Configuring Samba

DevynCJohnson

A Samba server is a Linux system that provides the SMB and CIFS networking protocols as well as various services. With the many provided services and features, admins will need to configure the server for their needs. Understanding how to configure Samba and the various options will help an admin quickly configure the system.

The configuration file for the Samba server is usually /etc/samba/smb.conf. This configuration file uses "#" and ";" as comment markers. So, placing a comment mark in front of a setting will make the setting use the default or not be set.

To configure Samba, edit the config file directly or use a GUI frontend. Two examples of GUI frontends include "system-config-samba" (the package name) and Gadmin. "system-config-samba" uses a simple interface while Gadmin is more advanced and offers more choices.



Various headers are used in the configuration file. The settings under/below a heading apply to the named object. "[global]" contains settings that pertain to the Samba server and services in general. The other headings are specific to various shares that the server offers. Some optional headers that do not pertain to shares include "[homes]" and "[printers]".

The "[homes]" header is used to provide the user with their home folder. The home folder can be on the server or the user's local home directory on the client machine. For example, when logging in from a dummy-terminal (a computer with a monitor and input devices), the user can access their home folder that is on the server. Alternately, on a regular/complete computer/client the server can point to the user's home folder that is on the client or give the user another home folder that is on the server. For illustration, the server may be set to give users a home folder that is on the server, but the users already have a home folder on the client. Thus, the client-side home files are only accessible on that particular client machine. Users that log in to another machine can still access the "global home directory" provided by the server. This is helpful to admins or IT Support Technicians that may need to use a client that they normally do not use (maybe to fix the client machine).

WARNING: For security purposes, do not allow guest access to the "homes" share, or else anyone can access the files of any user's home directory.

The printer-sharing services are controlled with the settings under the "[printers]" header/section. When specifying a path, point to a spool directory with an active sticky-bit.

The settings are on the lines after a specified header and are in the form "OPTION = VALUE". Use one option per line; the value must be on the same line as the option. However, using a backslash (\) allows the next line to be used as if it were the same line as above. Using the backslash in this configuration file is the same as using it in a terminal. Indentation and line spacing are purely optional. The options and values are case-sensitive and must be typed correctly. Otherwise, a syntax error will occur or a warning will be generated.

Under the global header, admins will likely see the following settings.

invalid users - List the users/processes that may not access Samba's services and shares. Some admins list various daemons.

admin users - List the usernames of the admins.

disable netbios - (yes/no) "yes" will disable NetBIOS and "no" will allow it to be used.

workgroup - Name your workgroup. Workgroup names must be different from the NetBIOS names.

netbios name - Set NetBIOS name of the server.

server string - The nickname of the server.

wins support - (yes/no) "yes" will make Samba act like a WINS server.

dns proxy - (yes/no) "yes" will make the system search a DNS server for the NetBIOS name.

log level - 0 disables logging and 10 is max logging. To specify a particular sub-component to log, include the name and number separated by a colon. Example - "log level = 2 quota:7 auth:5 winbind:3"

syslog only - (yes/no) "yes" will make Samba messages be logged by syslog in the syslog logs rather than Samba creating its own logs.

server role - Specify how the Samba server should behave. A value of "standalone" will make the server manage all of the services. "active directory domain controller" will make the Samba server act as the active directory. Other values are available to achieve various setups.

unix password sync - (yes/no) "yes" will make the server keep the Unix user passwords in sync with the Samba passwords.

usershare allow guests - (yes/no) "yes" will make shares created by users accessible to guests.

security - When set to "user", users can gain access to shares by typing a registered username and password. If the value is "domain", then a Domain Controller must authenticate the user. Other values exist.

encrypt passwords - (yes/no) "yes" will enable encrypted services.

guest ok - (yes/no) "yes" will allow guests. This means passwords and usernames are not required.

load printers - (yes/no) "yes" will cause the printers to be loaded for browsing by default.

printing - Specify how the printing information is read by the system. Accepted values include BSD, AIX, LPRNG, PLP, SYSV, HPUX, QNX, SOFTQ, CUPS, and IPRINT. Separate multiple values

printer name - Specify the printer's name.

print - Specify the printer commands

disable spoolss - (yes/no) "yes" will disable the printing services.

server max protocol - Specify the highest version of the SMB protocol to support. Accepted values include LANMAN1, LANMAN2, NT1, SMB2 (and sub-versions), and SMB3.


To declare various settings for shares, type the name of the share in brackets. In the following lines, define the needed options and values.

Code:
[ProgDocs]

# optional description
   comment = Programming Documentation
# location
   path = /mnt/server/documentation
# can users write to this share?
   writeable = no
# can users only read file (no writing)
   read only = yes
# “read only” and “writeable” are opposite options
# “read only = yes” is the same as “writeable = no”
# can users see the contents of this share?
   browseable = yes
# who may access this share? (list users and @groups)
   valid users = bob joe bill @group1
# who may write to this share? (ignores “writeable”)
   write list = bob joe
# who may read this share?
   read list = bill @group1
# Allow guest access?
   guest ok = no
# Is this a public share? (same as “guest ok”)
   public = no
# Is this share currently available?
# (admins can temporarily disable a share)
   available = yes

Many other parameters and options are available, but these are the most important ones that many admins will likely use. For a complete list of options and values, view the official Samba documentation.


After making changes to smb.conf, verify that no syntax errors are present. Use the "testparm" command in a terminal. Any errors and warnings will be displayed in the terminal. Make any repairs as needed. After changing and fixing the settings, the Samba daemon must be reloaded. Depending on the system, type "smbd reload", "service smbd restart", "restart smbd", or use the mentioned commands with "samba" instead of "smbd". Root privileges are required to restart the Samba daemon. Also, related daemons may need to be reset like “winbindd” and “nmbd”.
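Alongside testparm, the guest-access warning given earlier for "[homes]" can be checked mechanically. The following Python code is an added example, not part of the original article: it parses the smb.conf syntax described above ("#" and ";" comments, backslash continuation, "OPTION = VALUE" under a header) and reports every section where guest access is switched on. The sample configuration, function names, and severity labels are constructed for illustration.

```python
# Constructed sample smb.conf for illustration (not from the original article).
SAMPLE = """\
[global]
   ; server string = disabled by the comment marker
   usershare allow guests = yes
   invalid users = root \\
       daemon
[homes]
   guest ok = yes
[ProgDocs]
   path = /mnt/server/documentation
   read only = yes
   public = no
"""

TRUE = {"yes", "true", "1"}  # boolean spellings treated as "enabled"
GUEST_KEYS = {"guest ok", "public", "usershare allow guests"}

def parse_smb_conf(text):
    """Return {section: {option: value}} following the syntax rules above."""
    conf, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#;":   # blank line or commented-out setting
            continue
        if line.endswith("\\"):           # backslash: value continues on next line
            pending = line[:-1].rstrip() + " "
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            # Normalise the name so "Guest OK" and "guest ok" compare equal.
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def guest_findings(conf):
    """List (severity, section, option) for every enabled guest setting."""
    return sorted(
        ("HIGH" if section == "homes" else "REVIEW", section, key)
        for section, opts in conf.items()
        for key in opts.keys() & GUEST_KEYS
        if opts[key].lower() in TRUE
    )

if __name__ == "__main__":
    for sev, section, key in guest_findings(parse_smb_conf(SAMPLE)):
        print(f"{sev}: [{section}] {key} is enabled")
```

To audit a live server, pass the contents of /etc/samba/smb.conf to parse_smb_conf instead of SAMPLE.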

To add users and give them a Samba password, run the "smbpasswd" command. Type "smbpasswd -a USER" to add a username. To enable the user, type "smbpasswd -e USER".

To access the Samba shares, use a file manager or a web browser. The format used to specify a server's address is "smb://SERVER_IP_OR_NAME/" on Linux systems. Windows users must use the format "\\SERVER_IP_OR_NAME\".

https://www.samba.org/samba/docs/
https://www.samba.org/samba/docs/man/manpages/
https://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html
 
