The Unofficial Samba HOWTO
"How do you power off this machine?" --Linus Torvalds, when upgrading linux.cs.helsinki.fi, and after using the machine for several months
The smb.conf(5) file controls the behavior of Samba. By default, it's not created, so you'll have to make one up. Some examples are provided later on in this chapter. However, if you're going to run a Samba server, it's critical that you know where this configuration file is and how many unnecessary duplicate copies of this file exist. Common situations include someone installing Samba on a machine that had leftover configuration files from a previous version of Samba. Which smb.conf file is the Administrator supposed to edit? Which one will Samba pay attention to? I think you get my drift. To make sure you're in the clear, run the following command as root:
# find / -name testparm -exec ls -Fla {} \;
-rwxr-xr-x 1 root root 440268 2004-02-09 09:19 /usr/bin/testparm*
If all goes well, only one file will show up. Why are we searching for testparm(1) instead of smb.conf(5)? By default, no smb.conf configuration file is installed with Samba, but testparm (which checks the syntax of your smb.conf file) is. So if you've just installed Samba on a system with an existing version of Samba on it, you might have duplicate configuration files located in odd locations you'd never expect. If you find more than one testparm file, you'd better determine why this is and take corrective action before proceeding!
Now that we know where our testparm(1) file is located, let's run it:
# /usr/bin/testparm
Load smb config files from /etc/samba/smb.conf
params.c:OpenConfFile() - Unable to open configuration file "/etc/samba/smb.conf": No such file or directory
Error loading services.
Whether this gives us an error message or not is not the point; what's important is the first line of output that we receive. In this case, we have our answer: Samba will look for the smb.conf(5) file in /etc/samba/smb.conf. This is where you should create/edit your smb.conf file. This is probably the single most frequently asked question about Samba -- where should my smb.conf file be located?
On our public webserver at Human Resources, we allow our staff the ability to edit certain files. Here's our actual configuration along with rationale. Hopefully it will give you an idea or two:
[global]
    # Reduce the overhead that Samba uses to scan for timeouts
    change notify timeout = 300
    # Open files with no connections are closed after 15 minutes
    deadtime = 15
    # We're not really in a domain; this just saves us the unnecessary
    # log warnings from nmbd about being unable to contact a domain master
    domain master = yes
    # Files that have UNIX permissions that prohibit access are hidden from users
    hide unreadable = yes
    # We only allow access from these hosts
    hosts allow = 192.168.0.5 192.168.5.82 127.0.0.1
    # All other hosts are denied access
    hosts deny = ALL
    # The root user and the wheel group are not allowed access
    invalid users = root @wheel
    # All our computers are Windows XP
    lanman auth = no
    # We don't have any OS/2 clients
    lm announce = no
    # We log all activity to a single file for regular review
    log file = /var/log/samba.log
    # We want a minimum level of logging
    log level = 1
    # Again, all our clients are Windows XP
    min protocol = NT1
    # What NetBIOS name does our server call itself?
    netbios name = HR
    # We rely on username/password access methods
    security = user
    # We're (mostly) on a Local Area Network, so these settings are appropriate
    socket options = TCP_NODELAY SO_RCVBUF=8192 IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    # Do we provide WINS support?
    wins support = yes
    # What NetBIOS name does our server use for our domain/workgroup?
    workgroup = HRWEBSVR

[template]
    # We use a template so that we can repeat some of these values across multiple shares
    # Testparm complains if this section has no path, so we give a default dummy path
    path = /dev/null
    # Many times a user will ask us who last changed a file and when. This allows us to
    # record this information in the UNIX filesystem despite being anti-POSIX
    dos filetimes = yes
    # By default, all write access is created with the following mask. Note:
    # The use of 7 instead of 6 is intentional -- the extra bit is used by Windows
    # clients - go figure!
    force create mode = 0774
    # All directory creation is made with this UNIX mask.
    force directory mode = 0775
    # Regardless of the UNIX group a user is in, all file activity is done as this user
    force group = +hrgroup
    # The following files are hidden by default from the client
    # In this case, any Windows XP preview files for icons are hidden for cosmetic reasons only
    hide files = /Thumbs.db/
    # The following files are not allowed access of any kind. This allows us to maintain PHP
    # pages without being modified by non-programmers (*.php). Cascading style-sheets aren't
    # accessible either (*.css), along with some other webserver-specific files (favicon.ico,
    # robots.txt, & .htaccess). The remainder of the list prevents the creation of any of
    # these (usually) harmful files -- usually this would happen if a PC got infected with a virus --
    # we don't want to have any of these files created on our webserver whatsoever. The last item
    # (*.{*}) prevents any registry specific files from being created as well.
    veto files = /*.css/*.php/favicon.ico/robots.txt/.htaccess/*.bas/*.chm/*.cmd/*.com/*.cpl/*.crt/*.exe/*.hta/*.ins/*.isp/*.jsp/*.jse/*.msi/*.msp/*.mst/*.pl/*.reg/*.scr/*.swf/*.sct/*.shs/*.url/*.vbe/*.vbs/*.vb/*.wsc/*.wsf/*.wsh/*.ws/*.dll/*.{*}/

[hr]
    # Where is the main HR website located on the server?
    path = /cifs/hr
    # Copy the values from the above template section
    copy = template
    # This section is writeable as well as readable
    read only = no
    # Only users belonging to the following UNIX group are allowed access to this section
    valid users = @hrsection
We have other sections, but listing them would be redundant, as they are very similar to our main section.
Here's the configuration we use for our file server at Human Resources:
[global]
    # Reduce the overhead that Samba uses to scan for timeouts
    change notify timeout = 300
    # Open files with no connections are closed after 15 minutes
    deadtime = 15
    # Yes, we're a domain server (PDC), even though not all of our
    # clients are domain members. We avoid it whenever possible.
    domain master = yes
    # Files that have UNIX permissions that prohibit access are hidden from users
    hide unreadable = yes
    # We only allow access from these hosts with one exception
    hosts allow = 192.168.0.0/255.255.255.0 127.0.0.1 EXCEPT 192.168.0.83
    # All other hosts are denied access
    hosts deny = ALL
    # The root user and the wheel group are not allowed access
    invalid users = root @wheel
    # All our computers are Windows XP
    lanman auth = no
    # We don't have any OS/2 clients
    lm announce = no
    # We log all activity to multiple logfiles depending on the
    # NetBIOS name of the computer
    log file = /var/log/samba/%m.log
    # We want a minimum level of logging
    log level = 1
    # Where is each user's home directory mapped to?
    logon drive = p:
    # Where is the user's home directory located?
    logon home = \\HRSVR\%U
    # Again, all our clients are Windows XP
    min protocol = NT1
    # What NetBIOS name does our server call itself?
    netbios name = HRSVR
    # We don't want to compete for browse master elections - we win always
    os level = 255
    # We want to initiate a browse master election (probably unnecessary)
    # preferred master = yes
    # We rely on username/password access methods
    security = user
    # We're on a Local Area Network, so these settings are appropriate
    socket options = TCP_NODELAY SO_RCVBUF=8192 IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    # We allow clients to set their clock to ours using the NET TIME parameter
    time server = yes
    # Do we provide WINS support?
    wins support = yes
    # What NetBIOS name does our server use for our domain/workgroup?
    workgroup = HRGRP

[template]
    # Our template section is very similar to the first example (above). No need to repeat ourselves
    # here for this example.

[homes]
    # Copy all values from the template section, which in real life is actually filled in.
    copy = template
    # Each user's home directory uses this section automatically
    # However, by default it's not browseable
    browseable = no
    # It's read/write
    read only = no
    # Only the individual user is allowed access to newly created files/directories
    force create mode = 0700
    force directory mode = 0700

[hr]
    # Where is this share located on the UNIX filesystem?
    path = /cifs/hrfile
    # What UNIX permissions are used for newly created files/directories? Again,
    # the use of 7 instead of 6 for create mode is intentional.
    create mode = 0760
    directory mode = 0770
    # Members of which UNIX group are allowed access?
    valid users = +hrgrp
    # It's read/write
    read only = no
    # Members who belong to a different initial group should still write to the files
    # as the following group. This allows us to not have files/directories with world
    # access permissions on them. Only members who are already in the following UNIX
    # group qualify (the + symbol indicates this)
    force group = +hrgrp
As with the last example, there are more shares. However, you get the idea.
Assuming that you have a CD-ROM that you want to make available via Samba with unrestricted access, you can try something like:
[cdrom]
    fake oplocks = yes
    guest ok = yes
    path = /mnt/cdrom
    root preexec = /bin/mount -t iso9660 /dev/cdrom /mnt/cdrom
    root postexec = /bin/umount /dev/cdrom
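The share definitions above rely on copy = template and on [global] host restrictions, so what a share ends up with is not visible from its own section. The following Python code is an added example, not part of the HOWTO or of Samba: it resolves copy = as the smb.conf(5) man page describes (a share's own parameters override the copied ones) and lists shares that permit guest access or have no hosts allow in effect. SAMPLE is constructed from abridged pieces of the configurations above, and parameter synonyms such as public for guest ok are not handled.

```python
# Added example, not from the HOWTO. SAMPLE is constructed from the page's configs.
SAMPLE = """\
[global]
hosts allow = 192.168.0.5 192.168.5.82 127.0.0.1
[template]
path = /dev/null
force create mode = 0774
[hr]
path = /cifs/hr
copy = template
valid users = @hrsection
[cdrom]
guest ok = yes
path = /mnt/cdrom
"""

def parse(text):
    """Return {section: {parameter: value}} with names lower-cased."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and line[0] not in "#;" and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def effective(sections, name):
    """Merge the section named by "copy =" under the share's own parameters."""
    own = sections[name]
    base = sections.get(own.get("copy", "").lower(), {})
    return {k: v for k, v in {**base, **own}.items() if k != "copy"}

def audit(text):
    """List (share, issue) pairs for guest access and missing host restrictions."""
    sections = parse(text)
    host_acl = "hosts allow" in sections.get("global", {})
    issues = []
    for name in sections:
        if name == "global":
            continue
        eff = effective(sections, name)
        if eff.get("guest ok", "no").lower() in ("yes", "true", "1"):
            issues.append((name, "guest access"))
        if not (host_acl or "hosts allow" in eff):
            issues.append((name, "no hosts allow"))
    return issues
```

Run audit() on the text of the file that testparm reports loading; the [cdrom] share on its own, with no [global] hosts allow, is reported for both issues.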
If you're running Windows 2000 or later, you're in luck. You can completely bypass both Linux and Samba by printing directly to your printer's TCP/IP port (assuming it has one, that is).
Before you can even attempt to configure printing under Samba, you must first be able to successfully print directly from your Linux box to your local/network printer. This is, unfortunately, half the battle. Many options for printing under Linux exist, including CUPS and LPRng. It might be worth your while to review The Linux Printing HOWTO for further information. Regardless of the method you use, make sure you can run the following command with success before you proceed:
$ cat /etc/hosts | lpr
Once you've got printing under Linux working, you can tackle getting it to work under Samba. You'll install your printer drivers on the Windows machines, so no additional configuration needs to be done to your /etc/printcap file. Add the following to your smb.conf(5) file:
[global]
    guest account = smbguest

[printers]
    path = /var/spool/lpd/lp
    browseable = yes
    read only = yes
    printable = yes
    guest ok = yes
    guest only = yes
Make sure to add the smbguest account to your system's password file. You can use something like:
# groupadd smbguest
# useradd smbguest -g smbguest -d /dev/null -s /bin/false
You'll also need to add the suid bit to the spool directory that your /etc/printcap points to for each printer. The mode used here also leaves that directory readable and writable by every local user:
# chmod 4777 /var/spool/lpd/lp
Stop and restart Samba; you should now find the printers appearing in your browse list.
Another good resource on Samba and printing is Mike Hernandez's Printing with samba and cups document.