6.1. Configuring Samba

The main configuration file for Samba is smb.conf, located in the /etc/samba directory (or simply in the /etc directory, for some distributions). This directory also contains the lmhosts file used for mapping host names to their IP addresses (analogously to the /etc/hosts file used by Linux). The Windows disk:\windows\system32\drivers\etc\lmhosts.sam file is only used for the Samba server's needs.

There also are the following files in /etc/samba directory:

  • smbusers This file stores a list of users allowed to connect to the Samba server.

  • smbpasswd This file stores passwords for users listed in the smbusers file.

These two files may not be created by default, and you will have to create them manually.

In this case, make sure that the files have correct file permissions. Only the root user can be the owner of these files.
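One way to verify the ownership and permissions described above, as an added example that is not from the book. The text names only the owner; the rules that neither file may be writable by group or others, and that smbpasswd may not be readable by them, are assumptions of this sketch, as are the function names.

```python
import os
import stat

def check_samba_file(path, expected_uid=0, secret=False):
    """Return a list of findings for one Samba account file.

    expected_uid: owner the file must have (0 = root, as the text requires).
    secret: True for the password file, which must not be readable by
            group or others (assumed policy; the text gives no mode).
    """
    try:
        st = os.lstat(path)              # lstat: do not follow a symlink
    except FileNotFoundError:
        return [f"{path}: missing (not created by default)"]
    if not stat.S_ISREG(st.st_mode):
        return [f"{path}: not a regular file"]
    findings = []
    if st.st_uid != expected_uid:
        findings.append(f"{path}: owner uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: writable by group or others")
    if secret and st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"{path}: readable by group or others")
    return findings

def check_samba_accounts(directory="/etc/samba", expected_uid=0):
    """Check smbusers and smbpasswd in the given directory."""
    findings = check_samba_file(os.path.join(directory, "smbusers"), expected_uid)
    findings += check_samba_file(os.path.join(directory, "smbpasswd"),
                                 expected_uid, secret=True)
    return findings

if __name__ == "__main__":
    for finding in check_samba_accounts():
        print(finding)
```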

There aren't many parameters in the smb.conf file, so I give a small example of it in Listing 6.1 to help you understand the overall structure of this file. Further, I will consider other Linux servers, which require many more configuration settings.

Listing 6.1: A fragment of the smb.conf configuration file
    [global]
    # Main parameters
       workgroup = MYGROUP
       server string = Samba Server
    ;  hosts allow = 192.168.1. 192.168.2. 127.
       load printers = yes
       printing = lprng
    ;  guest account = pcguest
    # Log parameters
       log file = /var/log/samba/%m.log
       max log size = 0
    # Security parameters
       security = user
    ;  password server = <NT-Server-Name>
    ;  password level = 8
    ;  username level = 8
       encrypt passwords = yes
       smb passwd file = /etc/samba/smbpasswd
       unix password sync = yes
       passwd program = /usr/bin/passwd %u
       passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
       pam password change = yes
    ;  username map = /etc/samba/smbusers
    ;  include = /etc/samba/smb.conf.%m
       obey pam restrictions = yes
    # Socket configuration parameters
       socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    ;  interfaces = 192.168.12.2/24 192.168.13.2/24
    # View configuration parameters
    ;  remote browse sync = 192.168.3.25 192.168.5.255
    ;  remote announce = 192.168.1.255 192.168.2.44
    ;  local master = no
    ;  os level = 33
    ;  domain master = yes
    ;  preferred master = yes
    # Server operation parameters
    ;  domain logons = yes
    ;  logon script = %m.bat
    ;  logon script = %U.bat
    ;  logon path = \\%L\Profiles\%U
    ;  wins support = yes
    # WINS server parameters
    ;  wins server = w.x.y.z
    ;  wins proxy = yes
       dns proxy = no
    # File presentation parameters
    ;  preserve case = no
    ;  short preserve case = no
    ;  default case = lower
    ;  case sensitive = no

The actual file in your system will be much larger, because it contains numerous comments describing and giving examples of how public directories are configured. I deleted all of those comments to make it easier to orient yourself in the file's contents when considering its directives.

Directives in most Linux and application software configuration files have the following format:

 Parameter_Name Value 

The Parameter_Name parameter must be one word; no spaces are allowed. It is followed by a space, and then the parameter's value is given.

The Samba server uses a somewhat different format:

 Parameter_Name=Value 

The value of the parameter is given after an equal sign. In this way, the parameter name can consist of several words and contain any character with the exception of the equal sign.

6.1.1. Main Settings

The smb.conf file is broken into sections. In the first section, named [global] , the server's global parameters are defined. These are the following:

  • workgroup = name The name of the workgroup the server will appear to be in when queried by clients. When you open the network environment in Windows, you can see all available resources shown by groups. Each group can contain its computers or servers.

  • netbios name = name This specifies the name by which the given Samba server is known and will be shown in the network environment. It cannot be the same as the workgroup name.

  • server string = description This is the description of the server shown in the Comment field of the server's properties window (or of the network environment window in the Details view mode). You can enter a comment describing the server into this field, for example, "Main File Server."

  • hosts allow = IP addresses/host names This is a space-, comma-, or tab-delimited list of IP addresses or names of hosts and networks allowed to access the server. For example, access for all computers from the network 192.168.1.x and for one computer from another network with the IP address 192.168.2.1 can be allowed by setting this parameter as follows:

     hosts allow = 192.168.1. 192.168.2.1

  • printcap name = file This specifies the file containing descriptions of the printers connected to the system. The default file is /etc/printcap.

  • load printers = yes | no When set to yes, all printers in the printcap file are loaded for browsing by default. If there is no need for this, set this parameter to no.

  • printing = style This specifies the printing style. The following options are available: bsd, sysv, plp, lprng, aix, hpux, and qnx.
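How the hosts allow value described above sorts client addresses, as an added example that is not from the book. It is a simplified model that handles only the two entry forms the text shows (a network prefix ending in a dot and a single IPv4 address); the function names and client addresses are constructed for illustration.

```python
import ipaddress
import re

def split_hosts_allow(value):
    """Split on the delimiters the text lists: spaces, commas and tabs."""
    return [tok for tok in re.split(r"[ ,\t]+", value.strip()) if tok]

def matching_entry(value, client_ip):
    """Return the hosts allow entry that covers client_ip, or None.

    Simplified model: a trailing-dot network prefix or one IPv4 address.
    Host names and netmask forms are not handled here.
    """
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")  # validates input
    for entry in split_hosts_allow(value):
        if entry.endswith("."):
            prefix = entry[:-1].split(".")
            if octets[:len(prefix)] == prefix:   # whole-octet comparison
                return entry
        elif entry.split(".") == octets:
            return entry
    return None

# Constructed client addresses checked against the value described in the text.
RULE = "192.168.1. 192.168.2.1"
CLIENTS = ["192.168.1.77", "192.168.2.1", "192.168.2.2", "192.168.10.5"]

def report(rule=RULE, clients=CLIENTS):
    """Map each client address to the entry that admits it (None = no match)."""
    return {ip: matching_entry(rule, ip) for ip in clients}

if __name__ == "__main__":
    for ip, entry in report().items():
        print(f"{ip:15} {'allowed by ' + entry if entry else 'no matching entry'}")
```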

6.1.2. Security

The parameters that directly or indirectly affect security are the following:

  • guest account = name This is a user name that will be used to access the services specified as guest ok. If your server does not store any confidential information and is used for open file exchange, you can create a guest account; otherwise, allowing a guest login may be a security threat.

  • log file = file_name This is the name of the log file, for example, /var/log/samba/%m.log. The %m combination in the file name will be substituted with the name of the user whose activity is logged. Thus, for the user name robert, a log file named /var/log/samba/robert.log will be created.

  • max log size = n This sets the maximum log size in kilobytes. There is no size limit if this is set to 0.

  • security = level Based on the value, clients decide whether and how to transfer user and password information to the server. The following values are available:

    • user A user must log onto a user security server with a valid user name and password before attempting to access shared resources.

    • share Users don't have to log onto the share security server. A user name and password are required when accessing each particular share.

    • server This specifies the name of the server, on which the passwords are stored. (This is in case the passwords are stored on another server using the password server = Server_Name parameter.)

    • domain The user name and password are validated by passing them to a Windows NT primary or backup domain controller, just like a Windows NT Server would do. The password file to use is specified using the smb passwd file = file_path parameter.

  • encrypt passwords = yes | no When set to yes, passwords passed through the network are encrypted. This parameter requires some explanation, because it may cause problems when authenticating from Windows computers.

The problem is that Windows-encrypted passwords are reversible. A password is encrypted on the client and sent over the network to the server, which decrypts it and compares it against the passwords in the password file. In Linux, stored passwords are encrypted irreversibly using the MD5 algorithm. At authentication, the client encrypts the password using the same algorithm and passes it to the server, which compares the encrypted password against encrypted passwords in the password file.

Thus, the encryption and authentication techniques of these two operating systems are incompatible with each other.

For Windows users to be able to authenticate on a Samba server, the password must be sent unencrypted. For this, the value of the encrypt passwords parameter should be set to no . Moreover, in Windows systems, the value of EnablePlainTextPassword must be set to 1. For different versions of Windows, this parameter is located in different keys. For Windows 9x, this is the following:

 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VxD\VNETSUP 

For Windows NT, it is in this key:

 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr\Parameters 

For Windows 2000 and XP, the parameter is in the following key:

 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkStation\Parameters

If the parameter does not exist, it should be created. It should be of the DWORD type.

If you experience difficulties logging onto the server, switch the system to work with plaintext passwords. In this case, a Samba server will use the /etc/passwd and /etc/shadow files to perform the authentication. It encrypts the plaintext password using the MD5 algorithm and compares it with the encrypted passwords stored in the /etc/shadow file.

If the encrypt passwords parameter is set to yes , the /etc/samba/smbpasswd file will be used at authentication. (The password file's location and name can be changed with the help of the smb passwd file parameter.) This password file is needed because of the differences in the encrypted password-authorization systems used in Linux and Windows.

Do not use plaintext passwords unless necessary. Always remember about network traffic sniffers that can snatch passwords sent on the network in plaintext. If hackers obtain even one password, chances are good they will be able to break into your system.

  • smb passwd file = file_path This specifies the path to the encrypted smbpasswd file. By default, this is the directory, in which Samba's configuration files are located.

  • ssl CA certFile = file_path This parameter specifies the path to the Certification Authority (CA) file, necessary for operation of the SSL protocol used for secure data transfer.

  • unix password sync = yes | no This allows Windows users to synchronize Linux passwords with the Samba password when the encrypted Samba password in the smbpasswd file is changed. If there is no such need, the parameter should be set to no.

    For this directive to work, the program to change the password has to be specified in the passwd program parameter, and the program to control the conversation that takes place during the password change must be specified in the passwd chat parameter. The following is an example of the parameter's use:

     unix password sync = Yes
     passwd program = /usr/bin/passwd %u
     passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*

    Moreover, the encrypt passwords and smb passwd file directives have to be used.

  • username map = file_path This specifies the file containing a mapping of user names from Windows clients to the Samba server. This file is described in more detail in Section 6.3.
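A sketch that ties the Parameter_Name=Value format to the security parameters listed above, as an added example that is not from the book: it parses smb.conf text and reports the settings this section cautions against. The sample configuration, the [public] share and the function names are constructed for illustration, and line continuation is not handled.

```python
# Constructed sample; the parameter names are those used in Listing 6.1.
SAMPLE = """\
[global]
   workgroup = MYGROUP
;  hosts allow = 192.168.1. 192.168.2. 127.
   guest account = pcguest
   Encrypt  Passwords = No
[public]
   path = /srv/public
   guest ok = yes
"""

def parse_smb_conf(text):
    """Return {section: {parameter: value}} for smb.conf text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":        # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)   # only the first '=' separates
            # Names may be several words; Samba ignores their case and spacing.
            current["".join(name.lower().split())] = value.strip()
    return sections

def flag(value, words):
    """True if a yes/no style value is one of the given spellings."""
    return value.strip().lower() in words

def audit(conf):
    """Return (section, finding) pairs for settings the security list warns about."""
    g = conf.get("global", {})
    findings = []
    if flag(g.get("encryptpasswords", "yes"), ("no", "false", "0")):
        findings.append(("global", "encrypt passwords = no: plaintext passwords on the wire"))
    if "hostsallow" not in g:
        findings.append(("global", "hosts allow not set: no address restriction"))
    for section, params in conf.items():
        if flag(params.get("guestok", "no"), ("yes", "true", "1")):
            account = g.get("guestaccount", "the default guest account")
            findings.append((section, "guest ok = yes: open to " + account))
    return findings

if __name__ == "__main__":
    for section, finding in audit(parse_smb_conf(SAMPLE)):
        print(f"[{section}] {finding}")
```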

6.1.3. Network

In this section, the network protocol configuration parameters are considered. These are the following:

  • include = file_path This parameter allows you to use the smb.conf file from another computer. The name of the file is specified in the path.%m format. Here, path is the absolute path to the file on the remote machine, and %m is the NetBIOS name of the machine, for example, /etc/samba/smb.conf.robert.

  • socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 This parameter specifies the protocol options and the sizes of the input and output buffers. In this instance, its values are the following:

    • TCP_NODELAY Allows data to be transmitted without delay

    • SO_RCVBUF Sets the size of the incoming buffer

    • SO_SNDBUF Sets the size of the outgoing buffer

  • interfaces = interface names If you have two network cards installed on your computer, each interfacing a different network, this parameter allows users from both networks to work with Samba.

6.1.4. Samba as a Windows Server

Samba can act as a Windows server without workstations running under Windows noticing any difference. This is made possible by the following parameters:

  • local master = yes | no This option allows a Samba server to become the main local browser on the subnet.

  • domain master = yes | no This option allows a Samba server to become the main local browser on the domain. Do not set the value of this parameter to yes if there is a Windows NT domain controller in your network.

  • domain logons = yes | no If set to yes, the Samba server will serve Windows 95/98 domain logons for the workgroup it is in. This will allow Samba passwords to be used when booting on a Windows computer.

  • logon script = file_path If the domain logons parameter is set to yes , this parameter specifies the batch file to be run when a user successfully logs in. The file can be specified as %m.bat (with %m replaced with a computer name) or %U.bat (with %U replaced with a user name).

  • logon path = path Specifies the home directory where user profiles are stored. To use this option, the comments must be removed from the [Profiles] section in the default configuration file.

6.1.5. WINS Support

The Windows Internet Naming Service (WINS) is a service for mapping NetBIOS computer names to their respective IP addresses. A WINS database is similar to DNS, only it stores NetBIOS host names as opposed to the domain names used in DNS.

The following parameters are used to configure WINS operation:

  • wins support = yes | no This parameter enables Samba to act as a WINS server.

  • wins server = w.x.y.z This specifies the WINS server address.

  • dns proxy = yes | no When set to yes, nonregistered NetBIOS names will be looked up with the DNS server.

6.1.6. File Representation

File naming conventions differ between Linux and Windows. For example, in Linux, file names are case-sensitive, and in Windows they are not. This means that DATA.TXT and data.txt are treated as the same file in Windows but not in Linux. This problem can be solved by using several parameters. These are the following:

  • case sensitive = yes | no If set to yes, case sensitivity is ignored.

  • default case = lower All file names are depicted in lowercase.

  • preserve case = yes | no and short preserve case = yes | no These parameters control whether the case information in file names is preserved.

If there are Windows systems in the network, the preceding values should not be changed. For a homogeneous Linux network, case information can be preserved.



Hacker Linux Uncovered
ISBN: 1931769508
EAN: 2147483647
Year: 2004
Pages: 141
