John H. Terpstra, site expert
While there are many tasks that can be performed from a command line, we no longer live in the Dark Ages, back when there were no graphical user interfaces (GUIs). There are graphical tools that can be used to manage Samba across a large corporate network. This tip addresses that subject. Are you ready?
Where eagles soar
Explore remote management options, and you'll find that neither free nor commercial Windows network management tools suit all IT shops' needs. There are no silver bullets. If your goal is to find a universal network management tool that will permit you to meet all site needs, no matter what, the news is not too bright.
While your thoughts may have been to soar with the eagles, you may have to content yourself with a more mundane solution. On the other hand, if your objective is to find a tool that may save a little hassle and make it possible for you to delegate some tasks to departmental managers, there is some good news.
Basic management tools
The Samba PDC (primary domain controller) configuration that was used in the last tip is rather simple. It uses the tdbsam binary database to store the sambaSamAccount information.
The tdbsam passdb backend is unsuitable for use with a backup domain controller (BDC). Unix user and group accounts must be resolvable either from the /etc/passwd and /etc/group system account files or via the name service switch (NSS) facility.
The fact that tdbsam does not permit operation of the PDC with a BDC means that this back end is limited to those sites that either have few users or many potential users at one location. The largest site I know that uses the tdbsam back end has 4,500 users. This back end can be used where the network is multi-segmented, but then fast WAN bandwidth is essential; otherwise, the infrastructure would collapse as a result of network logon failures.
With these provisos out of the way, let's consider remote network administration needs. Where this type of network configuration is in use, the most likely need is to permit delegation of the ability to join workstations to the network as well as user and group accounts. If care and attention is given to the design of file storage layout, it may not be necessary for departmental or divisional managers to create, delete or change share configurations.
In this situation, the Windows NT4 Domain User Manager will most likely be a sufficient tool for remote network management of users and groups. The NT4 Domain Server Manager, or the MMC Computer Management Console, could be used to administer shares and computers.
The NT4 Domain User Manager
In Figure 1, the Domain User Manager could be used to make Alex Monteiro a member of an additional group. It can also be used to change the primary group he belongs to. This is an example of a user account change.
Figure 1: Changing group membership
Figure 2 demonstrates the ability, using the NT4 Domain User Manager, to change the users who are members of a particular group.
Figure 2: Manipulation of group membership
It is increasingly necessary to limit user network access times and days. Figure 3 illustrates the capability to do this using the Windows NT4 Domain User Manager. This screen is accessed by clicking on the user account that must be managed.
Figure 3: Setting network access time limits
Domain access policies can also be set using the NT4 Domain User Manager. An example of policy setting is shown in Figure 4.
Figure 4: Domain access policy setting
Using the NT4 Domain Server Manager
The NT4 Domain Server Manager can be used to manage domain computer accounts, access controls on shares (share level ACLs) and to create shares. The example shown in Figure 5 demonstrates the settings of share level ACLs. In NT4, this is referred to as the setting of Share Permissions. The Share Permissions configuration acts as a filter that controls who can connect to the share. This ACL information is stored in the Samba file /var/lib/samba/share_info.tdb; it is not set in the smb.conf file.
Figure 5: Managing Share Permissions (ACLs)
A share can also be created using this tool. For that operation to work, the smb.conf file must define the script that should be called to add, change or delete a share. Example scripts are provided in the Samba source code tarball in the examples/scripts/share directory.
Figure 6 demonstrates the use of the NT4 Server Manager tool to create a new share. The example scripts that are included with Samba-3 DO NOT automatically create the new directory; that is a responsibility the administrator must take care of either before or after creating the share.
Figure 6: Adding a new share
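As an added illustration of the share-creation hook described above (this is not one of the scripts shipped in the Samba tarball), the following hypothetical add share command handler receives the arguments Samba passes (config file, share name, path, comment, max connections), validates the remotely supplied name and path, strips newlines from the comment so a crafted comment cannot inject a second stanza into smb.conf, and, unlike the Samba-3 example scripts, creates the directory itself. The SHARE_BASE tree and the 2770 mode are assumptions for this example.

```shell
#!/bin/sh
# Hypothetical 'add share command' handler (example code, not Samba's own).
# Samba runs it as: add_share.sh <configfile> <sharename> <path> <comment> <maxconn>
# Assumption: every share must live below SHARE_BASE.
SHARE_BASE="${SHARE_BASE:-/data}"

valid_share_name() {
    # Letters, digits, underscore and hyphen only; this keeps the name safe
    # to embed in both the [stanza] header and the grep pattern below.
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

valid_share_path() {
    # Must be absolute and under SHARE_BASE, with no '..' components
    # and no whitespace (a newline here would also break the config).
    case "$1" in
        "$SHARE_BASE"/*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        */../*|*/..|*[[:space:]]*) return 1 ;;
        *) return 0 ;;
    esac
}

share_exists() {
    # $1 = config file, $2 = share name (already validated)
    grep -q "^[[:space:]]*\[$2\][[:space:]]*\$" "$1" 2>/dev/null
}

add_share() {
    conf=$1; name=$2; path=$3
    # Drop CR/LF from the comment: it is written verbatim into smb.conf.
    comment=$(printf '%s' "$4" | tr -d '\r\n')
    valid_share_name "$name" || { echo "bad share name: $name" >&2; return 1; }
    valid_share_path "$path" || { echo "path not under $SHARE_BASE: $path" >&2; return 1; }
    share_exists "$conf" "$name" && { echo "share already exists: $name" >&2; return 1; }
    # Create the directory (the stock example scripts leave this to the admin).
    mkdir -p "$path" && chmod 2770 "$path" || return 1
    printf '\n[%s]\n\tpath = %s\n\tcomment = %s\n\tread only = no\n' \
        "$name" "$path" "$comment" >> "$conf"
}

# Samba supplies the arguments; with none (e.g. when sourced) only the
# functions above are defined.
[ "$#" -ge 3 ] && add_share "$@"
```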
The Windows XP MMC Computer Management Console
The Windows 2000/XP Professional MMC Computer Management Console can be used to manage share level ACLs as well as file system permission settings. The use of this tool to create a new share is shown in Figure 7.
Figure 7: Use of the MMC Console to create a new share
In Figures 6 and 7, it should be noted that the Samba UNIX path must be entered using Windows file system semantics. The path c:\data\archive will be automatically converted to the Unix semantics /data/archive/.
So far, it has been demonstrated that a Samba domain can be managed using the NT4 Domain User Manager and the NT4 Domain Server Manager. At this time, it is necessary to point out that these tools have their limitations when used from Windows 2000 or Windows XP Professional. That limitation is brought about because Microsoft has changed the underlying remote procedure call architecture in these products so that these tools can no longer be used to manage user rights and privileges from the later generation Windows platforms.
The NT4 Domain Management tools can be obtained from Microsoft's Web site. Just search for SRVTOOLS.EXE, download them and execute the file in the directory in which you want them to be installed.
There exists an equivalent tool called the Nexus Toolkit that can be installed on a Windows 9x/Me client. This tool can be used to manage all settings including user rights and privileges.
The NT4 Domain User Manager and the NT4 Domain Server Manager can be used regardless of the passdb backend that Samba is using. However, sites that are using an LDAP directory to store and manage network users and groups will almost certainly want an LDAP directory management tool that manages the LDAP directory more directly.
Administrative tool preferences are particularly personal. I have met administrators who prefer to use Webmin to manage the Samba configuration, user and group management.
There do not seem to be many today who make use of Samba's SWAT (Samba Web Administration Tool). SWAT was originally developed for the Samba-2 series.
LDAP Directory Managers
Just mentioning an LDAP directory browser is often enough to evoke a reaction. That is really just too bad, because directory browsers serve a very useful purpose, particularly for those who have a profound appreciation for the power they offer. Admittedly, not all LDAP browsers are created equally!
You may wish to check out the full range of open source offerings, or you may simply prefer to purchase a commercial tool set; the choice is yours. The following are LDAP directory browsing tools I find useful:
| Name | Source URL | OS Platform | Language |
| LDAP Admin | http://ldapadmin.sourceforge.net/ | Win32 | Native EXE |
| Directory Administrator | http://diradmin.open-it.org/ | Linux + BSD | C |
| GQ | http://sourceforge.net/projects/gqclient | Linux + BSD | C |
Of the above, it would appear that GQ and Directory Administrator are no longer actively maintained. GQ is current in its architecture, but Directory Administrator does not fully support recent releases of OpenLDAP. The other tools are currently active projects.
There are many other choices in LDAP directory browsers. But as useful as they are to the administrator who manages LDAP directories that span a complex array of services and purposes, the use of a more work-flow or task-oriented tool is often preferred.
There are three tools that outshine the rest where it pertains to managing a Samba-3+ LDAP environment:
| Name | Source URL | OS Platform | Language |
| LAM (LDAP Account Manager) | http://lam.sourceforge.net/ | Web server | PHP |
| IMC (Idealx Management Console) | http://imc.sourceforge.net/ | Web server | Perl |
The LDAP Browser can be used to view and edit directory information, as is shown in Figure 8. The LDAP Browser lacks the facility to perform standard account operations without exposing information that a human resources manager or a departmental head would not need to know.
Figure 8: LDAP Browser showing a user account
Compared to the LDAP Browser, the LDAP Admin tool for MS Windows skillfully bridges both worlds. It looks and feels like LDAP Browser, but has added utilities that are more task-focused. Figure 9 provides a basic overview of what this tool looks like; but in Figure 10 you can see how it adds the nice touch of removing the complexity of having to deal with specific LDAP entities when adding a user account. It has this same smart touch for all management tasks.
Figure 9: LDAP admin basic view
Figure 10: LDAP admin create new user account
Although these tools look neat, they are oriented towards the more technically-competent directory administrator. There are a few tools that are designed to remove the appearance of being for the LDAP guru and that have a stronger task orientation. One example is LAM, the LDAP Account Manager. An example showing a partial list of users is given in Figure 11.
Figure 11: LDAP account manager user list
On the other hand, if you are using Samba-3 + LDAP, and have chosen to use the Idealx smbldap Perl-based scripts to permit Samba to interface with the LDAP directory, you may choose to use the Idealx Management Console with the SambaConsole plug-in. Figure 12 presents a typical IMC console.
Figure 12: IMC user account console
It is good to see the number of companies that are providing tools and utilities to ease and facilitate the deployment and management of Samba-3. If your interest is in finding commercially-supported and/or commercial tools, check the Samba Website's vendors section and the GUI section.
A detailed overview has been provided demonstrating how Samba-3 can form part of a fully integrated network management infrastructure. The series of articles now completed has shown how Samba-3 users and groups and Windows clients can be fully integrated. The documentation explained how security identifiers are handled across the disparate platforms, how user rights and privileges are implemented using Samba-3, the use of basic command-line management and configuration tools, how to create a basic smb.conf file for a PDC, and how it is possible to manage the whole show using some simple as well as sophisticated GUI tools. Enjoy!
To those who have provided feedback, I offer a world of thanks.
This article originally appeared on SearchOpenSource.com.
About the author: John H. Terpstra is chief technology officer at PrimaStasys Inc., and a member of SearchOpenSource.com's Editorial Advisory Board. He is author of the new books, Samba-3 by Example: Practical Exercises to Successful Deployment, 2nd Edition and The Official Samba-3 HOWTO and Reference Guide, 2nd Edition.