6.1. Special Share Names
In Chapter 4, we introduced three special section names: [global], [homes], and [printers]. These built-in section names have special meaning to Samba. There is a fourth special service that we have mentioned when listing shares using smbclient. This share, [IPC$], is provided by all CIFS servers, not just Samba, and is used for certain network operations such as listing file and printer shares. Other service names can have special meanings to clients. Consider this list of shares on a Windows Server 2003 host:
$ smbclient -L trinity -U Administrator%test
Domain=[COLOR] OS=[Windows Server 2003 3790 Service Pack 1] Server=[Windows Server 2003 5.2]

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        ADMIN$          Disk      Remote Admin
        public          Disk
        SYSVOL          Disk      Logon server share
        NETLOGON        Disk      Logon server share
Now examine the same server's list of shares displayed by a Windows XP client using the net.exe command:
C:\> net view \\trinity /user:COLOR\Administrator test
Shared resources at \\trinity

Share name   Type   Used as   Comment
------------------------------------------------------------
NETLOGON     Disk             Logon server share
public       Disk
SYSVOL       Disk             Logon server share
The command completed successfully.
Notice that the XP client does not list the four shares whose names end in a $ character, a trait specific to Microsoft clients. There is nothing special about the file shares C$, PRINT$, or ADMIN$, other than the last character of their name. Windows treats any share whose name ends with a $ as a hidden share, because such shares are primarily used for remote administration within Microsoft networks. Because these names are filtered from the share listing by the client and not the server, any file share defined in smb.conf with a name ending in a $ is hidden from users by the Windows Explorer interface. The following list shows the purpose of each standard hidden share:
These three shares point to overlapping portions of the same directory tree, as shown in Figure 6-1. For example, the root of the \\SERVER\PRINT$ share is the same directory as \\SERVER\ADMIN$\System32\spool\drivers.
Figure 6-1. The directory hierarchy shared by the C$, ADMIN$, and PRINT$ file shares
Samba 3.0 includes a built-in [ADMIN$] share as a synonym for the [IPC$] share. This share was originally implemented (along with some other special cases in the Samba server code) for interoperability with the now defunct Advanced Server for Unix product. Until the 3.0.20 release, there was no way to disable this feature, which meant that you could not define your own [ADMIN$] file share short of modifying the Samba source code. However, it can be important to define an [ADMIN$] share, because some Windows tools rely upon its existence (as well as that of the other standard administrative shares) and even make assumptions about the directory tree that is found at the [ADMIN$] share.
For this reason, newer Samba releases include the global enable asu support Boolean parameter, so you can disable the internal [ADMIN$] IPC share and define your own file share in smb.conf. In this section, we assume that you have version 3.0.20 or later, and show you how to create the standard administrative shares. In order to create all three of the file shares, we will mirror a portion of the Windows operating system directory hierarchy.
The following command creates the full path from /data to the drivers subdirectory. If your mkdir command doesn't support the -p option to create the full path all at once, create each subdirectory one at a time.
$ mkdir -p /data/windows/system32/spool/drivers
Next, define each share in smb.conf, taking care to ensure that the directory paths mirror the common directory trees shown in Figure 6-1. Remember to disable the enable asu support option so that you can create an [ADMIN$] in the first place.
[global]
    enable asu support = no

[C$]
    path = /data
    read only = no
    valid users = +admins

[ADMIN$]
    path = /data/windows
    read only = no
    valid users = +admins

[PRINT$]
    path = /data/windows/system32/spool/drivers
    read only = yes
    write list = +admins
You have already seen that these administrative shares are hidden only by the Windows user interfaces such as cmd.exe and explorer.exe. However, smbclient happily enumerates all of a server's shares, regardless of the names. If you prefer to have smbd not advertise a share at all, disable the browseable parameter in the share's definition. Be aware that hiding a share has no effect on the security of the share. A user who knows the UNC path to the share can still attempt to connect to it.
A frequent trick is to mark the [homes] share as unbrowsable in order to prevent both a share named homes and one matching the currently connected user's login name from appearing in the list of available shares. Many administrators also restrict the set of valid users in [homes] to the %S variable. Remember from Chapter 4 that [homes] is copied in memory and renamed to match the user's login name, and that %S is expanded to the name of the current share. Therefore, %S expands in this case to the user's name, preventing users from connecting to home directories other than their own. Here's a short example:
[homes]
    comment = Home directory for %U
    read only = no
    browseable = no
    valid users = %S
If the name zulu is a valid user on the system, Samba internally allocates the following share when that user connects to her home directory:
[zulu]
    comment = Home directory for zulu
    read only = no
    browseable = yes
    valid users = zulu
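The following script is an added example, not part of this chapter or of Samba itself. It models the two behaviours described above on a small constructed smb.conf: which shares smbclient -L reports versus what a Windows client displays (non-browseable shares are not advertised by smbd; names ending in $ are dropped by the client), how the [homes] section is cloned and renamed for a connecting user with %S and %U expanded, and an audit that finds hidden ($) shares that are writable without a valid users restriction, since hiding a share is not access control.

```python
import re

# Constructed sample smb.conf for this example: the chapter's C$ and [homes] definitions
# plus a hidden, writable share with no valid users restriction to exercise the audit.
SMB_CONF = """
[global]
    enable asu support = no
[C$]
    path = /data
    read only = no
    valid users = +admins
[backup$]
    path = /data/backup
    read only = no
[public]
    path = /srv/public
[homes]
    comment = Home directory for %U
    read only = no
    browseable = no
    valid users = %S
"""

def parse_smb_conf(text):
    """Parse smb.conf into {section: {parameter: value}}; '#' and ';' start comments."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = shares.setdefault(m.group(1), {})
        elif "=" in line and current is not None:
            key, val = line.split("=", 1)
            current[key.strip().lower()] = val.strip()
    return shares

def is_browseable(share):
    return share.get("browseable", "yes").lower() in ("yes", "true", "1")

def server_share_list(shares):
    """What smbclient -L reports: every browseable share that smbd advertises."""
    return sorted(n for n, s in shares.items() if n != "global" and is_browseable(s))

def windows_share_list(shares):
    """What net view / Explorer shows: the client additionally drops names ending in $."""
    return [n for n in server_share_list(shares) if not n.endswith("$")]

def expand_homes(shares, user):
    """Model the per-user clone of [homes]: renamed to the login name, %S and %U expanded,
    browseable reset to the global default (yes), as in the [zulu] share above."""
    clone = {k: v.replace("%S", user).replace("%U", user) for k, v in shares["homes"].items()}
    clone["browseable"] = "yes"
    return {user: clone}

def writable_hidden_without_valid_users(shares):
    """Hidden ($) shares that are writable yet unrestricted (read only defaults to yes)."""
    return sorted(n for n, s in shares.items() if n.endswith("$")
                  and s.get("read only", "yes").lower() == "no" and "valid users" not in s)
```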