If you recently switched from Microsoft Windows to one of those shiny new, uber-geek 27" iMacs like I have, and your loved ones or roomies are still running Windows boxes but you still want them to access your shares like movies, music and files, then you have a problem.
Yes, although Microsoft has officially fallen behind Apple in computing, there are people out there who have not made the switch to the new No.1 yet. And for those Windows users in your network we have to emulate Windows' proprietary Server Message Block protocol, called SMB.
If you think Windows speaks Unix, you obviously overslept the last 30 years of Microsoft's "competitive strategy", so it all boils down to how well your Mac (read: Unix) can speak Windows. As it turns out it can't, because Microsoft doesn't like Unix. They want competition to stay out of Windows.
That is why the European Union made Microsoft let others use their network protocols by law. In 2007 the European Court of Justice forced Microsoft to work together with the Samba Project and the Protocol Freedom Information Foundation. Just some hard facts for all you Microsoft fanboys out there.
"The agreement allows us to keep Samba up to date with recent changes in Microsoft Windows, and also helps other Free Software projects that need to interoperate with Windows"
Andrew Tridgell (creator of Samba)
So thanks to good ol' Europe, Windows users are allowed to surf your Mac shares. Oh the irony. Enough politics, let's get our hands dirty with yummy Information Technology stuff. The following tutorial should help you to achieve your goal of free and enjoyable Operating System interoperability.
We will achieve this by setting up something called User Level Security with encrypted passwords. Samba can also emulate a fully functioning Windows Domain Controller and can verify credentials against a Microsoft Kerberos Password Server, but since we only want basic security, User Level Security will do.
Let's start on your Mac and go to your System Preferences Dock Icon, then click Users and add the exact same username you are using on your Windows Box.
Now open three terminals on your Mac and put them next to each other.
In the first one enter:
mac:~ user$ tail -f /var/log/samba/log.smbd
This is some Unix trickery to make sure you monitor any attempts to access your Mac Computer while you fiddle with this tutorial.
In the second terminal hack:
mac:~ user$ chmod -R 754 theShareDir
Here theShareDir should equal the directory you want to share with Windows. The value 754 means full rights for the owner, and read and execute rights for the group, which your freshly created user should be part of. The last number grants read rights for others. You could use a zero in order to be absolutely strict here and deny access to unauthorized users.
There are chances you will need admin rights to perform the previous action. In order to gain admin rights, elevate your user with sudo.
mac:~ user$ sudo chmod -R 754 theShareDir
If you did not modify your user account to work with sudo yet this is a good time to do so by adding your main user to the sudoers file with
mac:~ user$ sudo visudo
Add this line:
username ALL=(ALL) ALL
Leave the terminal open in case you need to modify more rights.
In the third terminal we will do the main task and modify the Samba configuration files. Let us start by typing in
mac:~ user$ sudo vi /private/etc /smb.conf
Omit the space after /etc. When I put a slash behind etc I got a 501 from Apache when publishing this post. Anyway, I prefer vi for editing files since I invested time to learn it and then it rocks in my opinion.
Check out this cheat sheet of vi:
Pretty nice eh? Back to work, let's make sure you have
set to yes since we want Samba to emulate Windows password hashes at least in versions greater than Windows 95.
Also set wide links to yes, in case you have symbolic links in your shares. I set browsable to yes, in order to browse shares via Windows' Network Places icon, although that option did not work.
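With wide links enabled, a symbolic link inside a share can point to files outside the shared directory, so it is worth knowing which links do. The following script is an added example, not part of the original post; it lists such links, and the directory tree built in demo() is constructed sample data.

```shell
#!/bin/sh
# Added example: list symlinks in a share that resolve outside the shared tree.

# Print the physical path a (possibly chained) symlink finally points to.
resolve() {
  p=$1 n=0
  while [ -L "$p" ] && [ "$n" -lt 40 ]; do        # cap hops to stop link loops
    t=$(readlink "$p")
    case $t in /*) p=$t ;; *) p=$(dirname "$p")/$t ;; esac
    n=$((n + 1))
  done
  if [ -L "$p" ]; then return 1; fi               # still a link: loop
  if [ -d "$p" ]; then (cd -P "$p" && pwd -P); return; fi
  d=$(cd -P "$(dirname "$p")" 2>/dev/null && pwd -P) || return 1
  printf '%s/%s\n' "${d%/}" "$(basename "$p")"
}

# Print "link -> target" for every symlink under $1 that leaves $1.
escaping_links() {
  share=$(cd -P "$1" && pwd -P) || return 1
  find "$share" -type l | while IFS= read -r link; do
    if target=$(resolve "$link"); then
      case $target/ in
        "$share"/*) ;;                              # stays inside the share
        *) printf '%s -> %s\n' "${link#"$share"/}" "$target" ;;
      esac
    else
      printf '%s -> (unresolvable)\n' "${link#"$share"/}"
    fi
  done
}

# Constructed sample tree: one link stays inside the share, two leave it.
demo() {
  tmp=$(mktemp -d) || return 1
  mkdir -p "$tmp/share/music" "$tmp/private"
  echo "tax return" > "$tmp/private/notes.txt"
  echo "la la" > "$tmp/share/music/song.txt"
  ln -s music/song.txt "$tmp/share/favourite"
  ln -s "$tmp/private/notes.txt" "$tmp/share/notes"
  ln -s ../../private "$tmp/share/music/more"
  escaping_links "$tmp/share" | sort
  rm -rf "$tmp"
}
demo
```

To check a real share, call escaping_links with its path, for example the directory used as theShareDir above.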
Now if we want to give your new Windows user access to his own home directory on the Mac we have to add a homes section. I found this option to be extremely useful. The Windows user would have write access to his public folder on my iMac and even my Mac admin user is not allowed to view his files. I would have to elevate to root first. Now - that's some serious UNIX security there.
[homes]
comment = Home Directory
browsable = Yes
read only = No
create mask = 0750
directory mask = 0750
acl check permissions = no
nt acl support = no
The read only option is set to No in order for the Windows user to have write access to his home directory located on your Unix filesystem.
The create mask sets the default rights that files are given when the Windows user creates new files. The rights for created directories are defined by the directory mask parameter. The last two lines disable the use of Windows Access Control List permissions.
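A quick check of the settings this tutorial changes, as an added example that is not part of the original post: the awk script parses smb.conf-style text and reports wide links, read only and the two masks per section. The sample config is constructed from the [homes] section above; placing wide links under [global] is an assumption.

```shell
#!/bin/sh
# Added example: report the smb.conf settings this tutorial touches.
audit_smb_conf() {
  awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    BEGIN { sec = "(none)" }
    /^[ \t]*$/ || /^[ \t]*[#;]/ { next }             # blank lines and comments
    /^[ \t]*\[.*\][ \t]*$/ {                          # section header, e.g. [homes]
      sec = trim($0); sec = tolower(substr(sec, 2, length(sec) - 2)); next
    }
    {
      eq = index($0, "="); if (eq == 0) next
      key = tolower(trim(substr($0, 1, eq - 1))); gsub(/[ \t]+/, " ", key)
      val = tolower(trim(substr($0, eq + 1)))
      if (key == "wide links" && val ~ /^(yes|true|1)$/)
        print sec ": wide links = " val " (symlinks may lead outside the share)"
      else if (key == "read only" && val ~ /^(no|false|0)$/)
        print sec ": read only = " val " (share is writable)"
      else if (key == "create mask" || key == "directory mask") {
        other = substr(val, length(val), 1)         # last octal digit = others
        note = (other == "0") ? "no access for others" : "others keep access"
        print sec ": " key " = " val " (" note ")"
      }
    }
  ' "$@"
}

# Constructed sample: the [homes] section from this post plus an assumed
# [global] line for wide links.
sample_conf() {
  cat <<'EOF'
[global]
  wide links = yes
; section below as given in the tutorial
[homes]
  comment = Home Directory
  browsable = Yes
  read only = No
  create mask = 0750
  directory mask = 0750
EOF
}

sample_conf | audit_smb_conf
```

Pass a file name instead of piping to audit a real config, such as the /var/db/smb.conf mentioned below.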
Now save the file and do a
mac:~ user$ sudo cat /var/db/smb.conf
There you have it! You will see what directories are currently being shared by Samba. This is most important. By the way, if you came this far, you earned yourself the Meshfields Certified Unix Administration badge. I will get back to you on that one.
We will add the directory of our liking via the Mac system configuration dock icon to give us a well deserved break from the terminal.
Activate sharing of files there. Add the directories you want to share with the little plus icon. Then add the user we created earlier. The Mac OS X username and password (the so-called credentials) used here must be identical to the Windows username in order for Samba to verify the Windows user's credentials against its own internal database.
Let's finish this, we are almost there. Wait one minute in order for Samba to reload its config file. To force this you could send a SIGHUP to the Samba daemon with
mac:~ user$ sudo kill -1 PID-of-smbd
Put in the PID of the Samba daemon; you can find it by typing in top. The abbreviation PID stands for Process ID, in case you wonder.
After all this fiddling it is a very wise choice to let Windows do what it does best since the dawn of DOS 1.25: reboot. As we all know, Windows likes rebooting like a little cat likes playing with a ball of wool.
Yes, you could restart the network stack, but let me save that for another blog post. Now in Windows right-click on
My Computer -> Map Network Drive
If you are new to Windows Networking read this: KB 308582
Well done! You now possess a fully working interoperable network without any DNS server or other expensive hardware. And it's secure too. Whether this worked out for you or not, I would like to hear about the outcome or any suggestions in the comments.