Section 6.1. Special Share Names


In Chapter 4, we introduced three special section names: [global], [homes], and [printers]. These built-in section names have special meaning to Samba. There is a fourth special service that we have mentioned when listing shares using smbclient. This share, [IPC$], is provided by all CIFS servers, not just Samba, and is used for certain network operations such as listing file and printer shares. Other service names can have special meanings to clients. Consider this list of shares on a Windows Server 2003 host:

    $ smbclient -L trinity -U Administrator%test
    Domain=[COLOR] OS=[Windows Server 2003 3790 Service Pack 1] Server=[Windows Server 2003 5.2]

            Sharename       Type      Comment
            ---------       ----      -------
            print$          Disk      Printer Drivers
            C$              Disk      Default share
            IPC$            IPC       Remote IPC
            ADMIN$          Disk      Remote Admin
            public          Disk
            SYSVOL          Disk      Logon server share
            NETLOGON        Disk      Logon server share

Now examine the same server's list of shares displayed by a Windows XP client using the net.exe command:

    C:\> net view \\trinity /user:COLOR\Administrator test
    Shared resources at \\trinity

    Share name  Type  Used as  Comment
    ------------------------------------------------------------
    NETLOGON    Disk           Logon server share
    public      Disk
    SYSVOL      Disk           Logon server share
    The command completed successfully.

Notice that the XP client does not list the four shares whose names end in a $ character, a trait specific to Microsoft clients. There is nothing special about the file shares C$, PRINT$, or ADMIN$, other than the last character of their name. Windows recognizes any share whose name ends with a $ as a hidden share, because such shares are primarily used for remote administration within Microsoft networks. Because these names are filtered from the share listing by the client and not the server, any file share defined in smb.conf with a name ending in a $ is hidden from users by the Windows Explorer interface. The following list shows the purpose of each standard hidden share:


C$

This share represents the full contents of the server's C: drive. There will be one such share for each hard disk mounted on the server using the traditional alphabetic naming scheme (C:, D:, etc.). Only administrators are able to connect to this share.


ADMIN$

This share exports the Windows OS directory, pointed to by the %SYSTEMROOT% environment variable. Only administrators are able to connect to this share.


PRINT$

This share provides access to the server's repository of print drivers needed to support point-and-print functionality. This share is covered in more detail in the next chapter, when we explore Samba's own printing support. All authenticated users are able to copy files from this share, but only administrator accounts may add or modify files.

These three shares point to overlapping portions of the same directory tree, as shown in Figure 6-1. For example, the root of the \\SERVER\PRINT$ share is the same directory as \\SERVER\ADMIN$\System32\spool\drivers.

Figure 6-1. The directory hierarchy shared by the C$, ADMIN$, and PRINT$ file shares


Samba 3.0 includes a built-in [ADMIN$] share as a synonym for the [IPC$] share. This share was originally implemented (including some other special cases in the Samba server code) for interoperability with the now defunct Advanced Server for Unix product. Until the 3.0.20 release, there was no way to disable this feature, which meant that you could not define your own [ADMIN$] file share short of modifying the Samba source code. However, it can be important to define an [ADMIN$] share, because some Windows tools rely upon its existence (as well as the other standard administrative shares) and even make assumptions about the directory tree found at the [ADMIN$] share.

For this reason, newer Samba releases include the global enable asu support Boolean parameter, so you can disable the internal [ADMIN$] IPC share and define your own file share in smb.conf. In this section, we assume that you have version 3.0.20 or later, and show you how to create the standard administrative shares. In order to create all three of the file shares, we will mirror a portion of the Windows operating system directory hierarchy.

The following command creates the full path from /data to the drivers subdirectory. If your mkdir command doesn't support the -p option to create the full path all at once, create each subdirectory one at a time.

 $ mkdir -p /data/windows/system32/spool/drivers 

Next, define each share in smb.conf, taking care to ensure that the directory paths mirror the common directory trees shown in Figure 6-1. Remember to disable the enable asu support option so that you can create an [ADMIN$] in the first place.

    [global]
        enable asu support = no

    [C$]
        path = /data
        read only = no
        valid users = +admins

    [ADMIN$]
        path = /data/windows
        read only = no
        valid users = +admins

    [PRINT$]
        path = /data/windows/system32/spool/drivers
        read only = yes
        write list = +admins

You have already seen that these administrative shares are hidden only by the Windows user interfaces such as cmd.exe and explorer.exe. However, smbclient happily enumerates all of a server's shares, regardless of the names. If you prefer to have smbd not advertise a share at all, disable the browseable parameter in the share's definition. Be aware that hiding a share has no effect on the security of the share. A user who knows the UNC path to the share can still attempt to connect to it.

A frequent trick is to mark the [homes] share as unbrowsable in order to prevent both a share named homes and one matching the currently connected user's login name from appearing in the list of available shares. Many administrators also restrict the set of valid users in [homes] to the %S variable. Remember from Chapter 4 that [homes] is copied in memory and renamed to match the user's login name, and that %S is expanded to the name of the current share. Therefore, %S expands in this case to the user's name, preventing users from connecting to home directories other than their own. Here's a short example:

    [homes]
        comment = Home directory for %U
        read only = no
        browseable = no
        valid users = %S

If the name zulu is a valid user on the system, Samba internally allocates the following share when that user connects to her home directory:

    [zulu]
        comment = Home directory for zulu
        read only = no
        browseable = yes
        valid users = zulu
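Because a trailing $ or browseable = no hides a share without restricting access to it, and [homes] depends on valid users = %S to keep users out of each other's directories, an smb.conf can be audited for both conditions. The following Python check is an added example, not code from the book: the sample configuration, the [backup$] share, and the function names are constructed, and it assumes that valid users is the only restriction worth checking.

```python
import re

# Constructed sample: shares from this section plus a hypothetical [backup$]
# that relies only on being hidden, and a [homes] without valid users = %S.
SAMPLE_CONF = """
[global]
    enable asu support = no
[C$]
    path = /data
    valid users = +admins
[PRINT$]
    path = /data/windows/system32/spool/drivers
    read only = yes
    write list = +admins
[backup$]
    path = /data/backup
    browseable = no
[homes]
    browseable = no
"""

def parse_smb_conf(text):
    """Return {section: {param: value}}; smb.conf names ignore case and spaces."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif current is not None and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            current["".join(key.split()).lower()] = value.strip()
    return sections

def audit(text):
    """Flag shares whose only protection is being hidden, and an open [homes]."""
    sections = parse_smb_conf(text)
    defaults, findings = sections.pop("global", {}), []
    for name, params in sections.items():
        eff = {**defaults, **params}  # share settings override [global]
        browse = eff.get("browseable", eff.get("browsable", "yes")).lower()
        hidden = name.endswith("$") or browse in ("no", "false", "0")
        if name == "homes" and eff.get("validusers") != "%S":
            findings.append((name, "valid users is not %S"))
        elif name != "homes" and hidden and "validusers" not in eff:
            findings.append((name, "hidden but no valid users restriction"))
    return findings

if __name__ == "__main__":
    print(*(f"[{s}] {p}" for s, p in audit(SAMPLE_CONF)), sep="\n")
```

[PRINT$] is reported as well, because this section leaves it readable by all authenticated users; treat that finding as a prompt to confirm the intent rather than as a defect.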




Using Samba: A File and Print Server for Linux, Unix & Mac OS X, 3rd Edition
ISBN: 0596007698
EAN: 2147483647
Year: 2004
Pages: 135
