and scroll down the right pane until you see the Samba Server icon, as shown in Figure 18-12.
Figure 18-12: Samba Server icon in YaST
2. Click the Samba Server icon to display the Samba Server configuration pane, as shown in Figure 18-13.
Figure 18-13: Samba Server configuration screen in YaST
Note: If you have problems locating any of the configuration options or applications described in this section, see the section "Samba Client and Server Packages" later in this chapter for information about locating and installing any packages that might not have been installed during the installation process.