After all the main parameters of the Samba server have been specified, the objects that users are allowed to access can be described. This is done in the sections following the [global] section, which was considered in Section 6.1.
Users normally want to work in their own directories. To do so, a user has to have a Linux account, to which his or her directory will be linked. This directory is specified as //server/name, where server is the server name or IP address and name is the name of the user whose home directory is to be viewed.
To allow users to work with their individual directories, the [homes] section has to be described. Consider an example of this section:
    [homes]
        comment = Home Directories
        browseable = no
        writable = yes
        valid users = %S
        create mode = 0664
        directory mode = 0775

The functions of its parameters are as follows:
comment - A text comment, which has no effect on server operation.
browseable = yes | no - Specifies whether the share is seen in the list of available shares in a network view and in the browse list. If set to yes, user folders will be shown in the network environment.
writable = yes - Specifies whether the home directory can be written to. When set to no, users of the service may not create or modify files in the directory.
create mode = 0750 - Specifies permissions for created files. In this case, the file owner has full rights, group members have read and execute rights, and all other users don't have any rights. Sometimes, however, the parameter's value should be lowered to 740 so that group users have only read rights.
directory mode = 0775 - Specifies permissions for created directories. In this case, group users have overly high privileges. I would lower them to 755 to prohibit them from creating files in the new directory. All other users have only read rights, but even this may be too much for them. I would give them no rights by setting the overall rights to 750, or -rwxr-x--- in symbolic notation.
valid users = user_list - Specifies a space-delimited list of users allowed access to the home directories. By default, all users are allowed access, but only a few users need it. I, therefore, recommend explicitly specifying those users who need to work with their home directories.
If a Linux server is configured to let Windows users log on through Samba, using it as a domain, the comment markers in the [netlogon] section must be removed.

    ; [netlogon]
    ;   comment = Network Logon Service
    ;   path = /usr/local/samba/lib/netlogon
    ;   guest ok = yes
    ;   writable = no

The value of the writable parameter is set to no because users must not have write rights for this directory; scripts that are executed when they log onto the system are stored in this directory. Only the administrator should have the write rights for this directory.
The value of the path parameter is the complete path to the netlogon directory. The function of the guest ok parameter is the same as that of the identical parameter considered in Section 6.1: It governs guest logon. In this case, guest logon is permitted.
The comment markers in the [Profiles] section also have to be removed.

    ; [Profiles]
    ;   path = /usr/local/samba/profiles
    ;   browseable = no
    ;   guest ok = yes

The directory specified in this section stores user profiles, and it should not be seen in the Windows network environment. For this reason, the value of the browseable parameter is set to no.
To make printers connected to the Linux server available to users, the [printers] section has to be configured. Its contents are the following:

    [printers]
        comment = All Printers
        path = /var/spool/samba
        browseable = no
        guest ok = no
        writable = no
        printable = yes

By default, the section is already open and registered users already have access to the printers. To make printers available to guest users, add the public = yes entry to the section. I do not recommend doing this, because it will give users additional means for playing jokes. For example, I know of a case in which a worker was sending pictures to all network computers. It may look like an innocent joke, but this interfered with legitimate work and wasted paper and cartridge ink.
Quite often there is a need for a directory on a server that can be used to exchange files by all network users. This directory is configured in the [tmp] section:

    ; [tmp]
    ;   comment = Temporary file space
    ;   path = /tmp
    ;   read only = no
    ;   public = yes

By default, the section is commented out, so the comments have to be removed to enable the directory. Note the path to the shared directory. This is the /tmp directory, in which temporary user files are stored. The read only = no and public = yes parameters tell Samba that the directory is shared and that files can be written to and read from it by all users.
Even though having this directory is quite convenient, I recommend using it in closed networks only. In networks with access to the Internet, I recommend limiting access to Samba with the help of a firewall. Because the directory is open for writing to anyone, hackers can upload files into it that can be used to obtain root privileges on the server.
All previously-considered sections of the smb.conf file solve particular tasks and have established names. In some cases, however, the name of a section can be changed without affecting the server operation. I, however, do not recommend doing this, because the new section name may work in one Samba version but not when the server software is updated. In this case, it will be difficult to trace the error causing the faulty operation.
You can, however, create your own sections and describe rights in them. For example, you may want to create a shared directory, in which all users can view files but only users of a certain group can write to. Suppose that this directory is for storing images. This task is accomplished by creating a [shareimages] section as follows:

    ; [shareimages]
    ;   comment = Share Images
    ;   path = /home/samba/images
    ;   public = yes
    ;   writable = yes
    ;   write list = @staff
    ;   printable = no

The functions of the section's parameters are the following:
path = /home/samba/images - Here is the path to the directory you want to create.
public = yes - This makes the directory publicly accessible.
writable = yes - Writing to the directory is permitted.
write list = @staff - Writing to the directory is permitted only to the members of the staff group. All other users can only view the directory's files.
Any previously-considered parameters can be used in custom sections.
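
The following audit script is an added example, not code from the book or from the Samba project. It parses smb.conf text and reports the two risks discussed above: shares that guests can write to, such as [tmp], and create or directory masks that leave group or other write bits set. The function names and the sample text are constructed for illustration, and the parameter synonyms are the ones the smb.conf manual documents. Per that manual, a write list grants write access but does not restrict a share that is already writable, so [shareimages] is reported as well.

```python
import re

# Samba synonyms -> (canonical parameter, value is inverted)
SYNONYMS = {"public": ("guest ok", False), "writable": ("read only", True),
            "writeable": ("read only", True), "write ok": ("read only", True),
            "create mode": ("create mask", False),
            "directory mode": ("directory mask", False)}
YES = ("yes", "true", "1")

def parse_smb_conf(text):
    """Return {section: {param: value}}; lines starting with ';' or '#' are comments."""
    shares, current = {}, None
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = shares.setdefault(header.group(1).strip().lower(), {})
        elif current is not None and "=" in line and line[0] not in ";#":
            key, value = (part.strip() for part in line.split("=", 1))
            key, inverted = SYNONYMS.get(key.lower(), (key.lower(), False))
            current[key] = ("no" if value.lower() in YES else "yes") if inverted else value
    return shares

def audit(shares):
    """Return (section, finding) pairs for guest-writable shares and loose masks."""
    findings = []
    for name, p in shares.items():
        # Samba defaults: read only = yes, guest ok = no.
        writable = p.get("read only", "yes").lower() not in YES
        # A write list only adds writers; it does not restrict a writable share.
        if writable and p.get("guest ok", "no").lower() in YES:
            findings.append((name, "guest-writable"))
        for mask in ("create mask", "directory mask"):
            if int(p.get(mask, "0"), 8) & 0o022:  # group or other write bit
                findings.append((name, mask + " grants group/other write"))
    return findings

# Constructed sample: sections from this page with the comment markers removed.
SAMPLE = """[homes]
directory mode = 0775
[tmp]
path = /tmp
read only = no
public = yes
[shareimages]
writable = yes
public = yes
write list = @staff
"""
print(audit(parse_smb_conf(SAMPLE)))
```

The audit reads each section on its own and does not apply defaults inherited from [global].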