You are on page 1of 59

FiIe Servers

Session Objectives:
At the end of this Session, you will be able to understand
Samba Server
NFS (Network File system) Server
FT (File Transfer rotocol) Server
Summary ! "eferences
Chapter- 10
Samba Server
10.0 Introduction________________________________________
Samba is a suite of #ro$rams that enables %NI&'like o#eratin$ systems, includin$ (inu),
Solaris, Free*S+, and ,ac -S &, to work with other o#eratin$ systems, such as -S./
and 0indows, as both a server and a client1
As a server, Samba shares (inu) files and #rinters with 0indows systems1 As a client,
Samba $ives (inu) users access to files on 0indows systems1 Its ability to share files
across o#eratin$ systems makes Samba an ideal tool in a hetero$eneous com#utin$
This cha#ter starts by #rovidin$ a list of Samba tools followed by some basic
information1 The section followin$ that covers how to use swat, a 0eb'based advanced
confi$uration tool, to set u# a Samba server1 The final server section discusses how to
set u# a Samba server by usin$ a te)t editor to manually edit the files that control
10.0.1 Samba UtiIities & Daemons:
net This utility has the same synta) as the +-S net command and, over time, will
eventually re#lace other Samba utilities such as smb#asswd1
nmbd The Net*I-S nameserver #ro$ram, run as a daemon by default1 rovides
Net*I-S over I namin$ services for Samba clients1 Also #rovides browsin$ su##ort (as
in the 0indows Network Nei$hborhood or ,y Network laces view)1
nmbIookup 2ueries the Net*I-S name1
pdbedit ,aintains Samba user database1
smbcIient +is#lays shares on a Samba server such as a 0indows machine3 uses ft#like
smbd The Samba #ro$ram, run as a daemon by default1 rovides file and #rint services
for Samba clients1
smbpasswd 4han$es 0indows NT #assword hashes on Samba and 0indows NT
smbstatus +is#lays information about current smbd connections1
smbtar *acks u# and restores data from Samba servers3 similar to tar1
smbtree +is#lays a hierarchical dia$ram of available shares1
swat Samba Web Administration TooI1 A browser'based editor for the smb1conf file1
testparm 4hecks synta) of the smb1conf file1
10.0.2 Common Samba Terms
The Samba server normally uses %+ #orts 137 and 138 and T4 #orts 139 and
4451 If the Samba server system is runnin$ a firewall, you need to o#en these #orts1
%sin$ iptabIes o#en these #orts by settin$ a #olicy that allows service for Samba1
%nder Samba, an e)#orted directory hierarchy is called a share.
The Samba term ma##in$ a share is e5uivalent to the (inu) term mountin$ a directory
The name Samba is derived from SMB, the #rotocol that is the native method of file and
#rinter sharin$ for 0indows1
6ou must set u# a root #assword to use swat to chan$e the Samba confi$uration1
10.0.3 Samba Users, User Maps, and Passwords
For a 0indows user to access Samba services on a (inu) system, the user must
#rovide a 0indows username and a Samba #assword1 In some cases, 0indows
su##lies the username and #assword for you1 It is also #ossible to authenticate usin$
other methods1 For e)am#le, Samba can use LDAP or A, instead of the default
#assword file1 "efer to the Samba documentation for more information on authentication
The username su##lied by 0indows must be the same as a (inu) username or must
ma# to a (inu) username1
User maps
6ou can create a file, ty#ically named .etc.samba.smbusers, to ma# 0indows
usernames to (inu) usernames1
*y default, Samba uses (inu) #asswords to authenticate users1 7owever, linu)
sets #assdb backend to tdbsam, causin$ Samba to use trivial database #asswords1
4han$e this #arameter to smb#asswd in smb1conf to cause
Samba to use (inu) #asswords1
10.1 Setting up a Samba Server
This section describes how to install and confi$ure a Samba server usin$ both the
shares'admin utility and the swat browser'based confi$uration tool1
10.1.1 Prerequisites
Install the followin$ #acka$es8
smbfs (the onIy package needed to mount a Windows share)
system-config-samba (optionaI)
swat (optionaI, but usefuI)
openbsd-inetd (needed to run swat; instaIIed as a swat dependency)
samba-doc (optionaI documentation; instaIIed with swat)
samba-doc-pdf (optionaI; documentation in PDF format)
Smbd Init Script
0hen you install the samba #acka$e, the dpkg postinst scri#t confi$ures Samba to run
as a normal daemon (not from inetd), co#ies all (inu) users to the list of Samba users,
sets u# Samba to use encry#ted #asswords, and starts the smbd and nmbd daemons1
After you confi$ure samba, $ive the followin$ command to restart the smbd and nmbd
9 sudo service smbd restart
smbd start.runnin$, #rocess :;;/
10.2 Configuring Samba Server using system-config-samba
-ne of the most asked features for Samba is a $ra#hical user interface to hel# with
confi$uration and mana$ement3 there are now several <%I interfaces to Samba
available, one of these tools is samba server confi$uration tool1
=The Samba Server Configuration TooI is a $ra#hical interface for mana$in$ Samba
shares, users, and basic server settin$s1 It modifies the confi$uration files in the
/etc/samba/ directory1 Any chan$es to these files not made usin$ the a##lication are
First thin$ we need to do is to install samba, $o to Software center in %buntu and search
for samba then install the #acka$e1 If you want to install it via terminal then co#y this
command 8
# apt-get instaII samba samba-common
InstaIIing Samba Server configuration TooI:
Now install the $ra#hical interface System'confi$ samba
# apt-get instaII system-config-samba
Now we will try for e)am#le to share the directory .home.shared1
First o#en <%I samba server confi$uration tool by $oin$ to AppIications-->
Administration-->Samba or at the terminal ty#e8 # system-config-samba
6ou will $et a dialo$ue bo) similar to this3

Now over here we have to add the folder we want to share and setu# the #ermissions
First create a folder and #rovide the #ermissions to the folder1 Now share it usin$ the
Sharing Options available from ri$ht click menu on the folder1
Now 4lick on the + tab to add a new share1 0hen you will click on this tab you will $et a
screen as this3

The window consists of Basic and Access Tab1 Now on the basic tab click on the
browse button and select the directory to share1 Then #rovide it with a share name and
descri#tion1 "emember to click on the writeable and visible button to $rant the access1

Now it comes to the security of the file server1 There are basically two modes in SA,*A
File Server3 Anonymous and Authenticated1
First let us discuss the anonymous mode for accessin$ the file server1

Now when you $o on access tab and Select the AIIow access to everyone tab, then
your file server becomes anonymous and will entertain all the connections1
Now let us consider usin$ a secured file server which $ives a #rom#t for a username
and #assword, suin$ the authenticated mode1

Now for securin$ the server we select OnIy aIIow access to specific users tab1
Now under this tab there are the system users listed, select the user you want to $rant
the acces to, in this case I have selected seduIity1 4lick -k tab to #roceed1
Now the ne)t ste# is to #rovide the user a #assword for authentication1 First click on the
Preferences > Samba Users. Select the suer you want to authenticate1 At this sta$e
you will $et a tab similar to this3

Now click on the Edit User icon to #roceed1

rovide the username and password you want to $ive for authentication1
Now we are done let us try to access the share8
Anonymous mode:

Authenticated Mode:
In this when you try to o#en the share you will make use of 3

7ere all the folders shared will be listed1 7owever, when you will try to o#en the share
you will $et a username and #assword #rom#t1

Now when your authentication will match with the samba username and #assword you
will $et the share1

The swat (Samba 0eb Administration Tool, swat #acka$e) utility is a browser'based
$ra#hical editor for the /etc/samba/smb.conf file1 For each of the confi$urable
#arameters, it #rovides 7el# links, default values, and a te)t bo) to chan$e the value1
The swat utility is a well'desi$ned tool in that it remains true to the lines in the smb.conf
file you edit8 6ou can use and learn from swat, so that, if you want to use a te)t editor to
modify smb.conf, the transition will be strai$htforward1 The swat utility is run from inetd
(openbsd-inetd #acka$e)1 0hen you install the swat #acka$e, it installs openbsd-
inetd as a de#endency and #laces the followin$ line in /etc/inetd.conf8
swat stream tcp nowait.400 root /usr/sbin/tcpd /usr/sbin/swat

This line enables swat when xinetd is runnin$1 If necessary, $ive the followin$ command
to restart inetd so that it rereads its confi$uration file8
# /etc/init.d/xinetd restart

Now when you will try to $et an interface for S0AT, $o to the browser and in the
address bar ty#e3
http://IocaIhost:901, you will be #resented with a screen same as below1

From the local system, o#en a browser and enter either or
http://IocaIhost:901 in the location bar1 0hen #rom#ted, enter the username root and
the root #assword If you #rovide a username other than root, you will be able to view
some confi$uration information but will not be able to make chan$es1 From a remote
system, re#lace with the I address of the server (but see the ad>acent
security ti#)1 If a firewall is runnin$ on the local system and you want to access swat from
a remote system, o#en T4 #ort ?@A usin$ i#tables1
The browser dis#lays the local Samba.swat home #a$e1 This #a$e includes links to local
Samba documentation and the buttons listed below1
HOME - (inks to local Samba documentation1 0hen you click the word Samba
(not the lo$o, but the one >ust before the word Documentation in the
Samba.swat home#a$e), swat dis#lays the Samba man #a$e, which defines
each Samba #ro$ram1
GLOBALS - Bdits $lobal #arameters (variables) in smb.conf1
This #rovides you with o#tions for settin$ the main <lobal variables1 If you want to
set additional variables, you can click Advanced Ciew to access o#tions for settin$
nearly every #ossible Samba variable1 (etDs take a look at a few of the variables you
will need to set in the main section1

The work$rou# variable needs to be set to match the desired 0indows 0ork$rou# or
+omain and should be in all ca#s1 The Net*I-S variable is >ust that, the (inu)
machineDs Net*I-S name on the 0indows network1 It should also be in all ca#s1
This is the name that will show u# in the Network Nei$hborhood of 0indows
If you are runnin$ 0indows ?E or above, 0indows NT :1@ with SF or above, or
0indows /@@@, you need to make sure to have the variable use encrypted
passwords=yes1 %ntil you learn more advanced confi$uration, you can safely leave
everythin$ else in the <lobal variables at the default settin$s1
SHARES - Bdits share information in smb.conf1
7ere, we make available files, drives, etc1, to our 0indows 0ork$rou# or +omain or to
individuals1 The default share created is the =homes= share, and if you select that share
and click 4hoose Share, you can then edit as needed1 This is often used to set u#
Samba shares for individual user accounts since user directories are #laced in .home by
default1 7owever, you can use the Shares section to share any directory on your (inu)
machine with the 0indows network1 6ou could also create a new folder such as
.home.fileserver and share that1
Three buttons and two te)t bo)es a##ear near the bottom of the #a$e1 In the te)t bo)
ad>acent to the Create Share button, enter the name you want to assi$n to the share
you are settin$ u#1 6ou will use this share name from 0indows when you ma# (mount)
the share1 4lick Create Share1
To modify an e)istin$ share, dis#lay the name of the share in the dro#'down list labeled
Choose Share, and click Choose Share1 Bither of these actions e)#ands the Share
arameters #a$e so it dis#lays information about the selected share1
Set path to the absolute #athname on the (inu) server of the share and, if you like, set
comment to a strin$ that will hel# you remember where the share is located11 ,ake sure
read onIy, guest ok, and browseabIe are set as you desire1 Set avaiIabIe to YES or
you will not have access to the share1 4lick Commit Changes when you are done with
the S7A"BS #a$e1 If you want to see how many #arameters there really are, click
advanced near the to# of the #a$e1 Switchin$ between the *asic and Advanced views
removes any chan$es you have not committed1
From a 0indows machine, you should now be able to access the share you >ust created1
To access the share $o to the RUN #rom#t and ty#e8 \\ipaddress of the server1

After this you will $et the shared folder for access1 6ou may create and delete files as if
workin$ on a re$ular system1

PRINTERS - Bdits #rinter information in smb.conf1
Now weDll take a look at the rinters tab1 *efore you set u# a #rinter share, make sure
that you have already confi$ured your #rinter on your (inu) bo)1 -nce you have your
#rinter workin$ and ready to be shared, you should see a dro#'down list under the
#rinterDs section with an entry like l# or l#@1 This should be the active #rinter1 4hoose this
and click the 4hoose rinter button to brin$ u# the o#tions for this share1 ,ake sure the
#rinter is accessible to those whom you intend to use it1
WIZARD - "ewrites the smb.conf file, removin$ all comment lines and lines that
s#ecify default values1

STATUS Shows the active connections, active shares, and o#en files1 Sto#s and
restarts the smbd and nmbd daemons1

6ou can even see the current statistics of the systems which connect your server in the
information re#resented below1

VIEW +is#lays a subset (click FuII View) or all of the confi$uration #arameters as
determined by the default values and settin$s in smb.conf (click NormaI View)1
PASSWORD The assword tab, takes you to the smbpasswd utility, which is used to
add Samba users and to set u# or chan$e Samba #asswords1 6ou can also disable or
enable accounts as needed1 To add a user, the user must already have a local (inu)
user account1 The easiest way to add a new (inu) user account is to $o to the command
line and use the useradd command1 0hen you ty#e useradd username and #ress
GBnterH, it will #rom#t for a #assword and ask you to confirm it1 -nce you finish addin$
the user locally, $o back to the #assword section in S0AT, enter the username and
#assword, and select Add1 After you add the user, make sure to click the Bnable button
to enable the user1
"emember you have to chan$e the directive for access in the Shares section for
s#ecific share3 here we have chan$ed for the file shared1
4han$e guest ok to no and in front of vaIid users ty#e the user you want to #rovide
access to1
After this move to the Password tab, and #rovide the user credentials for samba1 Bnter
the details and #ress EnabIe User tab to add the user, after #ressin$ the tab you will $et
a confirmation messa$e1
Now when you will try to access the share, you will be #rom#ted for the authentication1
In the username and #assword bo) #rovide the credentials of the authenticated user and
you will be able to access the share1

10.3.1 swat HeIp and defauIts
Bach of the #arameters swat dis#lays has a button labeled HeIp ne)t to it1 4lick HeIp to
o#en a new browser window containin$ an e)#lanation of that #arameter1 Bach
#arameter also has a Set DefauIt button that sets the #arameter to its default value1
For this e)am#le, do not click any of the Set DefauIt buttons1 ,ake sure to click
Commit Changes at the to# of each #a$e after you finish makin$ chan$es on a #a$e
10.4 ManuaIIy configuring a Samba: smb.conf
The /etc/samba/smb.conf file controls most as#ects of how Samba works and is
divided into sections1 Bach section be$ins with a line that holds some te)t between
brackets ([...])1 The te)t within the brackets identifies the section1 Ty#ical sections are
[gIobaIs] +efines $lobal #arameters
[printers] +efines #rinters
[homes] +efines shares in the homes directory
[share name] +efines a share (you can have more than one of these sections)
As (inu) sets the $lobal #arameters in smb.conf, you need sim#ly add a share for a
0indows system to be able to access a directory on the (inu) server1 Add the followin$
sim#le share to the end of the smb.conf file to enable a user on a 0indows system to
be able to read from and write to the local /tmp directory8
comment I tem#orary directory
#ath I .tm#
writable I 6BS
$uest ok I 6BS
The name of the share under 0indows is tmp3 the #ath under (inu) is /tmp1 Any
0indows user who can lo$ in on Samba, includin$ guest, can read from and write
to this directory, assumin$ the userDs (inu) #ermissions allow it1 To allow a user to
lo$ in on Samba, you must run smb#asswd1 *ecause browseabIe defaults
to 6BS, unless you s#ecify browseabIe = NO, the share a##ears as a share on the
server without e)#licitly bein$ declared browseabIe1 The (inu) #ermissions that a##ly to
a 0indows user usin$ Samba are the same #ermissions that a##ly to the (inu) user that
the 0indows user ma#s to1
10.4.1 Parameters in smb.conf fiIe
The smb.conf man #a$e and the 7el# feature of swat list all the #arameters you can set
in smb.conf1 The followin$ sections identify some of the #arameters you are likely to
want to chan$e1
GIobaI Parameters
interfaces - A SA4B'se#arated list of networks Samba uses1 S#ecify as interface
names (such as eth0) or as I mask #airs1
DefauIt: aII active interfaces except
server string - The strin$ that the 0indows machine dis#lays in various #laces1 0ithin
the strin$, Samba re#laces %v with the Samba version number and %h with the
DefauIt: Samba %v
Ubuntu: %h server (Samba, Ubuntu)
Workgroup - The work$rou# the server belon$s to1 Set to the same work$rou# as the
0indows clients that use the server1 This #arameter controls the domain name that
Samba uses when security is set to +-,AIN1
Security Parameters
encrypt passwords - 6BS acce#ts only encry#ted #asswords from clients1 0indows ?E
and 0indows NT :1@ Service ack F and later use encry#ted #asswords by default1 This
#arameter uses smb#asswd to authenticate #asswords unless you set security to
SB"CB" or +-,AIN, in which case Samba authenticates usin$ another server1
DefauIt: YES
guest account - The username that is assi$ned to users lo$$in$ in as guest or ma##ed
to guest3 a##licable only when guest ok is set to 6BS1 This username should be
#resent in /etc/passwd but should not be able to lo$ in on the system1 Ty#ically guest
account is assi$ned a value of nobody because the user nobody can access only files
that any user can access1 If you are usin$ the nobody account for other #ur#oses on
the (inu) system set this #arameter to a name other than nobody1
+efault8 nobody
hosts aIIow - Analo$ous to the /etc/hosts.aIIow file s#ecifies hosts that are allowed to
connect to the server1 -verrides hosts s#ecified in hosts deny1 A $ood strate$y is to
s#ecify A(( in hosts deny and to s#ecify the hosts you want to $rant access to in
this file1 S#ecify hosts in the same manner as in hosts.aIIow1
DefauIt: none (aII hosts permitted access)
hosts deny - Analo$ous to the /etc/hosts.deny file s#ecifies hosts that are not allowed
to connect to the server1 -verridden by hosts s#ecified in hosts aIIow1 If you s#ecify
A(( in this file, remember to include the local system (A/J1@1@1A) in hosts
aIIow1 S#ecify hosts in the same manner as in hosts.deny1
DefauIt: none (no hosts excIuded)
invaIid users - (ists users who are not allowed to lo$ in usin$ Samba1
DefauIt: none (aII users are permitted to Iog in)
Ubuntu: none (aII users are permitted to Iog in)
map to guest - +efines when a failed lo$in is ma##ed to the guest account1 %seful
only when security is not set to S7A"B1
Never ' Allows guest to lo$ in only when the user e)#licitly #rovides guest as the
username and a blank #assword1
Bad User - Treats any attem#t to lo$ in as a user who does not e)ist as a guest lo$in1
This #arameter is a security risk because it allows a malicious user to retrieve a list of
users on the system 5uickly1
Bad Password ' Silently lo$s in as guest any user who incorrectly enters her
#assword1This #arameter may confuse a user when #assword is misty#ed and is
unknowin$ly lo$$ed in as guest because she will suddenly see fewer shares than it is
used to1
DefauIt: Never
Ubuntu: Bad User
passdb backend - S#ecifies how Samba stores #asswords1 Set to lda#sam for (+A,
smb#asswd for Samba, or tdbsam for T+* (trivial database) #assword stora$e1
DefauIt: smbpasswd
Ubuntu: tdbsam
passwd chat - The chat scri#t Samba uses to converse with the #asswd #ro$ram1 If this
scri#t is not followed, Samba does not chan$e the #assword1 %sed only when unix
password sync is set to 6BS1
DefauIt: *new*password* %n\n*new*password* %n\n *changed*
Ubuntu: *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:*
%n\n *password\supdated\ssuccessfuIIy*.
passwd program - The #ro$ram Samba uses to set Linux #asswords1 Samba re#laces
%u with the userDs username1
DefauIt: none
Ubuntu: /usr/bin/passwd %u
security - S#ecifies if and how clients transfer user and #assword information to the
server14hoose one of the followin$8
USER8 4auses Samba to re5uire a username and #assword from 0indows users
when lo$$in$ in on the Samba server1 0ith this settin$ you can use
K username map to ma# Samba usernames to (inu) usernames
K encrypt passwords to encry#t #asswords (recommended)
K guest account to ma# users to the guest account
SHARE8 4auses Samba not to authenticate clients on a #er'user basis1 Instead,
Samba uses the 0indows ?x setu#, in which each share can have an individual
#assword for either read or full access1 This o#tion is not com#atible with more recent
versions of 0indows1
SERVER8 4auses Samba to use another S,* server to validate usernames and
#asswords1 If the remote validation fails, the local Samba server tries to validate
usernames and #asswords as thou$h security were set to %SB"1
DOMAIN8 Samba #asses an encry#ted #assword to a 0indows NT domain controller for
validation1 The workgroup #arameter must be #ro#erly set in smb.conf for +-,AIN to
ADS8 Instructs Samba to use an Active +irectory server for authentication, allowin$ a
Samba server to #artici#ate as a native Active +irectory member1 (Active +irectory is the
centraliLed information system that 0indows /@@@ and later use1 It re#laces 0indows
+omains, which was used by 0indows NT and earlier1)
DefauIt: USER
unix password sync - 6BS causes Samba to chan$e a userDs (inu) #assword when
the associated user chan$es the encry#ted Samba #assword1
DefauIt: NO
Ubuntu: YES
update encrypted - 6BS allows users to mi$rate from clearte)t #asswords to encry#ted
#asswords without lo$$in$ in on the server and usin$ smb#asswd1 To mi$rate users, set
to 6BS1 set encrypt passwords to N-1 As each user lo$s in on the server with a
clearte)t (inu) #assword, smb#asswd encry#ts and stores the #assword1 Set to N- and
set encry#t #asswords to 6BS after all users have been converted1
DefauIt: NO
Logging Parameters
Iog fiIe - The name of the Samba lo$ file1 Samba re#laces %m with the name of the
client system, allowin$ you to $enerate a se#arate lo$ file for each client1
DefauIt: none
Ubuntu: /var/Iog/samba/Iog.%m
Iog IeveI - Sets the lo$ level, with @ (Lero) bein$ off and hi$her numbers bein$ more
DefauIt: 0 (off)
max Iog size - An inte$er s#ecifyin$ the ma)imum siLe of the lo$ file in kilobytes1 A 0
(Lero) s#ecifies no limit1 0hen a file reaches this siLe, Samba a##ends .oId to the
filename and starts a new lo$, deletin$ any old lo$ file1
DefauIt: 5000
Ubuntu: 1000
Share Parameters
Bach of the followin$ #arameters can a##ear many times in smb.conf, once in each
share definition1
AvaiIabIe - 6BS s#ecifies the share as active1 Set this #arameter to N- to disable the
share but continue lo$$in$ re5uests for it1
DefauIt: YES
browseabIe - +etermines whether the share can be browsed, for e)am#le, in 0indows
,y Network laces1
DefauIt: YES
Ubuntu: YES, except for printers
comment - A descri#tion of the share, shown when browsin$ the network from
DefauIt: none
Ubuntu: varies
guest ok - Allows a user who lo$s in as guest to access this share1
DefauIt: NO
Path - The #ath of the directory bein$ shared1
DefauIt: none
Ubuntu: various
read onIy - +oes not allow write access1 %se writabIe to allow read'write access1
DefauIt: YES
10.5 Working with Shares
10.5.1 Linux from WIndows
This section describes how to access (inu) directories from a 0indows machine1
Browsing Shares
To access a share on a Samba server from 0indows, o#en ,y 4om#uter or
B)#lorer on the 0indows system and, in the te)t bo) labeled Address, enter \\
followed by the Net*I-S name (or >ust the hostname if you have not assi$ned a
different Net*I-S name) of the Samba server1 0indows then dis#lays the
directories the (inu) system is sharin$1 To view the shares on the (inu) system
named dog, for
e)am#le, enter \\dog1 From this window, you can view and, if #ermitted, browse
the shares available on the (inu) system1 If you set a share so it is not
you need to enter the #ath of the share usin$ the format \\servername\sharename
to dis#lay the share1
Mapping a Share
Another way to access a share on a Samba server is by ma##in$ (mountin$) a share1
-#en ,y 4om#uter or B)#lorer on the 0indows system and click Map Network
Drive from one of the dro#'down lists on the menubar (found on the TooIs menu on
0indows &)1 0indows dis#lays the ,a# Network +rive window1 Select an unused
0indows drive letter from the list bo) labeled Drive and enter the 0indows #ath to the
share you want to ma# in the te)t bo) labeled FoIder1 The format of the windows #ath is
10.5.2 Windows from Linux
Samba enables you to view and work with files on a 0indows system (client) from a
(inu) system (server)1 This section discusses several ways of accessin$ 0indows files
from (inu)1
smbtree: DispIays Windows Shares
The smbtree utility dis#lays a hierarchical dia$ram of available shares1 0hen you
run smbtree, it #rom#ts you for a #assword3 do not enter a #assword if you want to
browse shares that are visible to the guest user1 The #assword allows you to view
restricted shares, such as a userDs home directory in the [homes] share1 Followin$ is
sam#le out#ut from smbtree8

smbcIient: Connects to Windows Shares
The smbclient utility functions similarly to ft# (#a$e ;EJ) and connects to a 0indows
share1 7owever, smbclient uses (inu)'style forward slashes (/) as #ath se#arators rather
than 0indows'style backslashes (\)1 The ne)t e)am#le connects to one of the
shares dis#layed in the #recedin$ e)am#le8
6ou can use most ft# commands from smbclient1 <ive the command heIp to dis#lay a
list of commands or heIp followed by a command for information on a s#ecific command8
smb: \> heIp history
HELP history8 dis#lays the command history
10.5.3 TroubIeshooting
Samba #rovides two utilities that can hel# troubleshoot a connection8 test#arm
checks the synta) of /etc/samba/smb.conf and dis#lays its contents3 smbstatus
dis#lays a re#ort on o#en Samba connections1
The followin$ ste#s can hel# you narrow down the #roblem when you cannot $et
Samba to work1
"estart the Samba daemons1 ,ake sure smbd is runnin$1
9 sudo service smbd restart
smbd start.runnin$, #rocess ::/@
"un test#arm to confirm that the smb.conf file is syntactically correct8
9 testparm
(oad smb confi$ files from .etc.samba.smb1conf
rocessin$ section =G#rintersH=
rocessin$ section =G#rint9H=
rocessin$ section =G#l/H=
(oaded services file -M1
Server role8 "-(BNSTAN+A(-NB
ress enter to see a dum# of your service definitions
6ou can i$nore an error messa$e about rIimit_max1 If you miss#ell a keyword
in smb.conf, you $et an error such as the followin$8
9 testparm
(oad smb confi$ files from .etc.samba.smb1conf
%nknown #arameter encountered8 =work$ruo#=
I$norin$ unknown #arameter =work$ruo#=
From the Samba server, use smbclient with the -L o#tion followed by the name of the
server to $enerate a list of shares offered by the server8

10.6 ConcIusion
Samba is a suite of #ro$rams that enables (inu) and 0indows to share directory
hierarchies and #rinters1 A directory hierarchy or #rinter that is shared between (inu)
and 0indows systems is called a share1 To access a share on a (inu) system,
a 0indows user must su##ly a username and #assword1 %sernames must corres#ond
to (inu) usernames either directly or as ma##ed by the file that is #ointed to by the
username map #arameter in smb.conf, often /etc/samba/smbusers1 Samba
#asswords are $enerated by smb#asswd1
The main Samba confi$uration file is /etc/samba/smb.conf, which you can edit
usin$ the Shared Folders window, swat (a 0eb'based administration utility), or a te)t
editor1 The swat utility is a #owerful confi$uration tool that #rovides inte$rated online
documentation and clickable default values to hel# you set u# Samba1 From a 0indows
machine, you can access a share on a (inu) Samba server by o#enin$ ,y 4om#uter or
B)#lorer and, in the te)t bo) labeled Address, enterin$ \\ followed by the name of the
server1 In res#onse, 0indows dis#lays the shares on the server1 6ou can work with
these shares as thou$h they were 0indows files1 From a (inu) system, you can use any
of several Samba tools to access 0indows shares1 These tools include smbtree
(dis#lays shares), smbclient (similar to ft#), and mount with the -t cifs o#tion (mounts
shares)1 In addition, you can enter smb:/// in the Nautilus location bar and browse the
10.7 Reference
A PracticaI Guide to Linux, Author - Mark G SobeII, Chapter 23 SAMBA, Pg no.
Ubuntu Guide -
NFS (Network FiIe system)
10.8 Introduction
The NFS (Network File system) #rotocol, a %NI& de facto standard develo#ed by Sun
,icrosystems, allows a server to share selected local directory hierarchies with client
systems on a hetero$eneous network1 NFS runs on %NI&, +-S, 0indows, C,S,
(inu), and more1 Files on the remote com#uter (the fileserver) a##ear as if they are
#resent on the local system (the client)1 ,ost of the time, the #hysical location of a file is
irrelevant to an NFS user3 all standard (inu) utilities work with NFS remote files the
same way as they o#erate with local files1 NFS reduces stora$e needs and system
administration workload1 As an e)am#le, each system in a com#any traditionally holds
its own co#y of an a##lication #ro$ram1 To u#$rade the #ro$ram, the administrator
needs to u#$rade it on each system1 NFS allows you to store a co#y of a #ro$ram on a
sin$le system and $ive other users access to it over the network1 This scenario
minimiLes stora$e re5uirements by reducin$ the number of locations that need to
maintain the same data1 In addition to boostin$ efficiency, NFS $ives users on the
network access to the same data (not >ust a##lication #ro$rams), thereby im#rovin$ data
consistency and reliability1 *y consolidatin$ data, it reduces administrative overhead and
#rovides a convenience to users1 This cha#ter covers NFSvF1

DiskIess systems
In many com#uter facilities, user files are stored on a central fileserver e5ui##ed with
many lar$e'ca#acity disk drives and devices that 5uickly and easily make backu# co#ies
of the data1 A diskless system boots from a fileserver (netbootsO discussed ne)t) or a
4+.+C+ and loads system software from a fileserver1 The (inu) Terminal Server ro>ect
((TS1or$) 0eb site says it all8 P(inu) makes a $reat #latform for de#loyin$ diskless
workstations that boot from a network server1 The (TS is all about runnin$ thin client
com#uters in a (inu) environment1Q *ecause a diskless workstation does not re5uire a
lot of com#utin$ #ower, you can $ive older, retired com#uters a second life by usin$
them as diskless systems1
6ou can netboot systems that are a##ro#riately set u#1 Sedultiy includes the &B
(reboot B)ecution Bnvironment3 pxe #acka$e) server #acka$e for netbootin$ Intel
systems1 -lder systems sometimes use tft# (Trivial File Transfer rotocol3 tftp and tftpd
#acka$es) for netbootin$1 Non'Intel architectures have historically included netboot
ca#abilities, which %buntu (inu) also su##orts1 In addition, you can build the (inu)
kernel so it mounts root (/) usin$ NFS1 <iven the many ways to set u# a system, the one
you choose de#ends on what you want to do1
DataIess systems
Another ty#e of (inu) system is a dataless system, in which the client has a disk but
stores no user data (only (inu) and the a##lications are ke#t on the disk)1 Settin$
u# this ty#e of system is a matter of choosin$ which directory hierarchies are mounted
df: shows where directory hierarchies are mounted
The df utility dis#lays a list of the directory hierarchies available on the system, alon$
with the amount of disk s#ace, free and used, on each1 The -h (human) o#tion makes
the out#ut more intelli$ible1 +evice names in the left column that are #re#ended with
hostname: s#ecify file systems that are available throu$h NFS1

10.9 Working with NFS CIient
This section describes how to set u# an NFS client, mount remote directory hierarchies,
and im#rove NFS #erformance1
10.9.1 Prerequisites
Installation Install the followin$ #acka$e
K nfs-common
Portmap ' The #ortma# utility (which is #art of the portmap #acka$e and is installed as
a de#endency when you install nfs-common3 #a$e :@;) must be runnin$ to enable
reliable file lockin$1
nfs-common init script - 0hen you install the nfs-common #acka$e, the dpkg
postinst scri#t starts the daemons that an NFS client re5uires
10.9.2 Mounting a remote Directory
To set u# an NFS client, mount the remote directory hierarchy the same way you
mount a local directory hierarchy
The followin$ e)am#les show two ways to mount a remote directory hierarchy,
assumin$ dog is on the same network as the local system and is sharin$ /home and
/export with the local system1 The /export directory on dog holds two directory
hierarchies you want to mount8 /export/progs and /export/oracIe1 The e)am#le
mounts dogDs /home directory on /dog.home on the local system, /export/progs on
/apps, and /export/oracIe on /oracIe1
First run mkdir on the local (client) system to create the directories that are the
mount #oints for the remote directory hierarchies8
9 sudo mkdir /dog.home /apps /oracIe
6ou can mount any directory hierarchy from an e)#orted directory hierarchy1 In
this e)am#le, dog e)#orts /export and the local system mounts /export/progs and
/export/oracIe1 The followin$ commands manually mount the directory hierarchies
one time8
9 sudo mount dog:/home /dog.home
9 sudo mount -o ro,nosuid dog:/export/progs /apps
9 sudo mount -o ro dog:/export/oracIe /oracIe
If you receive the error mount: RPC: Program not registered, it may mean NFS is
not runnin$ on the server1
*y default, directory hierarchies are mounted read'write, assumin$ the NFS server
is e)#ortin$ them with read'write #ermissions1 The first of the #recedin$ commands
mounts the /home directory hierarchy from dog on the local directory /dog.home1
The second and third commands use the -o ro o#tion to force a readonly mount1
The second command adds the nosuid o#tion, which forces setuid (#a$e /AE)
e)ecutables n the mounted directory hierarchy to run with re$ular #ermissions on the
local system1
No suid option
If a user has the ability to run a setuid #ro$ram, that user has the #ower of a user
with root #rivile$es1 This ability should be limited1 %nless you know a user will
need to run a #ro$ram with setuid #ermissions from a mounted directory hierarchy,
always mount a directory hierarchy with the nosuid o#tion1 For e)am#le, you
would need to mount a directory hierarchy with setuid #rivile$es when the root #artition
of a diskless workstation is mounted usin$ NFS1
No udev option
,ountin$ a device file creates another #otential security hole1 Althou$h the best
#olicy is not to mount untrustworthy directory hierarchies, it is not always #ossible
to im#lement this #olicy1 %nless a user needs to use a device on a mounted
directory hierarchy, mount directory hierarchies with the nodev o#tion, which #revents
character and block s#ecial files on the mounted directory hierarchy from bein$ used as
Fstab fiIe
If you mount directory hierarchies fre5uently, you can add entries for the directory
hierarchies to the /etc/fstab file (#a$e JEA)1 (Alternatively, you can use automount3
see #a$e J?/1) The followin$ /etc/fstab entries automatically mount the same directory
hierarchies as in the #revious e)am#le at the same time that the system mounts
the local filesystems8
$ cat /etc/fstab
dog:/home /dog.home nfs rw 0 0
dog:/export/progs /apps nfs ro,nosuid 0 0
dog:/export/oracIe /oracIe nfs ro 0 0
A file mounted usin$ NFS is always of ty#e nfs on the local system, re$ardless of
what ty#e it is on the remote system1 Ty#ically you do not run fsck on or back u# an
NFS directory hierarchy1 The entries in the third, fifth, and si)th columns of fstab
are usually nfs (filesystem ty#e), 0 (do not back u# this directory hierarchy with
dum# and 0 (do not run fsck on this directory hierarchy)1The o#tions for mountin$ an
NFS directory hierarchy differ from those for mountin$ an ext4 or other ty#e of
10.10 Setting up a NFS Server
This section deals with settin$ u# an NFS (Network Filesystem) Server1
10.10.1 Prerequisites
Installation Install the followin$ #acka$e8
K nfs-kerneI-server
portmap ' The #ortma# utility (which is #art of the portmap #acka$e and is installed as
a de#endency when you install nfs-kerneI-server3 #a$e :@;) must be runnin$ to enable
reliable file lockin$1
nfs-kerneI-server init script

0hen you install the nfs-kerneI-server #acka$e, the dpkg postinst scri#t starts the
nfsd (the NFS kernel) daemon1 After you confi$ure NFS, call the nfs-kerneI-server
init scri#t to ree)#ort directory hierarchies and restart the nfsd daemon1
$ sudo service nfs-kerneI-server restart
* Stopping NFS kerneI daemon [ OK ]
* Unexporting directories for NFS kerneI daemon... [ OK ]
* Exporting directories for NFS kerneI daemon... [ OK ]
* Starting NFS kerneI daemon [ OK ]
After chan$in$ the NFS confi$uration on an active server, use reIoad in #lace of restart
to ree)#ort directory hierarchies without disturbin$ clients connected to the server1
10.10.2 ManuaIIy Exporting a Directory hierarchy
B)#ortin$ a directory hierarchy makes the directory hierarchy available for mountin$
by desi$nated systems via a network1 PB)#ortedQ does not mean PmountedQ8
0hen a directory hierarchy is e)#orted, it is #laced in the list of directory hierarchies
that can be mounted by other systems1 An e)#orted directory hierarchy may
be mounted (or not) at any $iven time1
A mounted directory hierarchy whose mount #oint is within an e)#orted #artition
is not e)#orted with the e)#orted #artition1 6ou need to e)#licitly e)#ort each
directory hierarchy you want e)#orted, even if it resides within an already e)#orted
directory hierarchy1 For e)am#le, assume two directory hierarchies, /opt/apps and
/opt/apps/oracIe, reside on two #artitions1 6ou must e)#ort each directory hierarchy
e)#licitly, even thou$h oracIe is a subdirectory of apps1 ,ost other subdirectories
and files are e)#orted automatically1
/etc/exports: HoIds the Iist of the exported shares
The /etc/exports file is the access control list for e)#orted directory hierarchies that
NFS clients can mount3 it is the only file you need to edit to set u# an NFS server1
The e)#ortfs utility (#a$e J?A) reads this file when it u#dates the files in /var/Iib/nfs
(#a$e JE?), which the kernel uses to kee# its mount table current1 The exports file
controls the followin$ NFS characteristics8
Which cIients can access the server
Which directory hierarchies on the server each cIient can access
How each cIient can access each directory hierarchy?
How cIient usernames are mapped to server usernames
Various NFS parameters
Bach line in the exports file has the followin$ format8
export-point cIient1(option-Iist) GcIient2(option-Iist) 111 H
where export-point is the absolute #athname of the root directory of the directory
hierarchy to be e)#orted1 The cIient1-n are the names or I addresses of one or
more clients, se#arated by SA4Bs, that are allowed to mount the export-point1 The
option-Iist, described in the ne)t section, is a comma'se#arated list of o#tions that
a##lies to the #recedin$ cIient3 it must not contain any SA4Bs1 There must not be any
SA4B between each client name and the o#en #arenthesis that starts the option-Iist1
6ou can either use shares'admin to make chan$es to exports or edit this
file manually1 The followin$ exports file $ives grape read and write access to /home,
and jam and the system at A?/1A;E1@1A/ read and write access to /pI68
$ cat /etc/exports
/home grape(rw,no_subtree_check)
/pI6,no_subtree_check) jam(rw,no_subtree_check)
The s#ecified directories are on the local server1 In each case, access is im#licitly
$ranted for the directory hierarchy rooted at the e)#orted directory1 6ou can s#ecify
I addresses or hostnames and you can s#ecify more than one client system on a
line1 *y default, directory hierarchies are e)#orted in readonly mode1 The current
version of e)#ortfs com#lains when you do not s#ecify either subtree_check or
Allows a directory to be e)#orted only if it has been mounted1 This o#tion #revents
a mount #oint that does not have a directory hierarchy mounted on it from bein$
e)#orted and #revents the underlyin$ mount #oint from bein$ e)#orted1 Also mp1
nohide (hide)
0hen a server e)#orts two directory hierarchies, one of which is mounted on the
other, a client has to mount both directory hierarchies e)#licitly to access both1
0hen the second (child) directory hierarchy is not e)#licitly mounted, its mount
#oint a##ears as an em#ty directory and the directory hierarchy is hidden1 The
nohide o#tion causes the underlyin$ second directory hierarchy to a##ear when it is
not e)#licitly mounted, but this o#tion does not work in all cases1
ro (rw) (readonIy)
ermits only read re5uests on an NFS directory hierarchy1 %se rw to #ermit read and
write re5uests1
sync (async) (synchronize)
S#ecifies that the server should re#ly to re5uests only after disk chan$es made by the
re5uest are written to disk1 The async o#tion s#ecifies that the server does not have to
wait for information to be written to disk and can im#rove #erformance, albeit at the cost
of #ossible data corru#tion if the server crashes or the connection is interru#ted1
Bach user has a %I+ number and a #rimary <I+ number on the local system1 The
local /etc/passwd and /etc/group files may ma# these numbers to names1 0hen a
user makes a re5uest of an NFS server, the server uses these numbers to identify the
user on the remote system, raisin$ several issues8
The user may not have the same ID numbers on both systems. As a
consequence, the user may have owner access to fiIes of another user and not
have owner access to his own fiIes.
You may not want a user with root priviIeges on the cIient system to have
owner access to root-owned fiIes on the server.
You may not want a remote user to have owner access to some important
system fiIes that are not owned by root (such as those owned by bin).
Owner access to a file means that the remote user can e)ecute orOworseOmodify
the file1 NFS $ives you two ways to deal with these cases8
You can use the root_squash option to map the ID number of the root
account on a cIient to UID 65534 on the server.
You can use the aII-squash option to map aII NFS users on the cIient to
UID 65534 on the server.
%se the anonuid and anongid o#tions to override these values1
root_squash (no_root_squash)
,a#s re5uests from root on a remote system so they a##ear to come from the %I+
;RRF:, a non#rivile$ed user on the local system, or as s#ecified by anonuid1 This
o#tion does not affect other sensitive %I+s such as bin1 The no_root_squash o#tion
turns off this ma##in$ so that re5uests from root a##ear to come from root1
+oes not chan$e the ma##in$ of users makin$ re5uests of the NFS server1 The
aII_squash o#tion ma#s re5uests from all usersOnot >ust rootOon remote systems
to a##ear to come from the %I+ ;RRF:, a non#rivile$ed user on the local system, or
as s#ecified by anonuid1 This o#tion is useful for controllin$ access to e)#orted
#ublic FT, news, and other directories1
10.11 Where does system keeps NFS Mount Information
A server holds several lists of directory hierarchies it can e)#ort1 The list that you as
a system administrator work with is /etc/exports1 The followin$ discussion assumes
that the local server, pIum, is e)#ortin$ these directory hierarchies8
$ cat /etc/exports
/home grape(rw,no_subtree_check)
/pI6,no_subtree_check) jam(rw,no_subtree_check)
e)#ortfs dis#lays the list of e)#orted directory hierarchies8
$ exportfs
/home grape
/pI6 jam
The im#ortant files and #seudofiles that NFS works with are described ne)t1
/var/Iib/nfs/etab (e)#ort table) -n the server, lists the directory hierarchies that are
e)#orted (can be mounted, but are not necessarily mounted at the moment) and the
o#tions they are e)#orted with8
$ cat /var/Iib/nfs/etab
/home grape(rw,sync,wdeIay,hide,nocrossmnt,secure,root_squash,
/pI6 jam(rw,sync,wdeIay,hide,nocrossmnt,secure,root_squash,
The #recedin$ out#ut shows that grape can mount /home and that jam and
A?/1A;E1@1A/ can mount /pI61 The etab file is initialiLed from /etc/exports when the
system is brou$ht u#, read by mountd when a client asks to mount a directory
and modified by e)#ortfs as the list of e)#orted directory hierarchies
/var/Iib/nfs/rmtab (remote mount table) -n the server, lists the directory hierarchies that
are mounted by client systems8
$ cat /var/Iib/nfs/rmtab
The #recedin$ out#ut shows /pI6 is mounted by A?/1A;E1@1A/1 The rmtab file is
u#dated by mountd as it mounts and unmounts directory hierarchies1 This file is
Pmostly ornamentalQ (from the mountd man #a$e) and may not be accurate1
/proc/mounts -n the client, this #seudofile dis#lays the kernel mount table, which lists
filesystems mounted by the local system1 In the followin$ e)am#le, $re# dis#lays lines
that contain the strin$ nfs followed by a SA4B1 The SA4B, which you must 5uote,
eliminates lines with the strin$ nfs that do not #ertain to mounted filesystems1
$ grep nfs\ /proc/mounts
pIum:/pI6 /mnt nfs rw,vers=3,rsize=131072,wsize=131072,hard,intr,proto=
tcp,timeo=600,retrans=2,sec=sys,addr=pIum 0 0
10.12 Showmount: DispIays NFS status Information
0ithout any o#tions, the showmount utility dis#lays a list of systems that are
allowed to mount local directories1 6ou ty#ically use showmount to dis#lay a list of
directory hierarchies that a server is e)#ortin$1 To dis#lay information for a remote
system, $ive the name of the remote system as an ar$ument1 The information
showmount #rovides may not be com#lete, however, because it de#ends on mountd
and trusts that remote servers are re#ortin$ accurately1
In the followin$ e)am#le, A?/1A;E1@1A/ is allowed to mount local directories, but
you do not know which ones8
$ showmount
Hosts on pIum:
If showmount dis#lays an error such as RPC: Program not registered, NFS is not
runnin$ on the server1 Start NFS on the server with the nfs-kerneI-server init scri#t
-a (aII) +is#lays a list of client systems and indicates which directories each client
system can mount1 This information is stored in /etc/exports1 In the followin$ e)am#le,
showmount lists the directories that A?/1A;E1@1A/ can mount from the local
$ /sbin/showmount -a
AII mount points on pIum:
-e (exports) +is#lays a list of e)#orted directories and the systems that each directory
is e)#orted to1
$ showmount -e
Export Iist for pIum:
10.12.1 exportfs: Maintains the Iist of exported directories
The e)#ortfs utility maintains the /var/Iib/nfs/etab file (#a$e JE?)1 0hen mountd is
called, it checks this file to see if it is allowed to mount the re5uested directory hierarchy1
Ty#ically e)#ortfs is called with sim#le o#tions and modifies the etab file
based on chan$es in /etc/exports1 0hen called with client and directory ar$uments,
it can add to or remove the directory hierarchies s#ecified by those ar$uments from
the list ke#t in etab, without reference to the exports file1 An e)#ortfs command has
the followin$ format8
/usr/sbin/exportfs [options] [cIient:dir ...]
where options is one or more o#tions (as discussed in the ne)t section), client is the
name of the system that dir is e)#orted to, and dir is the absolute #athname of the
directory at the root of the directory hierarchy bein$ e)#orted1 0ithout any ar$uments,
e)#ortfs re#orts which directory hierarchies are e)#orted to which systems8
$ exportfs
/home grape
/pI6 jam
The system e)ecutes the followin$ command when it comes u# (it is in the nfskerneI-
server init scri#t)1 This command ree)#orts the entries in /etc/exports and
removes invalid entries from /var/Iib/nfs/etab so etab is synchroniLed with /etc/exports8
$ sudo exportfs -r
-a (aII) B)#orts directory hierarchies s#ecified in /etc.exports1 This o#tion does not
unexport entries you have removed from exports (that is, it does not remove invalid
entries from /var/Iib/nfs/etab)3 use -r to #erform this task1
-f (fIush) "emoves everythin$ from the kernelDs e)#ort table1
-i (ignore) I$nores /etc.exports3 uses what is s#ecified on the command line only1
-o (options) S#ecifies o#tions1 6ou can s#ecify o#tions followin$ -o the same way you
do in the exports file1 For e)am#le, exportfs -i -o ro dog:/home/sam e)#orts
/home.sam on the local system to dog for readonly access1
-r (reexport) "ee)#orts the entries in /etc/exports and removes invalid entries from
/var/Iib/nfs/etab so /var/Iib/nfs/etab is synchroniLed with /etc/exports1
-u (unexport) ,akes an e)#orted directory hierarchy no lon$er e)#orted1 If a directory
hierarchy is mounted when you une)#ort it, users see the messa$e StaIe NFS
fiIe handIe when they try to access the directory hierarchy from a remote system1
-v (verbose) rovides more information1 +is#lays e)#ort o#tions when you use e)#ortfs
to dis#lay e)#ort information1
10.13 Testing the Server Setup
From the server, run the nfs-kerneI-server init scri#t with an ar$ument of status1 If
all is well, the system dis#lays the followin$8
$ service nfs-kerneI-server status
nfsd running
Also check that mountd is runnin$8
$ ps -e | grep mountd
29609 ? 00:00:00 rpc.mountd
Ne)t, from the server, use r#cinfo to make sure NFS is re$istered with #ortma#8
9 rpcinfo -p IocaIhost | grep nfs
A@@@@F / ud# /@:? nfs
A@@@@F F ud# /@:? nfs
A@@@@F : ud# /@:? nfs
A@@@@F / tc# /@:? nfs
A@@@@F F tc# /@:? nfs
A@@@@F : tc# /@:? nfs
"e#eat the #recedin$ command from the client, re#lacin$ IocaIhost with the name
of the server1 The results should be the same1Finally, try mountin$ directory hierarchies
from remote systems and verify access1
10.14 ConcIusion
NFS allows a server to share selected local directory hierarchies with client systems
on a hetero$eneous network, thereby reducin$ stora$e needs and administrative
overhead1 NFS defines a client.server relationshi# in which a server #rovides directory
hierarchies that clients can mount1
-n the server, the /etc/exports file ty#ically lists the directory hierarchies that the
system e)#orts1 Bach line in exports s#ecifies a directory hierarchy and the client
systems that are allowed to mount it, includin$ o#tions for each client (readonly,
read'write, and so on)1 An exportfs -r command causes NFS to reread this file1
From a client, a mount command mounts an e)#orted NFS directory hierarchy1
Alternatively, you can #ut an entry in /etc/fstab to have the system automatically
mount the directory hierarchy when it boots1
Automatically mounted directory hierarchies hel# mana$e lar$e $rou#s of systems
containin$ many servers and filesystems in a consistent way and can hel# remove
serverserver de#endencies1 The automount daemon automatically mounts autofs
directory hierarchies when they are needed and unmounts them when they are no
lon$er needed1
10.15 References
A practicaI guide to Linux, Author- Mark G SobeII, CH - NFS: Sharing FiIesystems,
Pg- 776-795,
Ubuntu guide, http://www.ubuntu$
FTP (FiIe Transfer ProtocoI)
10.16 Introduction
File Transfer rotocol is a method of downloadin$ files from and u#loadin$ files to
another system usin$ T4.I over a network1 File Transfer rotocol is the name of a
client.server #rotocol (FT) and a client utility (ft#) that invokes the #rotocol1
In addition to the ori$inal ft# utility, there are many te)tual and $ra#hical FT client
#ro$rams, includin$ most browsers, that run under many different o#eratin$ systems1
There are also many FT server #ro$rams1
This cha#ter starts with an introduction to FT which discusses security, describes
ty#es of FT connections, and #resents a list of FT clients
10.16.1 History
First im#lemented under :1/*S+, FT has #layed an essential role in the #ro#a$ation
of (inu)3 this #rotocol.#ro$ram is fre5uently used to distribute free software1
The term !P site refers to an FT server that is connected to a network, usually the
Internet1 FT sites can be #ublic, allowin$ anonymous users to lo$ in and download
software and documentation1 In contrast, #rivate FT sites re5uire you to lo$ in
with a username and #assword1 Some sites allow you to u#load #ro$rams1
10.16.2 Proftpd
roFT+ is a #roven, hi$h'#erformance, scalable FT server written from scratch, with
a focus toward sim#licity, security, and ease of confi$uration1 Naturally, roFT+
#owers some of the lar$est sites on the Internet1 It features a very A#ache'like
confi$uration synta), modules, and a hi$hly customiLable server infrastructure, includin$
su##ort for multi#le SvirtualD FT servers, anonymous FT, and #ermission'based
directory visibility1
ProFTPD Features
Sin$le main confi$uration file, with directives and directive $rou#s which are
intuitive to any administrator who has ever used the A#ache web server1
er directory P1ft#accessQ confi$uration similar to A#acheDs P1htaccessQ1
Basy to confi$ure multi#le virtual FT servers and anonymous FT services1
+esi$ned to run either as a stand'alone server or from inetd.)inetd, de#endin$
on system load1
Anonymous FT root directories do not re5uire any s#ecific directory structure,
system binaries or other system files1
No SITB B&B4 command1 In modern Internet environments, such commands
are a security ni$htmare1 roFT+ does not e)ecute any e)ternal #ro$rams at
any time1 The source is available (and must always be available) for
administrators to audit1
7idden directories and files, based on %ni)'style #ermissions or user.$rou#
"uns as a confi$urable non'#rivile$ed user in stand'alone mode in order to
decrease chances of attacks which mi$ht e)#loit its ProotQ abilities1 Note8 This
feature is de#endent on the ca#abilities of the host %ni) system1
(o$$in$ and utm#.wtm# su##ort1 (o$$in$ is com#atible with the wu'ft#d
standard, with e)tended lo$$in$ available1
Shadow #assword suite su##ort, includin$ su##ort for e)#ired accounts1
,odular desi$n, allowin$ server to be e)tended easily with modules1 ,odules
have been written for S2( databases, (+A servers, SS(.T(S encry#tion,
"A+I%S su##ort, etc1
Iv; su##ort1
10.16.3 Setting up Proftpd.
Install #roft#d with this command8
# sudo apt-get instaII proftpd
Configuring Proftpd
(et us start with the confi$uration of roft#d1
STEP1- First add this line to /etc/sheIIs, you may do this by editin$ the file usin$ vim or

STEP2- 4reate a directory in /home. (et us assume the directory to be shared1
# cd /home
# mkdir shared
STEP3- 4reate a user named userftp which will be used only for ft# access1 This user
doesnDt need a valid shell (more secure) therefore select .bin.false shell for userftp and
/home/ shared as home directory1
# useradd userftp -p password -d /home/shared -s /bin/faIse
# passwd userftp
STEP4- In FT'shared directory create a downIoad and an upIoad directory and set
the #ermissions1
# cd /home/shared ; To move to the location of userft# home directory
/home/shared# mkdir downIoad upIoad; To create directories in .home.shared
Then provide the permissions to the foIders:
# chmod 755 /home/shared
#cd /home/shared
/home/shared# chmod 755 downIoad
/home/shared# chmod 777upIoad

After the above tasks you may see the #ermissions a##lied to the folders and hierarchy
STEP5- Now $o to the #roft#d confi$uration file1
# To reaIIy appIy changes reIoad proftpd after modifications.
# Choose here the user aIias you want !!!!
UserAIias userftp
ServerName "ChezFrodon"
ServerType standaIone
DeferWeIcome on
MuItiIineRFC2228 on
DefauItServer on
ShowSymIinks off
TimeoutNoTransfer 600
TimeoutStaIIed 100
TimeoutIdIe 2200
DispIayChdir .message
ListOptions "-I"
RequireVaIidSheII off
TimeoutLogin 20
RootLogin off
# It's better for debug to create Iog fiIes ;-)
ExtendedLog /var/Iog/ftp.Iog
TransferLog /var/Iog/xferIog
SystemLog /var/Iog/sysIog.Iog
#DenyFiIter \*.*/
# I don't choose to use /etc/ftpusers fiIe (set inside the users you want to
ban, not usefuI for me)
UseFtpUsers off
# AIIow to restart a downIoad
AIIowStoreRestart on
# Port 21 is the standard FTP port, so you may prefer to use another port
for security reasons (choose here the port you want)
Port 21
# To prevent DoS attacks, set the maximum number of chiId processes
# to 30. If you need to aIIow more than 30 concurrent connections
# at once, simpIy increase this vaIue. Note that this ONLY works
# in standaIone mode, in inetd mode you shouId use an inetd server
# that aIIows you to Iimit maximum number of processes per service
# (such as xinetd)
MaxInstances 8
# Set the user and group that the server normaIIy runs at.
User nobody
Group nogroup
# Umask 022 is a good standard umask to prevent new fiIes and dirs
# (second parm) from being group and worId writabIe.
Umask 022 022
PersistentPasswd off
MaxCIients 8
MaxCIientsPerHost 8
MaxCIientsPerUser 8
MaxHostsPerUser 8
# DispIay a message after a successfuI Iogin
AccessGrantMsg "weIcome !!!"
# This message is dispIayed for each access good or not
ServerIdent on "you're at home"
# Lock aII the users in home directory, ***** reaIIy important *****
DefauItRoot ~
MaxLoginAttempts 5
<Limit LOGIN>
AIIowUser userftp
<Directory /home/shared>
Umask 022 022
AIIowOverwrite off
<Directory /home/shared/downIoad/*>
Umask 022 022
AIIowOverwrite off
<Directory /home/shared/upIoad/>
Umask 022 022
AIIowOverwrite on
STEP6- To START/ STOP or RESTART the server.
#/etc/init.d/proftpd stop
#/etc/init.d/proftpd start
#/etc/init.d/proftpd restart
ftp & vsftpd
Althou$h most FT clients are similar, the servers differ 5uite a bit1 This cha#ter
describes the ft# client with references to sft#, a secure FT client1 It also covers the
FT server available under %buntu, which is named vsftpd (very secure FT daemon)1
ftp utiIity
The ft# utility is a user interface to FT, the standard #rotocol used to transfer files
between systems that communicate over a network1
10.17 Security
FT is not a secure #rotocol8 All usernames and #asswords e)chan$ed in settin$ u# an
FT connection are sent in clearte)t, data e)chan$ed over an FT connection is not
encry#ted, and the connection is sub>ect to hi>ackin$1 <iven these facts, FT is best
used for downloadin$ #ublic files1 In most cases, the -#enSS7 clients, ssh, sc#, and
sft#, offer secure alternatives to FT1
The vsftpd server does not make usernames, #asswords, data, and connections more
secure1 7owever, it is secure in that a malicious user finds it more difficult to
com#romise directly the system runnin$ it, even if vsftpd is #oorly im#lemented1 -ne
feature that makes vsftpd more secure than ftpd is the fact that it does not run with root
FT is not secure1 The sft# utility #rovides better security for all FT functions other than
allowin$ anonymous users to download information1 *ecause sft# uses an encry#ted
connection, user #asswords and data cannot be sniffed when you use this utility1 6ou
can re#lace all instances of ft# in this cha#ter with sft# because sft# uses the same
commands as ft#1
10.17.1 FTP Connections
FT uses two connections8 one for control (you establish this connection when you lo$
in on an FT server) and one for data transfer (FT sets u# this connection when you
ask it to transfer a file)1 An FT server listens for incomin$ connections on #ort /A by
default and handles user authentication and file e)chan$e1
Passive versus Active Connection
A client can ask an FT server to establish either a ASC (#assiveO$ive the command
ftp -p or pftp) or a -"T (activeOthe default when you use ftp) connection for data
transfer1 Some servers are limited to one ty#e of connection1 The difference between a
#assive and an active FT connection lies in whether the client or the server initiates
the data connection1 In #assive mode, the client initiates the connection to the server
(on #ort /@ by default)3 in active mode, the server initiates the connection (there is no
default #ort1 Neither a##roach is inherently more secure than the other1 assive
connections are more common because a client behind a NAT can connect to a #assive
server and it is sim#ler to #ro$ram a scalable #assive server1
10.17.2 FTP CIients
ftp %buntu su##lies several FT clients, includin$ ft# (an older version of the *S+ ft#
utility)1 This section discusses ft# because most other FT clients, includin$ sft# and
sftp art of the -#enSS7 suite, sft# (openssh-cIient #acka$e) is a secure and
functionally e5uivalent alternative to ft#1 The sft# utility is not a true FT clientOit does
not understand the FT #rotocol1 It ma#s ft# commands to -#enSS7 commands
Iftp The lft# utility (Iftp #acka$e) #rovides the same security as sft# but offers more
gFTP The $ft# utility (gftp #acka$e) is a $ra#hical client that works with FT, SS7, and
7TT servers1 This client has many useful features, includin$ the ability to resume
an interru#ted file transfer1 See www1$ft#1or$ and freshmeat1net.#ro>ects.$ft# for
more information1
NcFTP The ncft# utility (ncftp #acka$e) is a te)tual client that offers many more features
than ft#, includin$ filename com#letion and command'line editin$1 For details see
www1ncft#1com and freshmeat1net.#ro>ects.ncft#1
10.18 Setting up an FTP Server
This section e)#lains how to set u# an FT server im#lemented by the vsftpd daemon
Install the followin$ #acka$e8
K vsftpd

vsftpd init scri#t 0hen you install the vsftpd #acka$e, the dpkg postinst scri#t starts
the vsftpd daemon1 After you confi$ure vsftpd, $ive the followin$ initctl command to
restart the vsftpd daemon8
9 sudo restart vsftpd
vsft#d start.runnin$, #rocess AR:;
After chan$in$ the vsftpd confi$uration on an active server, use reIoad in #lace of
restart to reload the vsftpd confi$uration files without disturbin$ clients that are
connected to the server1
10.18.1 Anonymous FTP Configuration
*y default vsft#d is confi$ured to only allow anonymous download1 +urin$ installation a
ft# user is created with a home directory of .home.ft#1 This is the default FT directory1
If you wish to chan$e this location, to .srv.ft# for e)am#le, sim#ly create a directory in
another location and chan$e the ft# userTs home directory8
sudo mkdir /srv/ftp
sudo usermod -d /srv/ftp ftp
After makin$ the chan$e restart vsft#d8
sudo /etc/init.d/vsftpd restart
Finally, co#y any files and directories you would like to make available throu$h
anonymous FT to .srv.ft#
To confi$ure vsft#d to authenticate system users and allow them to u#load files edit .etc.
Now restart vsft#d8
sudo /etc/init.d/vsftpd restart
Now when system users lo$in to FT they will start in their home directories where they
can download, u#load, create directories, etc1
Similarly, by default, the anonymous users are not allowed to u#load files to FT server1
To chan$e this settin$, you should uncomment the followin$ line, and restart vsft#d8
sudo /etc/init.d/vsftpd restart
The confi$uration file consists of many confi$uration #arameters1 The information about
each #arameter is available in the confi$uration file1 Alternatively, you can refer to the
man #a$e, man R vsft#d1conf for details of each #arameter1
10.18.3 Securing FTP
There are o#tions in .etc.vsft#d1conf to hel# make vsft#d more secure1 For e)am#le
users can be limited to their home directories by uncommentin$8
6ou can also limit a s#ecific list of users to >ust their home directories8
After uncommentin$ the above o#tions, create a .etc.vsft#d1chrootNlist containin$ a list of
users one #er line1 Then restart vsft#d8
sudo /etc/init.d/vsftpd restart
Also, the .etc.ft#users file is a list of users that are disallowed FT access1 The default
list includes root, daemon, nobody, etc1 To disable FT access for additional users
sim#ly add them to the list1
10.18.4 Running the FTP and SFTP CIients
This section describes how to use the ft# and sft# FT clients1 The commands covered
here work with both utilities1The ft# and sft# utilities are installed on most systems1 6ou
can check for their #resence by $ivin$ either of these utilitiesD names as commands8
Install the ftp (contains ft# and #ft#) or openssh'cIient (contains sft#) #acka$e if
If you are not able to connect to the server, first make sure the server is runnin$8
9 ps -ef | grep vsftpd
root R;EA A @ A/8// U @@8@@8@@ .usr.sbin.vsft#d
sam ;;/? ;R?; @ A:8:? #ts./ @@8@@8@@ $re# vsft#d
If an anonymous user cannot lo$ in, check that #ermissions on /srv/ftp, or the home
directory of ft# as s#ecified in /etc/passwd, are set to JRR and that the directory is
not owned by ftp1 If the ftp user can write to /var/ftp, connections will fail1
$ Is -Id /srv/ftp
drwxr-xr-x 2 root ftp 4096 2010-04-01 14:56 /srv/ftp
-nce you are able to lo$ in from the local system, lo$ in from another systemO
either one on the (AN or another system with access to the server1 -n the command
line, use the hostname from within the (AN or the "D# from outside the (AN1 The
dialo$ should a##ear the same as in the #revious e)am#le1 If you cannot lo$ in from a
system that is not on the (AN, use #in$ to test the connection and make sure the firewall
is set u# to allow FT access1
10.18.5 Other Configuration FiIes
In addition to /etc/vsftpd.conf, the followin$ files control the functionin$ of vsftpd1
The directory hierarchy that user_config_dir #oints to is not included in this list
because it has no default name1
(ists users, one #er line, who are never allowed to lo$ in on the FT server, re$ardless
of how userIist_enabIe (#a$e J@/) is set and re$ardless of the users listed in the
user_Iist file1 The default file lists root, bin, daemon, and others1
(ists either the only users who can lo$ in on the server or the only users who are
not allowed to lo$ in on the server1 The userIist_enabIe (#a$e J@/) o#tion must be
set to 6BS for vsftpd to e)amine the list of users in this file1 Settin$ userIist_enabIe
to 6BS and userIist_deny (#a$e J@/) to 6BS (or not settin$ it) #revents listed users
from lo$$in$ in on the server1 Settin$ userIist_enabIe to 6BS and userIist_deny to
N- #ermits only the listed users to lo$ in on the server1
+e#endin$ on the chroot_Iist_enabIe (#a$e J@F) and chroot_IocaI_user (#a$e J@:)
settin$s, lists either users who are forced into a chroot >ail in their home directories
or users who are not #laced in a chroot >ail1
(o$ file1
10.19 ConcIusion
File Transfer rotocol is a #rotocol for downloadin$ files from and u#loadin$ files to
another system over a network1 FT is the name of both a client.server #rotocol
(FT) and a client utility (ft#) that invokes this #rotocol1 *ecause FT is not a secure
#rotocol, it should be used only to download #ublic information1 6ou can run the
vsftpd FT server in the restricted environment of a chroot >ail to make it si$nificantly
less likely that a malicious user can com#romise the system1
,any servers and clients im#lement the FT #rotocol1 The ft# utility is the ori$inal client
im#lementation3 sft# and lft# are secure im#lementations that use -#enSS7 facilities to
encry#t the connection1 Althou$h they do not understand the FT #rotocol, they ma#
ft# commands to -#enSS7 commands1 The vsftpd daemon is a secure FT server3 it
better #rotects the server from malicious users than do other FT servers1
ublic FT servers allow you to lo$ in as anonymous or ftp1 *y convention, you
su##ly your email address as a #assword when you lo$ in as an anonymous user1
ublic servers fre5uently have interestin$ files in the pub directory1
FT #rovides two modes of transferrin$ files8 binary and AS4II1 It is safe to use
binary mode to transfer all ty#es of files, includin$ AS4II files1 If you transfer a
binary file usin$ AS4II mode, the transfer will fail1
10.20 References
A PracticaI Guide To Linux, Author- Mark G RobseI, CH - 19 FTP, Pg . - 668-711.
Ubuntu Guide, htt#8..www1ubuntu$uide1com