Samba and UFW

Earlier today, I found myself frustrated because I could not see my Samba shares when browsing my network in Nautilus. It turned out to be a firewall issue.

From The Official Samba 3.2.x HOWTO and Reference Guide:

Many people use a firewall to deny access to services they do not want exposed outside their network. This can be a good idea, although I recommend using it in conjunction with the above methods so you are protected even if your firewall is not active for some reason.

If you are setting up a firewall, you need to know what TCP and UDP ports to allow and block. Samba uses the following:

Port 135/TCP - used by smbd
Port 137/UDP - used by nmbd
Port 138/UDP - used by nmbd
Port 139/TCP - used by smbd
Port 445/TCP - used by smbd

The last one is important because many older firewall setups may not be aware of it, given that this port was only added to the protocol in recent years.

When configuring a firewall, the high order ports (1024-65535) are often used for outgoing connections and therefore should be permitted through the firewall. It is prudent to block incoming packets on the high order ports except for established connections.

In order to open these ports, you must run the following commands:

sudo ufw allow proto tcp to any port 135 from 192.168.1.0/24
sudo ufw allow proto udp to any port 137 from 192.168.1.0/24
sudo ufw allow proto udp to any port 138 from 192.168.1.0/24
sudo ufw allow proto tcp to any port 139 from 192.168.1.0/24
sudo ufw allow proto tcp to any port 445 from 192.168.1.0/24

Of course, you should replace 192.168.1.0/24 with the appropriate IP/CIDR subnet for your network.

Generally speaking, I find it useful to add rules by service whenever possible. For example, if I want to open up ports for AOL/AIM, I can add this rule:

sudo ufw allow aol

The syntax is much less verbose and thus easier to remember. You can see a list of all service names by doing

less /etc/services

Not everything will be listed, but most common services are.

Samba Server

A few weeks ago, I decided I would make my Linux box the file server for my network. Since shared files and folders must be accessible from Windows and Mac machines, Samba seemed like the best cross-platform solution.

The installation turned out to be a relatively painless process. Here's how I did it on Ubuntu Dapper.

First we need to install a couple of packages:

sudo apt-get install samba smbfs

I'm not positive that smbfs is required for the Samba server, but most guides recommend it. So I'll follow their lead.

A vanilla install of Ubuntu should be properly configured for Samba, so there's not much else to do besides add to the list of Samba users. In the second line, you may replace sudo with gksudo if you prefer one of the GTK editors, like gedit. There may be an analogous command for KDE apps, but I rarely run them as superuser, so I wouldn't know.

sudo smbpasswd -a system_username
sudo vi /etc/samba/smbusers

where system_username is the user you wish to add as a Samba user. You will be prompted to create a password. This is the password the user will use to connect to Samba shares.

We must add the following line to /etc/samba/smbusers:

system_username = "network username"

Note you may make the network username different from the system username. There are a variety of reasons you might do this. For example, the user may have a different name on the machine from which he will connect to the Samba shares. You might alternately designate a unique username as a security measure.

To set up your Samba shares, you must either edit /etc/samba/smb.conf by hand or install SWAT, which supposedly does the dirty work for you. Either way, the lines you add to the file should look something like this:

[music]
  path = /windows/Music
  browseable = yes
  writeable = yes
  valid users = jlz27
  admin users = jlz27

I'm typing this from my PowerBook, running Mac OS X 10.4.10, while connected to one of the Samba shares. So it definitely works.

Thanks, Jörg Höhle!

Count on a guy with umlauts in his name to find a fix for the problem with displaying special characters in filenames, mentioned in my previous entry on Samba. Here's the bug report he submitted:

Hi,
The Gnome desktop network mounter, the smbclient and a native MS-Windows-2k manage to display Umlaute in filenames from a Linux Samba server just fine.
Using smbmount however, an ls command merely displays "?" in lieu of the Umlauts in concerned filenames.

Trying out many combinations of iocharset and codepage options I finally got Umlaute to display fine as follows:
mount -t smbfs -o username=xyz,uid=hoehle,gid=hoehle,file_mode=0640,codepage=cp437,
iocharset=utf8 //10.0.0.79/hoehle /mnt/samba
which seems equivalent to:
smbmount //10.0.0.79/hoehle /mnt/samba -o username=xyz,uid=hoehle,gid=hoehle,file_mode=0640,codepage=cp437,
iocharset=utf8

codepage=utf8,iocharset=utf8 produces :x84 :x9a for some umlauts in ls output.
codepage=iso8859-1 produces :0084 :009a instead.
codepage=cp437, utf16 or utf-16 produce "?" instead.

codepage=cp852,iocharset=utf8 finally works.
codepage=cp437,iocharset=utf8 also works.
Note that the iocharset option must be given as well.

man mount on fat says: "By default, codepage 437 is used."
For consistency, I'd expect similar defaults with smbfs.
Similarly, I'm quite surprised that iocharset=utf8 is needed. I'd thought most Linux software did the transition to UTF-8 these days (since Hoary, Warty was not fully there).

smbfs should be as easy to use and provide similar defaults as all of smbclient, the Gnome desktop and MS-Windows do.

Affects: Dapper with http://wiki.ubuntu.com/LaptopTestingTeam/
FujitsuLifebookC1110

Regards,
Jörg Höhle

In case you didn't read the whole report, I'll sum it up. If you mount your share with the options codepage=cp437,iocharset=utf8, for example, special characters like the umlaut will display correctly.

I used codepage 437 because it's the default for FAT and VFAT filesystems. I haven't tested it with codepage 852 nor do I plan to do so.

If you have success with another codepage option, I invite you to post your experience here so other readers may benefit from your efforts.

Só Danço Samba

I ought to mention that I've successfully mounted Windows shares using the following form:

sudo mount -t smbfs //HOSTNAME/SHARENAME /MOUNTPOINT

That's the Server Message Block (SMB) file system, which is what modern Windows OSes use to share files and printers. So if you wanted to mount a share called "Music," located on a server with IP address 192.168.1.100, to local directory /media/Music, you would enter

sudo mount -t smbfs //192.168.1.100/Music /media/Music

and then you'll be able to access the files as though they were stored locally. Don't expect playback of high-quality video files to go smoothly, though. It's like streaming without a buffer, so you'll probably drop a lot of frames. For almost anything else, it's great.

Mac OS X can mount shares from the Finder GUI. Go → Connect to Server… or the ⌘K shortcut opens a window that will let you specify a server address. You can also bookmark frequently used servers. To connect to the server from our previous example, you would type smb://192.168.1.100 and click Connect. In my experience, you can also use the computer name. My Windows file server is named "cryptkeeper," so I connect using smb://cryptkeeper, which defaults to the guest account. If you want to specify a user account for login, use smb://USERNAME@HOSTNAME instead.

(Note that you must create the local directory before mounting the share. The mount command won't create it automatically.)

I still need to play around with the mount options, since Ubuntu doesn't seem to recognize the accented letters in certain filenames, e.g., Hüsker Dü, Múm, Röyksopp. Maybe it would help to mount the share with a different character set; UTF-8 springs to mind. I'll probably have to use smbmount if I want to do that, though. I seem to remember reading that mount doesn't actually know anything about smbfs. If I find more info on this, it will be posted here.

Dapper worthy of long-term support

I decided to upgrade my desktop OS to Ubuntu 6.06 LTS "Dapper Drake." The LTS stands for long-term support. That is, Canonical has pledged to provide support for Dapper for three years from its release date. I guess, with Dapper, they knew they had a keeper.

Set aside for a moment the fact that the install CD includes a video of an interview with Nelson Mandela, in which he expounds on the meaning of "ubuntu." It's over the top, if you ask me.

This is solid distro. The CD includes all the necessary packages for a working GNOME desktop environment, plus a wisely limited selection of popular applications. This design decision stands in sharp contrast to the one manifest in Debian, in which the list of basic desktop packages is horribly bloated. (That this is a long-standing criticism of Debian doesn't make it less valid.) I was pleasantly surprised to find that Ubuntu installed the desktop environment and only a small handful of applications, giving me the opportunity to choose what else, if anything, to install.

What's more, the hardware detection went almost flawlessly. I added aic7xxx=no_probe to the boot options, and it "just worked." I didn't even have to edit my xorg.conf with the horizontal sync and vertical refresh rates. The optimal settings for my monitor, a Dell 1703FP, are 1280 x 1024 @ 60Hz. It's set at 75Hz, but I'm fine with that.

It was also easy to add repositories. I went to UbuntuGuide.org and overwrote my sources.list with the one provided there. It worked like a charm; I got all the packages I needed and then some.

Last but not least, I can access the shared files/folders on the other desktop on our network, which runs Windows XP. I connect to smb://guest@HOSTNAME/SHARENAME. The hostname can be replaced with the server's IP address. This has been reported to work in some situations where the hostname isn't recognized. It works both ways on my network. There must be a way to connect using a password-protected account, but I haven't investigated this thoroughly.

So I'm feeling quite satisfied. However, to be fair, I do have a small handful of grievances with this release, which I may as well air here (in bullet points because I'm short on time):

• I didn't see option to set the root password during the install process. I need to look into this because I'm worried the default is something asinine like "admin". Luckily the installer adds your first user account to the list of sudoers, so you're still able to edit system internals.
• If you decide not to partition your hard drive manually, the automatic partitioning scheme available puts everything—except the swap, of course—on a single ext3 partition. By contrast, Debian lets you choose between three schemes: a single partition, a separate home partition and separate partitions for almost everything.
  
• The Ubuntu splash screen displays at some weird resolution, like 720 x 400. It doesn't seem to matter how you tell the live CD to set it. If you can specify a resolution for the splash when running from the CD, there must be a way to do it when running from the hard drive. This is a relatively low priority, though.
  
• Emacs still isn't included in the desktop packages. This is an almost trivial issue, but one that continues to irk me.

With any other release, there would be many more bullets above. I'd say that's a strong argument in favor of Dapper and its potential for longevity.

Image from Nuxified.org

Mounting a FAT partition in Ubuntu

Having a FAT32 partition to allow read/write access from both Windows and Linux can be extremely useful. Windows XP makes accessing the partition easy, since the OS mounts all available drives on login. Ubuntu, by contrast, will not mount the partition unless specifically instructed to do so. You could do this manually every time you start a new session, but I wouldn't recommend it. The addition of one line to /etc/fstab tells Ubuntu to automatically mount the FAT32 partition at the start of a new session. I made a backup copy of /etc/fstab before editing it.

$ sudo cp /etc/fstab /etc/fstab.bak
$ sudo gedit /etc/fstab

I opened a different terminal tab (Ctrl+Shift+T) and looked up the device name for the partition.

$ sudo fdisk -l

That's an L, as in Lima. Then I added the following line to the end of the file.

/dev/hda5 /media/windows vfat user,iocharset=utf8,umask=000 0 0

With this change, Ubuntu will mount /dev/hda5 to /media/windows and make it visible in computer:/// each time the OS boots. iocharset and umask determine the character set and permissions of the partition respectively. Note that some Linux distros won't allow you to mount a FAT32 partition with the UTF-8 character set because it makes file names case sensitive. Ubuntu displays a warning but doesn't stop you. I wanted to verify that the change had the desired effect without rebooting.

$ sudo mount -a

If I had entered sudo -s -H at the start of the process, I would have been running the commands as root user and would not have had to preface each one with sudo. I personally dislike switching to root unless absolutely necessary. As root user, minor typos can spell major problems.

What do we have in store for the next episode of Live Gnude Girls?

• Install missing plug-ins for mozilla-firefox.
• Optimize NVIDIA performance.
• Import my music collection—in Ogg Vorbis whenever possible.
• Install the necessary libraries for DVD playback.

In the meantime, I ought to get some rest.

Inaugural Address

When I started using GNU/Linux it didn't take long to realize it's best to keep a record of all changes I make to my OS. So I created this blog. If I do something that breaks my installation, it may enable me to undo the damage. Since I just reformatted my hard drive and effectively started from scratch, this seems like a particularly opportune time. Let's take inventory.

• Microprocessor: Intel® Pentium® 4 3.00GHz
• Memory: 1GB PC3200 400MHz DDR SDRAM*
• Chipset: Intel 865G
  
• Hard Drive: Western Digital® Caviar® WD800BB 80GB 7200 RPM
• Optical Device: Samsung CDRW/DVD SM-348B
• Removable Media: 3.5" Floppy Drive
• Audio: Integrated AC '97 Audio
• Video: 64MB NVIDIA^TM GeForce4® MX 440 AGP 8x*
• Monitor: Dell 1703FP
• Network Interface: Intel 82540EM Gigabit Ethernet

* Not original hardware

Now let's check out the partition table.

Device	Boot	Start	End	Blocks	Id	System
/dev/hda1		1	5	40131	de	Dell Utility
/dev/hda2	*	6	5227	41945715	7	HPFS/NTFS
/dev/hda3		5228	9172	31688212+	f	W95 Ext'd (LBA)
/dev/hda4		9173	9726	4450005	83	Linux
/dev/hda5		5228	9143	31455238+	b	W95 FAT32
/dev/hda6		9144	9172	232911	82	Linux swap / Solaris

I've always assumed the Dell Utility partition has the potential to perform some important function, so I never mess with it when I reformat. All the other partitions are fresh. Windows XP requires a large (40.0GB) NTFS partition. The OS is relatively compact, but Windows applications tend to be space hogs. I booted from the Windows CD (F12 at the BIOS splash screen) and created and formatted the necessary partition. Then I ran Windows to install drivers and essential applications. I also used the Disk Management utility to create an extended partition with one 30.0GB FAT32 logical drive and roughly 4.5GB of unpartitioned space. It was time to install Ubuntu Linux 5.04, my weapon of choice. I booted from the Ubuntu CD and ran the installer with the default options. Surprise! The installer seems to have detected all the hardware without my help. That's quite a relief.

In our next episode, I will attempt to get this battle station fully armed and operational.