Managing SMB/CIFS Networks with net

Samba 3.0 has been released. It's the latest version of a server that has become an essential part of Linux. Samba is primarily a server for the Server Message Block (SMB) protocol (also known as the Common Internet File System, or CIFS), the protocol used by Windows computers for file and printer sharing. Using Samba, Linux systems seamlessly integrate into existing Windows networks. Without Samba, Linux couldn't serve as a "drop-in" replacement for Windows file and print servers.

Samba 3.0 provides many improvements over the earlier 2.2.x series, including the ability to join Microsoft Active Directory (AD) domains, support for multiple password database back-ends, the ability to function as a backup domain controller (BDC) to a Samba primary domain controller (PDC), better support for Windows NT/2000/XP printing, Unicode filename support, domain trust support, a command for performing network maintenance, and more. If you need any of these features, upgrading to Samba 3.0 is a no-brainer. Even if you don't need these features, you'll probably upgrade eventually with your next Linux distro upgrade, as Samba 3.0 becomes standard with new distributions.

This column is devoted to the net command, one of the new Samba features. net helps you perform maintenance operations on SMB/CIFS networks. Its goal is to replace several other Samba commands, such as smbpasswd. Although Samba 3.0's net command can't yet do everything it might eventually do, it can handle many important duties. Learning about it is important for managing the new version of Samba, and net will likely become even more important in the future.

The Purpose of net

DOS and Windows have long included a command called NET, which handles mounting and unmounting SMB/CIFS shares, setting the time from a time server, and so on. Samba’s new net command is modeled loosely on the DOS/Windows NET, but many of the details differ. Some features of the new Samba net may seem familiar, but others won’t. Broadly speaking, the functions of Samba’s net include account maintenance, domain functions, server functions, and time functions. These features are described in more detail shortly.

Many of net‘s features are geared toward domain operations. These functions help Samba operate on a Windows NT4-style domain or a new AD domain. Other functions are useful even in a workgroup configuration, either to control the local computer or other servers on the network.

Basic Syntax for net

The net command accepts parameters and subcommands that tell it what to do. The general syntax for the command is:

net [ADS | RPC | RAP] command [parameters]
The specification of ADS, RPC, or RAP tells the utility whether to try to communicate with other systems using AD, Remote Procedure Call (RPC), or the older Remote Administration Protocol (RAP). In most cases, net can figure out which method to use, but if a command doesn't work, you can specify which method you think is needed.

However, a few commands work with only one or two of these communication methods. ADS is most useful on networks that use Windows 200x domain controllers; RPC is useful on domains controlled by Samba, Windows NT 4.0, and some Windows 2000 controllers; and RAP is useful when communicating with Windows 9x/Me and Windows NT 3.x systems.

The commands are described shortly. The parameters modify the action of the tool. The most important of these are:

* -h or --help. This parameter displays help on use of net.

* -s config-file. Normally, net takes various parameters from the normal smb.conf configuration file. However, you can point the tool at another configuration file with this option.

* -I ip-address. You can provide the IP address of a server or domain controller with this parameter.

* -S server-name. You can specify the name of the server or domain controller with this parameter.

* -w workgroup. This parameter sets the target workgroup or domain — the one you want to modify.

* -W workgroup. Specify the workgroup that the client claims to be with this parameter.

* -n netbios-name. Provide the NetBIOS name that the client claims to be with this parameter.

* -U username. This parameter sets the username you want to use for your operations. (Samba also accepts the form -U username%password, but a password given this way is visible to other users in process listings and in your shell history, so it's better to let net prompt for it.)

* -P. Using this parameter, you can tell net to query the external server using the local system’s machine account.

* -l. This parameter produces long (verbose) output, providing you with more information.

* -d debuglevel. This parameter sets the debug level. It accepts a value from 0 to 10 and overrides the log level parameter in smb.conf.

As a general rule, you’ll include one of the -I, -S, or -w parameters so that the tool knows what remote system to contact. (In the case of -w, net must scan the local network for the domain controller, which sometimes doesn’t work as well as specifying a machine with -I or -S.) Sometimes net can locate the correct system to contact automatically, though. All of these parameters are case-sensitive, and some have opposite-case equivalents, so be sure to type the case correctly!

Using net Commands

The bulk of net's features are its many commands. Some of these commands take subcommands and additional parameters, so some of them are quite complex in and of themselves. Others are useful only in certain contexts or when the local Samba server has been prepared in some way. The most important commands that are implemented are:

* CHANGESECRETPW changes the machine account password for the client on the specified server. This command is potentially quite dangerous, because it can break a system’s ability to log into a domain.

* You can view the time on the remote server with the TIME command. You can add several subcommands to modify its action: SYSTEM displays the time in a format that’s suitable for input to /bin/date, SET runs /bin/date using the time received from the remote server, and ZONE displays the time zone on the server, expressed as hours from UTC.

* JOIN [TYPE] [options] joins your system to a domain. TYPE may be MEMBER, PDC, or BDC, to specify how you’ll join the domain — in most cases, MEMBER is appropriate. You must normally specify a username via the -U parameter. This username must have administrative control over the domain. In the case of a Samba domain controller, the user can be root, if you add that account to the Samba administrative database, or it can be a user who’s been given root privileges via the admin users option in smb.conf.

* OLDJOIN joins your system to a domain using older methods. This approach requires that a trust account for your system already exist on the domain controller.

* Manipulate user accounts with USER. Passing no additional parameters lists the user accounts on the server or domain. Additional options are DELETE, which deletes the specified account; INFO, which lists the groups to which the specified user belongs; and ADD, which adds a user to the system. All of these options require a username as an additional option, and some take more options to modify their operation.

* The GROUP command is similar to USER, but it enables you to view or tweak group settings. Passing it no additional options returns information on groups on the server. Additional options are DELETE, which deletes a group, and ADD, which adds a group.

* Typing SHARE alone displays all the shares available on the specified server. Available options are ADD and DELETE, which activate or deactivate shares, respectively.

* Use SESSION to learn about open sessions (connections to clients maintained by the server). Typing it alone produces a summary of open sessions. Additional options enable manipulations: DELETE and CLOSE are synonymous, and close the specified session; INFO displays information on the files opened by a client you specify.

* SERVER is a RAP command to display information on the servers in the domain. The default is to display information in the current domain, but you can add a domain name to display information on another domain if the contacted system has information about that domain.

* DOMAIN is another RAP command. DOMAIN summarizes the domains and workgroups visible on the current network or available to the server you contact.

* Another RAP command, PRINTQ helps manage print queues on the server. Using it with no subcommand displays information on the queues maintained by the server. Adding LIST and a queue name lists information on jobs in a specified print queue. Adding DELETE, a queue name, and a job number deletes the specified job from the queue. (These last two options appear to be broken in Samba 3.0.0.)

* The GROUPMEMBER RAP command enables you to manipulate group membership. It necessarily takes one of three commands (LIST, DELETE, or ADD) and a group name. The DELETE and ADD commands also require you to pass a username to the system.

* You can change a user's password on the remote system with the PASSWORD RAP command, which requires the username, the old password, and the new password as additional options. This command prompts for an access password, but will not prompt for the user's old or new password if you omit them from the command line.

* Typing LOOKUP looks up the IP address of the NetBIOS name you type. Additional options are LDAP, which looks up an LDAP server; KDC, which looks up a Kerberos domain controller; DC, which looks up a NetBIOS domain controller; and MASTER, which looks up a domain's master browser.

* The GETLOCALSID command is unusual because it retrieves information from a local database, in this case the security ID (SID) of the local machine. (The SID is a unique identifier for a user, machine, or domain.)

* You can retrieve a domain’s SID and store it in the local database with GETSID.

* GROUPMAP is unusually complex. It controls the mapping between Unix groups and SMB/CIFS groups. It takes subcommands called LIST, ADD, MODIFY, and DELETE, which perform the specified actions. With most, you must provide additional parameters of the form option=value, where option is unixgroup, ntgroup, rid, sid, type, or comment, and value is a value appropriate for the setting. This command requires administrative privileges on the server to run. An example appears shortly.

* An RPC command, INFO returns assorted information about the server queried, such as its domain, domain SID, number of users, and so on.

* TESTJOIN tests whether your participation in a domain is valid.

* CHANGETRUSTPW changes the interdomain trust password.

* SAMDUMP retrieves the Security Account Manager (SAM) database of the remote server, which can only be run from a BDC or PDC.

* Like its namesake in folklore, VAMPIRE sucks something from another entity, but the thing it sucks is the account database: users, groups, and aliases. This command is run from a BDC and is typically used as part of a procedure to extract a Windows NT domain controller's account database so that a Samba server can take over domain controller duties without having to recreate all the user accounts and passwords.

* An ADS command, LEAVE causes the remote system to sign off of the domain to which it belongs.

* STATUS displays status information on the remote system's machine account. This information is intended mainly for developers; TESTJOIN is more appropriate for typical administrators.

* You can view and modify ADS printer information with PRINTER. Using PRINTER alone displays information on the printer whose name you specify. You can also pass the PUBLISH or REMOVE parameters, which add or remove a printer to or from an AD printer listing, respectively.

* You can perform a standard LDAP search on an AD database with SEARCH, which requires an LDAP search expression as a parameter. Similarly, DN performs an LDAP search on an AD database. You must pass a standard LDAP distinguished name (DN).

* Just type HELP before (or sometimes after) another command to learn more about the specified command.

These commands aren’t case-sensitive, so you needn’t be too concerned with typing everything in uppercase. (This contrasts with the parameters, which are case-sensitive.) Some commands take several subcommands or options, so by the time you type everything in, the command can be quite lengthy.

Examples of net in Use

The preceding listings of options may be overwhelming, and how you combine these commands and parameters may not be entirely obvious. A few examples should help.

First, consider a password change request:

$ net -S penguin PASSWORD tux gr7f1tsy o70bgzw3

This command changes the password for the tux user on the penguin computer from gr7f1tsy to o70bgzw3. After typing this command, you'll be asked for a password. Type the password on the server associated with the account you're using (which need not be the same as the account whose password you're changing). Be aware that both the old and the new password appear on the command line, so they end up in your shell history and are visible to other users in the process list while the command runs; clear the history entry afterward or run the command on a system where that's not a concern.

Another common example of net in use is in joining a domain. You might do this if you’ve set up a Samba server that is not a domain controller, but when you want the system to be part of a domain. The command to do the job might look like this:

$ net -S penguin -U adminuser JOIN

This command joins the local computer to the domain controlled by the penguin computer, using the adminuser administrative account. (Note the uppercase -S, which names the server; lowercase -s would point net at an alternative smb.conf.) To work with a Samba domain controller, you will need to have created an appropriate domain trust account for the machine you're adding, or at least have configured the add machine script option in smb.conf to do the job automatically. After issuing this command, you should be able to set security = domain and associated options in smb.conf to have the server defer to the domain controller for authentication tasks. Before you rely on the join, run net TESTJOIN against the same controller to confirm that the machine account actually works.
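The join described above, wrapped in a small POSIX shell script as an added example (this is not code from the column or from the Samba project). It checks that smb.conf names the target domain, performs the join explicitly over RPC as a MEMBER, and then refuses to report success unless TESTJOIN also passes. The server name penguin, the account adminuser, and the location of smb.conf are assumptions; the NET variable exists only so the script can be exercised without a real domain controller.

```shell
#!/bin/sh
# Added example: join a Samba member server to an NT4-style domain and
# verify the join before trusting it. Not part of the original column.
# Assumptions: the DC is reachable by the name passed as $1, the account
# passed as $2 may create machine accounts on it, and smb.conf already
# contains the "workgroup" (domain) setting.
set -u

NET=${NET:-net}                              # net binary; overridable for testing
SMB_CONF=${SMB_CONF:-/etc/samba/smb.conf}    # assumed location of smb.conf

# smb_param NAME: print the value of a global smb.conf parameter
# (first match, whitespace around "=" and at the end of the line trimmed).
smb_param() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$SMB_CONF" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# verify_join DC: ask the controller whether our machine account is valid.
# Returns net's exit status (0 = the join is good).
verify_join() {
    "$NET" rpc testjoin -S "$1"
}

# join_domain DC ADMINUSER: join as a MEMBER, then confirm with TESTJOIN.
# Exit status: 0 joined and verified, 1 join or verification failed,
# 2 smb.conf is not ready (no workgroup set).
join_domain() {
    dc=$1; admin=$2
    wg=$(smb_param workgroup)
    if [ -z "$wg" ]; then
        echo "smb.conf: set 'workgroup' to the domain name before joining" >&2
        return 2
    fi
    # RPC is named explicitly: this is a Samba/NT4-style domain, not AD.
    # No %password on -U, so net prompts instead of exposing it in ps output.
    "$NET" rpc join member -S "$dc" -U "$admin" || return 1
    if ! verify_join "$dc"; then
        echo "join reported success but TESTJOIN failed; do not set security = domain yet" >&2
        return 1
    fi
    echo "joined domain $wg via $dc; security = domain can now be enabled"
}

# Usage: sh join-domain.sh penguin adminuser
if [ $# -eq 2 ]; then
    join_domain "$1" "$2"
fi
```

The script deliberately keeps the password off the command line and treats a passing JOIN without a passing TESTJOIN as a failure, because a half-created machine account is the usual cause of a server that "joined" but cannot authenticate domain users.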

Yet another use of net is modifying the group mapping database. This database is used to map Unix groups to SMB/CIFS groups. For instance, suppose you want to create a group for summer interns on your domain. You can do so by creating an appropriate Linux group (say, interns) and then running a command like the following:

$ net -S penguin GROUPMAP ADD \
ntgroup="Summer Interns" unixgroup=interns

This command sets up a domain group called Summer Interns and associates it with the Linux group interns. Windows users who are added to this group will create files with interns group ownership on the Linux system, and access files with interns group permissions.
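Mapping commands like the one above are usually run from a provisioning script, and re-running GROUPMAP ADD for a name that's already mapped fails. The following POSIX shell script is an added example (not from the column or the Samba project) that makes the operation safe to repeat: it reads the existing mappings with GROUPMAP LIST, adds the mapping only when absent, refuses to silently remap an NT group to a different Unix group, and checks that the Unix group exists first. It assumes Samba 3's short-form LIST output of one mapping per line as "NT group (S-1-...) -> unixgroup", and that it runs as root on the Samba domain controller, where the mapping database lives; the NET variable and the unix_group_exists helper exist so the logic can be exercised without a live server.

```shell
#!/bin/sh
# Added example: idempotent NT-group-to-Unix-group mapping with net groupmap.
# Not part of the original column. Assumes "net groupmap list" prints one
# mapping per line as "NT group (S-1-5-...) -> unixgroup" (Samba 3 short
# form) and that this runs as root on the Samba DC.
set -u

NET=${NET:-net}    # net binary; overridable for testing

# unix_group_exists NAME: does the Unix group exist on this host?
unix_group_exists() {
    getent group "$1" >/dev/null 2>&1
}

# unix_group_for "NT group": print the Unix group currently mapped to the
# NT group, or nothing if it is unmapped. Parentheses are literal in the
# basic regular expression; the SID is matched loosely as S-<digits and dashes>.
unix_group_for() {
    "$NET" groupmap list | sed -n "s/^$1 (S-[0-9-]*) -> //p" | head -n 1
}

# ensure_groupmap "NT group" unixgroup
# Exit status: 0 if the mapping exists or was created; 1 if the Unix group
# is missing or the NT group is already mapped somewhere else.
ensure_groupmap() {
    nt=$1; ug=$2
    if ! unix_group_exists "$ug"; then
        echo "Unix group '$ug' does not exist; create it before mapping" >&2
        return 1
    fi
    cur=$(unix_group_for "$nt")
    if [ -z "$cur" ]; then
        # type=domain makes it a domain group rather than a local alias
        "$NET" groupmap add ntgroup="$nt" unixgroup="$ug" type=domain
    elif [ "$cur" = "$ug" ]; then
        echo "'$nt' is already mapped to '$ug'"
    else
        # Remapping changes who can read every file owned by $cur; make the
        # admin do that explicitly with GROUPMAP MODIFY instead.
        echo "'$nt' is mapped to '$cur', not '$ug'; refusing to change it" >&2
        return 1
    fi
}

# Usage: sh ensure-groupmap.sh "Summer Interns" interns
if [ $# -eq 2 ]; then
    ensure_groupmap "$1" "$2"
fi
```

Refusing to remap an existing NT group is the conservative choice: a domain group maps to Unix file permissions on the server, so quietly pointing "Summer Interns" at a different Unix group would change which files the interns can read.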

Overall, the net command is a powerful tool for server and domain management. It's responsible for some of Samba 3.0's improved domain integration features, and net will undoubtedly become more powerful and important in the future.

Learning to use this command will serve you well in managing Samba servers and clients.

Roderick W. Smith (rodsmith@rodsbooks.com) is the author or co-author of twelve books, including Advanced Linux Networking and Definitive Guide to Samba 3.
