The Unofficial Samba HOWTO

3. Server Configuration

"How do you power off this machine?" --Linus Torvalds, when upgrading linux.cs.helsinki.fi, and after using the machine for several months

3.1 smb.conf

The smb.conf(5) file controls the behavior of Samba. By default, it's not created, so you'll have to write one yourself. Some examples are provided later on in this chapter. However, if you're going to run a Samba server, it's critical that you know where this configuration file is and whether any unnecessary duplicate copies of it exist. A common situation is someone installing Samba on a machine that had leftover configuration files from a previous version of Samba. Which smb.conf file is the administrator supposed to edit? Which one will Samba pay attention to? I think you get my drift. To make sure you're in the clear, run the following command as root:

# find / -name testparm -exec ls -Fla {} \;
-rwxr-xr-x    1 root     root       440268 2004-02-09 09:19 /usr/bin/testparm*

If all goes well, only one file will show up. Why are we searching for testparm(1) instead of smb.conf(5)? By default, no smb.conf configuration file is installed with Samba, but testparm (which checks the syntax of your smb.conf file) is. So if you've just installed Samba on a system with an existing version of Samba on it, you might have duplicate configuration files located in odd locations you'd never expect. If you find more than one testparm file, you'd better determine why this is and take corrective action before proceeding!

Now that we know where our testparm(1) file is located, let's run it:

# /usr/bin/testparm
Load smb config files from /etc/samba/smb.conf
params.c:OpenConfFile() - Unable to open configuration file "/etc/samba/smb.conf":
        No such file or directory
Error loading services.

Whether this gives us an error message or not is not the point; what's important is the first line of output that we receive. In this case, we have our answer: Samba will look for the smb.conf(5) file in /etc/samba/smb.conf. This is where you should create/edit your smb.conf file. This is probably the single most frequently asked question about Samba -- where should my smb.conf file be located?
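
The check from this section as a script, added here as an example (it is not part of the original HOWTO): it lists each installed testparm together with the smb.conf path named on the first line of its output. The function names and the ownership filter are this example's own assumptions; -s is testparm's option to skip its interactive prompt.

```shell
#!/bin/sh
# Added example: report which smb.conf each installed testparm would load.

# Sample input: the testparm output shown above on this page.
SAMPLE_OUTPUT='Load smb config files from /etc/samba/smb.conf
params.c:OpenConfFile() - Unable to open configuration file "/etc/samba/smb.conf":
        No such file or directory
Error loading services.'

# conf_path: read testparm output on stdin, print the smb.conf path it names.
conf_path() {
    sed -n 's/^Load smb config files from //p' | head -n 1
}

# report ROOT: print "<testparm> -> <smb.conf>" for each testparm below ROOT.
# Only root-owned binaries that group/other cannot write are executed, so a
# stray file that merely happens to be named testparm is never run.
report() {
    find "$1" -type f -name testparm -user root ! -perm -020 ! -perm -002 \
        2>/dev/null |
    while IFS= read -r bin; do
        conf=$("$bin" -s 2>&1 </dev/null | conf_path)
        printf '%s -> %s\n' "$bin" "${conf:-unknown}"
    done
}

# check: read report lines on stdin; succeed only when they show exactly one
# testparm binary and exactly one smb.conf location.
check() {
    awk -F' -> ' 'NF { bins++; if (!($2 in seen)) { seen[$2] = 1; confs++ } }
                  END { exit !(bins == 1 && confs == 1) }'
}

# With a directory argument, scan it (pass / as root for the full check);
# with no argument, parse the built-in sample.
if [ "$#" -gt 0 ]; then
    listing=$(report "$1")
    printf '%s\n' "$listing"
    printf '%s\n' "$listing" | check ||
        echo "WARNING: expected exactly one testparm and one smb.conf" >&2
else
    printf '%s\n' "$SAMPLE_OUTPUT" | conf_path
fi
```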

3.2 Server Configuration Examples

3.2.1 Webserver

On our public webserver at Human Resources, we allow our staff to edit certain files. Here's our actual configuration along with the rationale. Hopefully it will give you an idea or two:

[global]
        # Scan watched directories for changes only every 300 seconds to reduce overhead
        change notify timeout = 300

        # Idle connections with no open files are closed after 15 minutes
        deadtime = 15

        # We're not really in a domain; this just saves us the unnecessary
        # log warnings from nmbd about being unable to contact a domain master
        domain master = yes

        # Files that have UNIX permissions that prohibit access are hidden from users
        hide unreadable = yes

        # We only allow access from these hosts
        hosts allow = 192.168.0.5 192.168.5.82 127.0.0.1

        # All other hosts are denied access
        hosts deny = ALL

        # The root user and the wheel group are not allowed access
        invalid users = root @wheel

        # All our computers are Windows XP
        lanman auth = no

        # We don't have any OS/2 clients
        lm announce = no

        # We log all activity to a single file for regular review
        log file = /var/log/samba.log

        # We want a minimum level of logging
        log level = 1

        # Again, all our clients are Windows XP
        min protocol = NT1

        # What NetBIOS name does our server call itself?
        netbios name = HR

        # We rely on username/password access methods
        security = user

        # We're (mostly) on a Local Area Network, so these settings are appropriate
        socket options = TCP_NODELAY SO_RCVBUF=8192 IPTOS_LOWDELAY SO_SNDBUF=8192

        # Do we provide WINS support?
        wins support = yes

        # What NetBIOS name does our server use for our domain/workgroup?
        workgroup = HRWEBSVR

[template]
        # We use a template so that we can repeat some of these values across multiple shares
        # Testparm complains if this section has no path, so we give a default dummy path
        path = /dev/null

        # Many times a user will ask us who last changed a file and when.  This allows us to
        # record this information in the UNIX filesystem despite being anti-POSIX
        dos filetimes = yes

        # Files created through the share always get at least these permission bits.  Note:
        # The use of 7 instead of 6 is intentional -- the extra bit is used by Windows
        # clients - go figure!
        force create mode = 0774

        # All directory creation is made with this UNIX mask.
        force directory mode = 0775

        # Whatever a user's primary UNIX group is, all file activity is done as this group
        # (the + limits this to users who are already members of the group)
        force group = +hrgroup

        # The following files are hidden by default from the client
        # In this case, any Windows XP preview files for icons are hidden for cosmetic reasons only
        hide files = /Thumbs.db/

        # The following files are not allowed access of any kind.  This allows us to maintain PHP
        # pages without them being modified by non-programmers (*.php).  Cascading style-sheets aren't
        # accessible either (*.css), along with some other webserver-specific files (favicon.ico,
        # robots.txt, & .htaccess).  The remainder of the list prevents the creation of any of
        # these (usually) harmful files -- usually this would happen if a PC got infected with a virus --
        # we don't want to have any of these files created on our webserver whatsoever.  The last item
        # (*.{*}) prevents any registry specific files from being created as well.
        veto files = /*.css/*.php/favicon.ico/robots.txt/.htaccess/*.bas/*.chm/*.cmd/*.com/*.cpl/*.crt/*.exe/*.hta/*.ins/*.isp/*.jsp/*.jse/*.msi/*.msp/*.mst/*.pl/*.reg/*.scr/*.swf/*.sct/*.shs/*.url/*.vbe/*.vbs/*.vb/*.wsc/*.wsf/*.wsh/*.ws/*.dll/*.{*}/

[hr]
        # Where is the main HR website located on the server?
        path = /cifs/hr

        # Copy the values from the above template section
        copy = template

        # This section is writeable as well as readable
        read only = no

        # Only users belonging to the following UNIX group are allowed access to this section
        valid users = @hrsection

We have other sections, but it would be redundant as they are very similar to our main section.

3.2.2 File Server

Here's the configuration we use for our file server at Human Resources:

[global]
        # Scan watched directories for changes only every 300 seconds to reduce overhead
        change notify timeout = 300

        # Idle connections with no open files are closed after 15 minutes
        deadtime = 15

        # Yes, we're a domain server (PDC), even though not all of our
        # clients are domain members.  We avoid it whenever possible.
        domain master = yes

        # Files that have UNIX permissions that prohibit access are hidden from users
        hide unreadable = yes

        # We only allow access from these hosts with one exception
        hosts allow = 192.168.0.0/255.255.255.0 127.0.0.1 EXCEPT 192.168.0.83

        # All other hosts are denied access
        hosts deny = ALL

        # The root user and the wheel group are not allowed access
        invalid users = root @wheel

        # All our computers are Windows XP
        lanman auth = no

        # We don't have any OS/2 clients
        lm announce = no

        # We log all activity to multiple logfiles depending on the
        # NetBIOS name of the computer
        log file = /var/log/samba/%m.log

        # We want a minimum level of logging
        log level = 1

        # Where is each user's home directory mapped to?
        logon drive = p:

        # Where is the user's home directory located?
        logon home = \\HRSVR\%U

        # Again, all our clients are Windows XP
        min protocol = NT1

        # What NetBIOS name does our server call itself?
        netbios name = HRSVR

        # We don't want to compete for browse master elections - we win always
        os level = 255

        # We want to initiate a browse master election (probably unnecessary)
        # preferred master = yes

        # We rely on username/password access methods
        security = user

        # We're on a Local Area Network, so these settings are appropriate
        socket options = TCP_NODELAY SO_RCVBUF=8192 IPTOS_LOWDELAY SO_SNDBUF=8192

        # We allow clients to set their clock to ours using the NET TIME parameter
        time server = yes

        # Do we provide WINS support?
        wins support = yes

        # What NetBIOS name does our server use for our domain/workgroup?
        workgroup = HRGRP

[template]
        # Our template section is very similar to the first example (above).  No need to repeat ourselves
        # here for this example.

[homes]
        # Copy all values from the template section, which in real life is actually filled in.
        copy = template

        # Each user's home directory uses this section automatically
        # However, by default it's not browseable
        browseable = no

        # It's read/write
        read only = no

        # Only the individual user is allowed access to newly created files/directories
        force create mode = 0700
        force directory mode = 0700

[hr]
        # Where is this share located on the UNIX filesystem?
        path = /cifs/hrfile

        # What UNIX permissions are used for newly created files/directories?  Again,
        # the use of 7 instead of 6 for create mode is intentional.
        create mode = 0760
        directory mode = 0770

        # Members of which UNIX group are allowed access?
        valid users = +hrgrp

        # It's read/write
        read only = no

        # Members who belong to a different initial group should still write to the files
        # as the following group.  This allows us to not have files/directories with world
        # access permissions on them.  Only members who are already in the following UNIX
        # group qualify (the + symbol indicates this)
        force group = +hrgrp

As with the last example, there are more shares. However, you get the idea.

3.3 Miscellaneous Issues

3.3.1 Sharing a DVD/CDROM

Assuming that you have a CD-ROM that you want to make available via Samba with unrestricted access, you can try something like:

[cdrom]
	fake oplocks = yes
	guest ok = yes
	path = /mnt/cdrom
	root preexec = /bin/mount -t iso9660 /dev/cdrom /mnt/cdrom
	root postexec = /bin/umount /dev/cdrom
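
An added example, not from the original HOWTO: a small audit that prints, for each share in an smb.conf, whether guests are admitted and which "valid users" restriction applies, following "copy =" the way the [hr] share in section 3.2.1 uses it. The sample configuration is constructed from shares on this page, and the lookup order (the share, then its copy source, then [global]) is a simplified model of Samba's behaviour that ignores include files and % substitutions.

```shell
#!/bin/sh
# Added example: per share, are guests admitted and who may connect?

# Constructed sample assembled from shares shown on this page.
SAMPLE_CONF='[global]
        invalid users = root @wheel
[template]
        path = /dev/null
        force group = +hrgroup
[hr]
        path = /cifs/hr
        copy = template
        valid users = @hrsection
[cdrom]
        guest ok = yes
        path = /mnt/cdrom'

# audit_shares: read smb.conf text on stdin and print one line per share:
#   <share> guest=<yes|no> valid_users=<value|ANY>
audit_shares() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    function get(s, k,    src) {            # share, then copy source, then global
        if ((s, k) in conf) return conf[s, k]
        src = ((s, "copy") in conf) ? tolower(conf[s, "copy"]) : ""
        if (src != "" && ((src, k) in conf)) return conf[src, k]
        return (("global", k) in conf) ? conf["global", k] : ""
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }    # comment or blank line
    /^[ \t]*\[/ {                           # section header
        sec = tolower(trim($0)); sub(/^\[/, "", sec); sub(/\].*$/, "", sec)
        if (!(sec in seen)) { seen[sec] = 1; order[++n] = sec }
        next
    }
    (eq = index($0, "=")) && sec != "" {    # key = value line
        key = tolower(trim(substr($0, 1, eq - 1))); gsub(/[ \t]+/, " ", key)
        conf[sec, key] = trim(substr($0, eq + 1))
    }
    END {
        for (i = 1; i <= n; i++) {
            s = order[i]; if (s == "global") continue
            g = tolower(get(s, "guest ok")); vu = get(s, "valid users")
            guest = (g ~ /^(yes|true|1)$/) ? "yes" : "no"
            printf "%s guest=%s valid_users=%s\n", s, guest, (vu == "") ? "ANY" : vu
        }
    }'
}

# With a file argument audit that file; otherwise audit the built-in sample.
if [ "$#" -gt 0 ]; then audit_shares < "$1"
else printf '%s\n' "$SAMPLE_CONF" | audit_shares; fi
```

On the sample, [template] is reported alongside [hr] and [cdrom], because every section other than [global] is itself a share definition.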

3.3.2 Sharing a Printer

If you're running Windows 2000 or later, you're in luck. You can completely bypass both Linux and Samba by printing directly to your printer's TCP/IP port (assuming it has one, that is).

Before you can even attempt to configure printing under Samba, you must first be able to successfully print directly from your Linux box to your local/network printer. This is, unfortunately, half the battle. Many options for printing under Linux exist, including CUPS and LPRng. It might be worth your while to review The Linux Printing HOWTO for further information. Regardless of the method you use, make sure you can run the following command with success before you proceed:

$ cat /etc/hosts | lpr

Once you've got printing under Linux working, you can tackle getting it to work under Samba. You'll install your printer drivers on the Windows machines, so no additional configuration needs to be done to your /etc/printcap file. Add the following to your smb.conf(5) file:

[global]
        guest account = smbguest

[printers]
        path = /var/spool/lpd/lp
        browseable = yes
        read only = yes
        printable = yes
        guest ok = yes
        guest only = yes

Make sure to add the smbguest account to your system's password file. You can use something like:

# groupadd smbguest
# useradd smbguest -g smbguest -d /dev/null -s /bin/false

You'll also need to add the suid bit to the directory that your /etc/printcap points to for each printer:

# chmod 4777 /var/spool/lpd/lp

Stop and restart Samba; you should now find the printers appearing in your browse list.

Another good resource on Samba and printing is Mike Hernandez's Printing with samba and cups document.

