Samba 3 By Example

ALecs writes "When I first discovered Samba, I was in heaven! I could serve my Linux filesystems to my Windows 95 desktop and life was good. Between then and now, though, Samba has gotten a lot more capabilities, and I've been struggling to keep up with the cryptic voodoo that is Windows networking. While 'The Official Samba-3 HOWTO and Resource Guide' has been a great resource, Samba seems to just be one of those packages that you just need to see in action to understand. Hearing my cries, and those of countless others, John H. Terpstra has bestowed upon the Samba community the tome of ancient knowledge sought by all: Samba 3 By Example: Practical Exercises to Successful Deployment." Read on for the rest of Malone's review.
Samba 3 By Example: Practical Exercises to Successful Deployment
author: John H. Terpstra
pages: 340
publisher: Prentice Hall PTR
rating: 10
reviewer: Joshua Malone
ISBN: 0131472216
summary: Working examples to use Samba 3 in small or large office

Samba 3 By Example begins on a very friendly note by explaining how to get the most out of it and what you'll need to complete the exercises in the rest of the book. The beginning also includes a Windows networking primer, complete with packet captures (using the popular tool 'ethereal') showing how network browsing really works, under the hood.

This book follows the evolution of a fictitious company, "Abmas", through an impossible growth from a 9-person office to a 2000-person network with multiple sites around the world. You assume the role of the IT guy: charged with growing the company's network infrastructure, planning for change and, above all, keeping the users happy.

Some of the major challenges tackled in this book are:

  • Using Samba-3 as an NT-4 style PDC
  • Using Samba-3 as a domain member server
  • Using the various authentication backends as alternatives to the traditional 'smbpasswd' backend
  • Using LDAP to implement a Samba-3 PDC with backup domain controllers
  • Authentication using winbindd
  • Migrating from NT-4 to Samba-3 for a PDC
  • Using kerberos to integrate Samba-3 into a Microsoft Active Directory domain (as a domain member server)

I am extremely impressed by Terpstra's book. It addresses the complete spectrum of Samba deployments, from the 10-person office to the 2000-seat, multi-site enterprise while explaining not just what to do, but how to do it and, most importantly, why. The examples are practical and you can really imagine some poor sap^H^H^H^H^H^H^H^H unfortunate systems administrator finding him/herself in these very positions. This book says that these scenarios are hypothetical aggregations of real-world situations, but I could swear I've worked for this company before.

One of the nicest things about this book is that each situation is followed by a Q&A section - almost like a textbook - that addresses both the important points of the exercise, as well as some of the trivial details that were left out for the sake of brevity. Don't be tempted to skip them thinking that it's just a rehash.

It's worth noting that this book is not a replacement for TOSHARG and defers to it for technical details in multiple cases. These two books should be sidearms for any IT administrator that has to deal with Windows clients on a daily basis.

I'm also very impressed with Terpstra's candor about Samba's features, weaknesses and road map. Nowhere in this book is Windows put down as inferior or is Samba touted as the "be-all, end-all" of Desktop and client management solutions. The relative flexibility of Active Directory and Samba is discussed only briefly and the choice to use Samba over Windows is ultimately left to the reader. Since you've gone to the trouble of purchasing this book, Terpstra assumes you've already made up your mind and require no further convincing.

Continuing to be mindful of office politics, Terpstra devotes a section in each chapter to the political implications of replacing Windows with an open source product, and an entire chapter to the issues inherent in bringing Samba into a traditionally Windows-based shop. Even though he refers to this chapter as a "shameless self-promotion of Samba-3", I found it to be an even-handed discussion of the issues you will most likely encounter from anti-Unix advocates and IT managers who have bought into the anti-Linux FUD. These are real issues that Systems Administrators need to know how to deal with effectively but too many of us simply dismiss because we feel they are uninformed.

In addition to examples of Samba configuration, examples are provided to integrate Samba with other useful servers such as the squid web proxy, OpenLDAP, bind and dhcpd. The configuration files for Samba as well as these additional pieces of software are also conveniently located on the included CD-ROM, along with Samba 3.0.2 packages for Red Hat Fedora Core 1 and SuSE Linux (Enterprise server 8 for x86 and s390 and SuSE Linux 9).

I think my biggest complaint with this book is that the "case study"-like format of this book tends to lump a large number of new features into a single example. This can make it hard to isolate the particular feature that you're interested in.

For instance, the example that illustrates automatic printer driver downloads to Windows clients is lumped into a chapter that is primarily concerned with using LDAP to implement a BDC. Automatic driver installation is a great feature that many sites far too small to consider implementing LDAP would likely be interested in.

In all, though, I'm extremely pleased with Samba 3 by Example - perhaps even more than TOSHARG. In it, you'll find plenty of tips, working examples and honest admissions of bugs (and their workarounds) that will keep you from losing your sanity. You could almost call this book a 300 page Samba and Windows networking consultant with over 8 years of experience. Terpstra has been incredibly kind to the Samba community by imparting so much wisdom to us all in this book.

Josh Malone has been a FreeBSD and Windows system administrator for three and a half years working in development shops and hosting companies, and currently works as a Linux engineer for an embedded systems company.

  • by Deraj DeZine ( 726641 ) on Wednesday April 21, 2004 @02:05PM (#8931527)
    Cool, I've always wanted to learn how to samba.
    • holy crap, after seeing those pictures, me too!
    • by OzPeter ( 195038 ) on Wednesday April 21, 2004 @03:21PM (#8932357)
      As someone who has been involved in latin dance in various forms (salsa, meringue, cha-cha, argentine tango, samba, rhumba, bolero etc) over the last few years I can attest to the fact that learning to dance is a fun thing to do and that you can meet lots of cute and friendly people of the opposite sex. Which is how I met my current gf.

      What's even better is that in order to dance these dances well, you NEED to hold your partner in a close embrace. And you can't complain about that.

      Another plus is that social latin dancing is done in places like public bars, but the atmosphere of the dance set is not 'meat market'. Thus it gives you a solid framework to get out in public that is not confrontationist. In my job where I do a bit of world travel, I always try and find the local dance places for some non work social life, and as a result have had some really fun times away from home.

      On a final note, Samba is a Brazilian dance, and I can attest that all the Brazilians I have met have been fun loving people, and that the country is a great one to go and visit :-)
  • samba rocks (Score:5, Insightful)

    by jacquesm ( 154384 ) <j&ww,com> on Wednesday April 21, 2004 @02:07PM (#8931555) Homepage
    Samba is probably one of the largest driving forces enabling people to migrate away from windows servers. It's a cornerstone of lots of offices that I have visited.
    • by FyRE666 ( 263011 ) * on Wednesday April 21, 2004 @03:07PM (#8932217) Homepage
      Well, it does until you start using a lot of Excel spreadsheets which link to other spreadsheets on a Samba share at least. Then you start to see serious locking problems.

      Believe me, I've been banging my head against this for a couple of weeks now (I can't reproduce the problem, but other people on the network can and do, daily). Everyone seems to have their own idea about the correct combination of oplocks, level 2 oplocks, veto oplocks, deadtime etc to use; but nothing seems 100% foolproof. This is the reason we're probably going to be switching away from Samba to Win2k3. I don't want this, but as the only Linux guy, it's hard to fight the tide when you're having to clear down the locks and force people to close and re-open files almost daily as they're locked out of their own files... ;-(
      • by Cheeze ( 12756 ) on Wednesday April 21, 2004 @03:21PM (#8932362) Homepage
        i'm not sure of your exact problems, but the same thing happens in the win2k environment. sometimes, the application will give the error that the file is open already, by the user that is trying to open it. The application does not even try to open it read-only. I've had to log into the file server and boot the open file. In that case, the program was MS Excel from office 2k. At least with a linux file server, you should be able to open the file read only. Most of the time, the application can just open it with no locking.
      • We just turned oplocks off on windows or samba. We take a performance hit but the crappy 3rd party program we use won't work with oplocks on.
      • by Mish ( 50810 ) on Wednesday April 21, 2004 @03:38PM (#8932515)
        The following settings resolved that issue for me:
        oplocks = no
        level 2 oplocks = true
        fake oplocks = yes
        Of course you'll want to RTFM on those commands first so you know what you're letting yourself in for. :)
        • by FyRE666 ( 263011 ) * on Wednesday April 21, 2004 @03:43PM (#8932564) Homepage
          fake oplocks = yes

          Erm, isn't that a completely insane thing to do (unless you're sharing a CD over Samba)?!!! The Windows clients will assume they have a lock on a file, and blindly write to it, even though other clients will assume the same! If you really are using this on a writable share and haven't clobbered a whole load of files, then you've been damned lucky!
          • by Mish ( 50810 ) on Wednesday April 21, 2004 @04:16PM (#8932920)
            Erm, isn't that a completely insane thing to do
            Yes and no.

            I don't know the specifics of your situation, so this very well may be an extremely bad idea for you, hence the "RTFM" comment. :)

            The system these configuration entries came from is a server that hosts numerous files which many people read, but only one or two people need to write to (and only one of those on a regular basis).

            The problem being that the annoying win32 program being used refuses to function unless it believes it has exclusive read and write access to the files, even though it never actually writes to the files (in most cases).

            It's not an elegant solution, but it solved the problem here with no ill effects since it was installed over a year ago, but yes, it has huge potential to cause file corruption on a system where the same files are concurrently modified by multiple users.
        • by wackysootroom ( 243310 ) on Wednesday April 21, 2004 @04:45PM (#8933267) Homepage
          A better way to do it would be to only veto oplocks on certain types of files with the veto oplock files option.

          We had problems with dbase file locking until we vetoed oplocks on those files.

          To do it, it looks like this:
          veto oplock files = /*.DBF/*.dbf/*.CDX/*.cdx/*.IDX/*.idx/*.fxp/*.FXP/*.prg/*.PRG/*.mmo/*.MMO/

          This way, you're not using oplocks on only the types of files that are giving you hell, while getting the best performance possible from all other file types.
      • Show this to your Win friends. Win2K3 is a mess. Since our NT PDC & Members our transfer rates have dropped, all sorts of bad lock situations with single file Excel docs (Office 97). - this coming from an NT guy.
  • by jmulvey ( 233344 ) on Wednesday April 21, 2004 @02:07PM (#8931563)
    So does Samba-3 support the "trade secret" PAC information that Microsoft inserted into their Kerberos tickets (to great consternation of the Kerberos community)?
    • by ALecs ( 118703 ) on Wednesday April 21, 2004 @02:18PM (#8931696) Homepage
      The most recent Samba-3 code now supports 'schannel' and "digital sign'n'seal" for joining an active directory domain. It cannot act as an ADS domain controller - only a member server.
      • by ALecs ( 118703 ) on Wednesday April 21, 2004 @02:24PM (#8931762) Homepage
        I should also clarify that samba-3 can join as a Win2K member server and not just a legacy NT-4 server. The difference is in how you join the samba server to the domain.

        Use 'net ads join' to join as a Win2K member. If you use the older 'net rpc join' command, you're just doing NT-4 domain membership. Chapter 9 in the book covers Active Directory interoperation. The interoperability code is in Samba, not Kerberos.
    • by lkaos ( 187507 ) <> on Wednesday April 21, 2004 @02:23PM (#8931748) Homepage Journal
      Samba can decode the PAC. I don't believe it's actually using the information yet.

      This is because before using the information, you have to verify the signatures (to ensure the data hasn't been forged). Making use of the information in the PAC is on the TODO list though as it will result in a nice performance increase in some areas.

      And the PAC certainly doesn't violate any of the kerberos standards. Placing implementation specific information in the authorization data is what it's there for.
      • by Anonymous Coward
        And the PAC certainly doesn't violate any of the kerberos standards. Placing implementation specific information in the authorization data is what it's there for.

        Very true, but I think the issue many people have is with Microsoft using this field and then not telling anyone how to interpret it (well, at first anyway).

        • According to Jeremy Allison, documentation for the PAC has been released by Microsoft, except the license to said documentation was too restrictive to be used by the Samba team.

          See -01-005-04-NW
          • Well, the first time, yes, they did license the documentation too restrictively. But they then rereleased it with no restrictions.

            Not that it really mattered. It's pretty easy to decode on its own.
  • by iwein ( 561027 ) on Wednesday April 21, 2004 @02:09PM (#8931605)
    after my first experience with samba (opposed to windows 2k server) i was highly enthusiastic but being one of the lesser linux geeks around i had some difficulty setting it up.

    overall my impression is that in total i suppose you would need less time to set up and maintain a nice samba server than a w2k server, even if it is your first time installing linux.

    with the help of this book it will become even simpler....

    • by Smallpond ( 221300 ) on Wednesday April 21, 2004 @02:15PM (#8931653) Homepage Journal
      I don't know what you're talking about. smb.conf is almost as easy as It has helpful comments like:

      ; 7: Look at the "hosts allow" option, unless you want everyone on the internet
      ; to be able to access your files.

      Well, I looked at it and they could still access my files.
      • I don't see what's wrong here:

        1) A: You look at the "hosts allow" option.
        2) B: You want everyone on the internet to be able to access your files.

        What the comment says is: A unless B. In other words, If B then not A. (If you want everyone on the internet to be able to access your files, then don't look at the "hosts allow" option.)

        It would be wrong only if they said: B unless A.
        • I think the OP was making a snide comment on the fact that the docs just say to 'look at' the hosts allow option, but don't specifically say to change it one way or another.

          He physically "looked at" the option, as instructed, and it unsurprisingly had no effect on server operations.

          Personally, I love using samba as a PDC. With the addition of some decent web pages for LDAP user and group maintenance, it becomes a very slick, well-unified system. I haven't plunged into the world of printer sharing yet, b
    • by agrippa_cash ( 590103 ) on Wednesday April 21, 2004 @02:54PM (#8932062) Homepage
      I have been trying for MONTHS (on and off) to get SAMBA 3 working with LDAP. I got 2.2 working OK, so I'm not a complete idiot. Still this book may be a good investment. For those who are interested the University of Navarra has a 3.0 HOWto and there is a 2.2 Howto (that I used successfully) at
    • Seriously, Samba isn't easy to set up. I don't consider myself a lesser geek anymore, since I can set up virtually anything else I've tried without trouble (yes, that includes, but I've more or less given up on Samba.

      Of course, the Samba developers shouldn't be blamed for that. I suppose that learning the black arts of Windows networking is about as logical as Windows itself, after all.
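Two configuration hazards come up in the comments above: `fake oplocks = yes` on a share that more than one client can write to, and a share with no `hosts allow` restriction. The following Python audit is an added example, not code from any commenter or from the Samba project; the share names, paths and finding labels are constructed for illustration.

```python
"""Audit an smb.conf for fake oplocks on writable shares and for shares with
no "hosts allow" restriction. Added example; the sample data is constructed."""
import re

TRUE, FALSE = {"yes", "true", "on", "1"}, {"no", "false", "off", "0"}

# Constructed sample configuration (share names and paths are hypothetical).
SAMPLE = r"""
; constructed sample
[global]
   workgroup = EXAMPLE
   fake oplocks = yes

[reference]
   path = /srv/reference
   read only = yes

[accounts]
   path = /srv/accounts
   writeable = yes
   hosts allow = 192.168.1. 127.

[dbase]
   path = /srv/dbase
   read only = no
   fake oplocks = no
   veto oplock files = /*.DBF/*.dbf/
"""

def norm(name):
    # smb.conf ignores case and whitespace in parameter names.
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    """Return {section: {normalised parameter: value}} in file order."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in ";#":      # blank line or comment
            continue
        if line.endswith("\\"):              # continuation onto the next line
            pending = line[:-1]
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[norm(key)] = value.strip()
    return sections

def lookup(sections, share, names):
    """Return (name, value) from the share, falling back to [global]."""
    for scope in (sections.get(share, {}), sections.get("global", {})):
        for name in names:
            if name in scope:
                return name, scope[name]
    return None, None

def as_bool(value, default):
    text = (value or "").lower()
    return True if text in TRUE else False if text in FALSE else default

def is_writable(sections, share):
    name, value = lookup(sections, share,
                         ("readonly", "writeable", "writable", "writeok"))
    if name is None:
        return False                      # Samba default: read only = yes
    if name == "readonly":
        return not as_bool(value, True)
    return as_bool(value, False)          # inverted synonyms of "read only"

def audit(sections):
    """Return a list of (share, finding) tuples in file order."""
    findings = []
    for share in sections:
        if share == "global":
            continue
        _, fake = lookup(sections, share, ("fakeoplocks",))
        if as_bool(fake, False) and is_writable(sections, share):
            findings.append((share, "fake-oplocks-writable"))
        _, allow = lookup(sections, share, ("hostsallow", "allowhosts"))
        if not allow:                     # unset or empty: any host may connect
            findings.append((share, "no-hosts-allow"))
    return findings

if __name__ == "__main__":
    for share, code in audit(parse_smb_conf(SAMPLE)):
        print(f"[{share}] {code}")
```

A setting placed in `[global]` is inherited by every share, which is why the `accounts` share in the sample is flagged even though it never mentions fake oplocks itself.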

  • by Vlion ( 653369 )
    I'll have to read it sometime- I could really use samba.
  • by blkwolf ( 18520 ) on Wednesday April 21, 2004 @02:16PM (#8931675) Homepage []
  • by proxima ( 165692 ) on Wednesday April 21, 2004 @02:16PM (#8931678)
    Obviously teaching things by example is not new, but far too many computer books on too many subjects (especially programming) don't use enough examples to illustrate their points. Some just use poor examples.

    Samba is one of those setups where the total amount of functionality is far more than many users need, so a collection of well-designed examples will greatly speed one's implementation (and reduce common security problems). Fortunately the default config file has improved in Samba to the point where it's not too difficult to setup basic printer/filesystem sharing.

    These "cookbook" style books obviously can't replace a reference, but they often are more useful as a starting point. I've spent over five years on unix systems now, but I still groan at the lack of examples in the man pages of more obscure command line software. Google often comes through, provided I can think of a good phrase that describes what I'm trying to do ("search and replace with perl command line" - perl -pi -e 's/searchterm/replaceterm/g' [filenames], btw).

  • Great! (Score:1, Interesting)

    by Anonymous Coward
    This is great. I just started migrating from windowsXP to Fedora Core 1 and have been trying to setup a Samba server for a week. I'm using the O'Reilly manual, but there are significant gaps in the setup descriptions. I remember thinking "I wish there was a case by case explanation of setups for this damn program" Well, I guess I'll be buying this today!
  • little known fact (Score:3, Insightful)

    by mirko ( 198274 ) on Wednesday April 21, 2004 @02:18PM (#8931694) Journal
    Samba 3 is used by Panther (OSX3) since the beginning.
    • Re:little known fact (Score:4, Informative)

      by amunter ( 313014 ) on Wednesday April 21, 2004 @02:28PM (#8931803)
      Yes, and at the recent FOSE expo in DC the Apple guy that was standing under the sign in the Apple booth that said "LDAP and Kerberos" showed me how easy it was to use.

      It uses all the normal Apple GUI type controls which basically take care of all of the configuration changes to smb.conf and krb5.conf. Basically a slick "apple looking" configuration file editor. I thought SWAT made samba configuration pretty easy, but this Apple stuff is great. Really cool stuff.
  • Samba Cryptic? (Score:5, Interesting)

    by timeOday ( 582209 ) on Wednesday April 21, 2004 @02:26PM (#8931781)
    I have found Samba very workable and not too hard to set up. At first I only thought of Samba as a hack to interoperate with Windows and assumed NFS was better. But over a few years I've had a number of troubles with NFS, from timeouts to UID translation to large file support (on Linux - I'm sure NFS is better on Solaris!) Finally I realized that Samba is not just a scab, it works fine and is easy to set up. Now I use it even to network Linux boxes. Sure Samba's guts might be messy but it doesn't seem to hurt anything.
    • Re:Samba Cryptic? (Score:2, Interesting)

      by Anonymous Coward
      We recently switched to Samba from NT and it sped up significantly. The regular Samba fork is pretty easy to set up for file serving but my experience with setting it up as a domain controller for Win2000/XP was like sitting down on a cactus and bouncing up and down. Yes, I applied the registry hacks, and yes, I had the server set up properly, but I could not get Win2000 or XP (Professional) to login to the domain. Ended up going with Samba-TNG, which out of the box worked with 2000/XP Pro. Sure hope they i
    • to large file support

      This is NFS version 2. Both Linux and solaris support NFS v3 but if you roll your own kernels don't forget to enable version 3.
  • by Nighttime ( 231023 ) on Wednesday April 21, 2004 @02:30PM (#8931830) Homepage Journal
    This book is currently available through The Register's bookshop with 30% off to UK readers.
  • by Dimensio ( 311070 ) <darkstar.iglou@com> on Wednesday April 21, 2004 @02:32PM (#8931844)
    ...went back to 2.2.8a because for some reason it wasn't handling symbolic links properly. The drive containing the network share was running out of space, so I set up additional space on another drive and made a symlink to the location (yes, I used all lowercase letters in the symlink). Trying to access the directory with the 3.0.2a server resulted in a "Not a directory" error. It works properly in 2.2.8a, though.
  • by gfhilton ( 471959 ) on Wednesday April 21, 2004 @02:33PM (#8931856)
    I've been struggling to keep up with the cryptic voodoo that is Windows networking.

    The cryptic voodoo I struggle to keep up with is Samba and Linux itself. Setting up networking, even advanced domain stuff, in Windows is very easy in comparison. Hence books like this one.

    I don't mean to troll, but one of Linux's biggest problems from a usability point of view is that there is no central place where configuration information is stored (aka the "hated" registry in Windows). It's supposed to end up in /etc but many times it doesn't and instead it's all scattered around in hundreds of tiny text files with various different formats that one must search out and edit. This is one of the (many) things that make it very difficult to set up or configure anything in Linux, be it hardware or software.

    I think we would all be better off if the Linux community would work on fixing usability problems and making Linux more unified instead of continually adding new features. And if that sounds like many criticisms of Microsoft you've heard, then so be it.
    • there is no central place where configuration information is stored

      Funny, I think one of Linux's biggest advantages is that there is a central place where configuration information is stored. It's, as you mentioned, /etc. To find information about your configuration is normally as simple as "find /etc -exec grep -si some_text /dev/null {} \;". OK, the syntax of the find command is anything but easy, but, once you learn it, it'll become far easier than poring through regedit.exe

    • by cbiltcliffe ( 186293 ) on Wednesday April 21, 2004 @03:11PM (#8932259) Homepage Journal
      It's supposed to end up in /etc but many times it doesn't and instead it's all scattered around in hundreds of tiny text files with various different formats that one must search out and edit.

      You mean like the 229 .ini files that are on my Windows 2000 machine, in various places in 'Program Files', 'WINNT', 'WINNT\System32', etc.etc?

      Seriously...I don't know what Linux distro you're using......I've heard this comment before, and out of the few dozen I've tried, nothing ever stored configuration information in more than two places:

      1) /etc and, for some programs with lots of config files, subdirectories of /etc dedicated to the one program.
      2) hidden directories in the user's home directory, for personal configuration files, rather than system-wide.

      Anything that's in the user's home directory is set by the interface of whatever program they're running, though, so you hardly need to 'search out and edit' files that are in 'various different formats'.

      If you're going to spread FUD, at least spread something that's true.
      Oh...wait.....that would mean it wouldn't be FUD, wouldn't it?
    • Why would you care where the data is stored? Have you ever actually set up a network card, or joined a domain, or set up a scsi device by manually editing the registry? I highly doubt it.

      The location of the data is not what is all-important. Making the tools that modify that data better is.

  • I never thought I'd see relative flexibility and Active Directory used in the same sentence.
  • I am definitely going to pick up a copy of Samba 3 by Example.

    Does anyone know where I can get a copy of the TOSHARG that was mentioned as the technical resource?
  • Samba vs. NFS (Score:3, Interesting)

    by hey ( 83763 ) on Wednesday April 21, 2004 @02:57PM (#8932106) Journal
    Just wondering... if you have a all Linux office does anyone choose Samba over NFS?
    • I sure wouldn't doubt it if they did. With NFS it seems all you have to do is fake your uid/gid on the client and then you have access to all those files on the NFS server with that same gid/uid. Doesn't seem very secure to me since somebody could easily put up a rogue box on your network.

      Is there something I'm missing here?
      • Re:Samba vs. NFS (Score:5, Informative)

        by Dolda2000 ( 759023 ) <fredrik@dol d a 2 0 0 0 . c om> on Wednesday April 21, 2004 @04:26PM (#8933015) Homepage
        Unfortunately, that's the case right now. NFS is supposed to be used in secure environments.

        However, that's going to change. There is already support for RPC security when using NFSv4 in Linux 2.6. That way, you can use Kerberos authentication and encryption for your NFS exports, and all is well. It's still marked as experimental, but I suspect it to be mature before long.

        All that already works on Solaris, of course.

        • However, that's going to change. There is already support for RPC security when using NFSv4 in Linux 2.6.

          Unfortunately NFS sucks [1]. If I go to someone's house can I mount an NFS export as easily as I can an SMB share? No, because the UID/GIDs don't match up. SMB keys on usernames.

          [1] In truth SMB sucks too because of the many layers of protocol.
    • Re:Samba vs. NFS (Score:3, Informative)

      by slide-rule ( 153968 )
      You implied work/office, but on my home LAN of 3 machines (two dual' into '98), I gave up on NFS and went fully-samba. I might not have had NFS *properly* config'ed through and through, but my home network is fairly simple. Still, I'd have occasional problems with NFS/automount hanging up somewhere causing machines to *not* be able to shutdown properly. (It'd hang the shutdown scripts.) Since I went all-samba (even for the all-Linux aspect of the network) this just doesn't happen to me anymore, so samba/aut
  • by phallstrom ( 69697 ) on Wednesday April 21, 2004 @02:57PM (#8932114) l
  • I've been struggling to get my samba PDC (and by extension every windows box on my network) and linux to authenticate against a single source, an LDAP server.

    Of course, this means learning not only what LDAP is, but how to configure and test it, etc.. OpenLDAP wasn't the toughest nut to crack, but its configuration files are out there in wackyland. This is as far as I've gotten.

    Then getting samba and other services to auth against it. Of course, to use I need to have linux boxes that use P
    • Mind trying out sloppyadm which sets this up (currently a bunch of redhat w/apt & gentoo specific things, but what mostly needs to be done is a bit of modification to get slack, etc to work) I do need to update it some, but it works great for a lab that has cups+samba+ldap w/windows and linux clients, it even has provisions to install common config files (all distros) and distro-specific config files. Of course, it doesn't have a gui (yet, I am working on it!) (but frankly it's the best one I have com
  • Agree with reviewer (Score:3, Informative)

    by Etyenne ( 4915 ) on Wednesday April 21, 2004 @04:55PM (#8933383)
    My boss brought back a copy of S3bE from Real World Linux Expo in Toronto (with a dedicace to my name ... w00t!), and I must say I agree with reviewer. So far, I have only read chapters 10 and 11 (but thumbed through the rest), and they alone are worth the price of the book.
