Manually Configuring a Samba Server


The /etc/samba/smb.conf file controls most aspects of how Samba works and is divided into sections. Each section begins with a line that starts with an open bracket ([), includes some text, and ends with a close bracket (]). The text within the brackets identifies the section. Typical sections are

[global]

Defines global parameters

[printers]

Defines printers

[homes]

Defines shares in the homes directory

[share name]

Defines a share (you can have more than one of these sections)


smb.conf comments


As installed on a Red Hat Linux system, the /etc/samba/smb.conf sample configuration file contains extensive comments and commented-out examples. Comment lines in smb.conf can start with either a pound sign (#) or a semicolon (;). The sample file uses pound signs to begin lines that are intended to remain as comments and semicolons to begin lines that you may want to mimic or use as is by removing the semicolons. The following segment of smb.conf contains two lines of true comments and seven lines beginning with semicolons that you may want to uncomment and make changes to:

    # A private directory, usable only by fred. Note that fred requires
    # write access to the directory.
    ;[fredsdir]
    ;   comment = Fred's Service
    ;   path = /usr/somewhere/private
    ;   valid users = fred
    ;   public = no
    ;   writable = yes
    ;   printable = no


Assuming the global parameters in smb.conf are set properly, you need to add a share for a Windows system to be able to access a directory on the local Linux system. Add the following simple share to the end of the smb.conf file to enable a user on a Windows system to be able to read from and write to the local /tmp directory:

    [tmp]
        comment = temporary directory
        path = /tmp
        writable = yes
        guest ok = yes


The name of the share under Windows is tmp; the path under Linux is /tmp. Any Windows user, including guest, who can log in on Samba, can read from and write to this directory, assuming that the user's Linux permissions allow it. The Linux permissions that apply to a Windows user using Samba are the permissions that apply to the Linux user that the Windows user maps to.

Parameters in the smb.conf File

The smb.conf man page and the Help feature of swat list all the parameters you can set in smb.conf. The following sections identify some of the parameters you are likely to want to change.

Global Parameters

interfaces


A SPACE-separated list of the networks that Samba uses. Specify as interface names (such as eth0) or as IP address/net mask pairs (page 423).

Default: all active interfaces except 127.0.0.1

server string


The string that is displayed in various places on the Windows machine. Within the string, Samba replaces %v with the Samba version number and %h with the hostname.

Default: Samba %v

Red Hat: Samba Server

workgroup


The workgroup that the server belongs to. Set to the same workgroup as the Windows clients that use the server. This parameter controls the domain name that Samba uses when security (page 708) is set to DOMAIN.

Default: WORKGROUP

Red Hat: MYGROUP

Security Parameters

encrypt passwords


YES accepts only encrypted passwords from clients. Windows 98 and Windows NT 4.0 Service Pack 3 and later use encrypted passwords by default. This parameter uses smbpasswd to authenticate passwords unless you set security to SERVER or DOMAIN, in which case Samba authenticates using another server.

Default: YES

Samba defaults to storing encrypted passwords in the smbpasswd file if you do not set up passdb (a password database). Storing passwords in the smbpasswd file is sensible on servers with fewer than 250 users. For high-load servers, consult the Samba HOWTO collection for information about configuring a database back end.

guest account


The username that is assigned to users logging in as guest or mapped to guest; applicable only when guest ok (page 711) is set to YES. This username should be present in /etc/passwd but should not be able to log in on the system. Typically guest account is assigned a value of nobody because the user nobody can access only files that any user can access. If you are using the nobody account for other purposes on the Linux system, set this variable to a name other than nobody.

Default: nobody

hosts allow


Analogous to the /etc/hosts.allow file (page 427), this parameter specifies hosts that are allowed to connect to the server. Overrides hosts specified in hosts deny. A good strategy is to specify ALL in hosts deny and to specify the hosts you want to grant access to in this file. Specify hosts in the same manner as in hosts.allow.

Default: none (all hosts permitted access)

hosts deny


Analogous to the /etc/hosts.deny file (page 427), this parameter specifies hosts that are not allowed to connect to the server. Overridden by hosts specified in hosts allow. If you specify ALL in this file, remember to include the local system (127.0.0.1) in hosts allow. Specify hosts in the same manner as in hosts.deny.

Default: none (no hosts excluded)

map to guest


Defines when a failed login is mapped to the guest account. Useful only when security is not set to SHARE.

Never: Allows guest to log in only when the user explicitly provides guest as the username and a blank password.

Bad User: Treats any attempt to log in as a user who does not exist as a guest login. This parameter is a security risk because it allows a malicious user to retrieve a list of users on the system quickly.

Bad Password: Silently logs in as guest any user who incorrectly enters his or her password. This parameter may confuse a user when she mistypes her password and is unknowingly logged in as guest because she will suddenly see fewer shares than she is used to.

Default: Never

passwd chat


The chat script that Samba uses to converse with the passwd program. If this script is not followed, Samba does not change the password. Used only when unix password sync is set to YES.

Default: *new*password* %n\n*new*password* %n\n*changed*

passwd program


The program Samba uses to set Linux passwords. Samba replaces %u with the user's username.

Default: /usr/bin/passwd %u

security


Specifies if and how clients transfer user and password information to the server. Choose one of the following:

USER: Causes Samba to require a username and password from users or Windows when logging in on the Samba server. With this setting you can use

  • username map to map usernames to other names

  • encrypt passwords (page 706) to encrypt passwords (recommended)

  • guest account (page 707) to map users to the guest account

SHARE: Causes Samba not to authenticate clients on a per-user basis. Instead, Samba uses the system found in Windows 9x, in which each share can have an individual password for either read or full access. This option is not compatible with more recent versions of Windows.

SERVER: Causes Samba to use another SMB server to validate usernames and passwords. Failing remote validation, the local Samba server tries to validate as though security were set to USER.

DOMAIN: Samba passes an encrypted password to a Windows NT domain controller for validation.

ADS: Instructs Samba to use an Active Directory server for authentication, allowing a Samba server to participate as a native Active Directory member. (Active Directory is the centralized information system that Windows 2000 and later use. It replaces Windows Domains, which was used by Windows NT and earlier.)

Default: USER

unix password sync


YES causes Samba to change a user's Linux password when the associated user changes the encrypted Samba password.

Default: NO

update encrypted


YES allows users to migrate from cleartext passwords to encrypted passwords without logging in on the server and using smbpasswd. To migrate users, set to YES and set encrypt passwords to NO. As each user logs in on the server with a cleartext Linux password, smbpasswd encrypts and stores the password in /etc/samba/smbpasswd. Set to NO and set encrypt passwords to YES after all users have been converted.

Default: NO

username map


The name of the file that maps usernames from a client to usernames on the server. Each line of the map file starts with a server username, followed by a SPACE, an equal sign, another SPACE, and one or more SPACE-separated client usernames. An asterisk (*) on the client side matches any client username. This file frequently maps Windows usernames to Linux usernames and/or maps multiple Windows usernames to a single Linux username to facilitate file sharing. A sample map file is shown here:

    $ cat /etc/samba/smbusers
    # Unix_name = SMB_name1 SMB_name2 ...
    root = administrator admin
    nobody = guest
    sam = sams


Default: no map

Red Hat: /etc/samba/smbusers
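A map file in the format described above can be reviewed for entries that hand client names a privileged server account or that use the wildcard. The following is an added example, not code from the book or from Samba; the function names, the PRIVILEGED set and the extra wildcard line in the sample are assumptions made for illustration. The page does not say which rule applies when several match, so matching_rules returns all of them.

```python
# Constructed map text: the first three rules are the page's sample, the
# wildcard rule is added here to exercise the '*' case.
SAMPLE_MAP = """\
# Unix_name = SMB_name1 SMB_name2 ...
root = administrator admin
nobody = guest
sam = sams
nobody = *
"""

PRIVILEGED = {"root"}  # assumption: server accounts a reviewer treats as privileged

def parse_username_map(text):
    """Return [(line_no, server_user, [client_users])] for each mapping line."""
    rules = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":   # blank lines and comments
            continue
        server, sep, clients = line.partition("=")
        if not sep or not server.strip() or not clients.split():
            raise ValueError(f"line {line_no}: expected 'server = client ...'")
        rules.append((line_no, server.strip(), clients.split()))
    return rules

def matching_rules(rules, client):
    """Rules whose client side names this client (case-insensitive) or is '*'."""
    wanted = client.lower()
    return [(n, s) for n, s, cs in rules
            if any(c == "*" or c.lower() == wanted for c in cs)]

def review(rules):
    """Findings worth a second look: privileged targets and wildcard rules."""
    findings = []
    for n, server, clients in rules:
        if server in PRIVILEGED:
            findings.append(f"line {n}: {', '.join(clients)} -> {server}")
        if "*" in clients:
            findings.append(f"line {n}: any client name -> {server}")
    return findings
```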

Logging Parameters

log file


The name of the Samba log file. Samba replaces %m with the name of the client system, allowing you to generate a separate log file for each client.

Default: none

Red Hat: /var/log/samba/%m.log

log level


Sets the log level, with 0 (zero) being off and higher numbers being more verbose.

Default: 0 (off)

max log size


An integer specifying the maximum size of the log file in kilobytes. A 0 (zero) specifies no limit. When a file reaches this size, Samba appends a .old to the filename and starts a new log, deleting any old log file.

Default: 5000

Red Hat: 50

Browser Parameters

The domain master browser is the system that is responsible for maintaining the list of machines on a network used when browsing a Windows Network Neighborhood or My Network Places. SMB (page 1055) uses weighted elections every 11-15 minutes to determine which machine will be the domain master browser.

Whether a Samba server wins this election depends on two parameters: First, setting domain master to YES instructs the Samba server to enter the election. Second, the os level determines how much weight the Samba server's vote receives. Setting os level to 2 should cause the Samba server to win against any Windows 9x machines. NT Server series domain controllers, including Windows 2000, XP, and 2003, use an os level of 32. The maximum setting for os level is 255, although setting it to 65 should ensure that the Samba server wins.

domain master


YES causes nmbd to attempt to be the domain master browser. If a domain master browser exists, then local master browsers will forward copies of their browse lists to it. If there is no domain master browser, then browse queries may not be able to cross subnet boundaries. A Windows PDC (Primary Domain Controller) will always try to become the domain master and may behave in unexpected ways if it fails. Refer to the preceding discussion.

Default: AUTO

local master


YES causes nmbd to enter elections for the local master browser on a subnet. A local master browser stores a cache of the NetBIOS (page 1044) names of entities on the local subnet, allowing browsing. Windows machines automatically enter elections; for browsing to work, the network must have at least one Windows machine or one Samba server with local master set to YES. It is poor practice to set local master to NO. If you do not want a computer to act as a local master, set its os level to a lower number, allowing it to be used as the local master if all else fails.

Default: YES

os level


An integer that controls how much Samba advertises itself for browser elections and how likely nmbd is to become the local master browser for its workgroup. A higher number increases the chances of the local server becoming the local master browser. Refer to the discussion at the beginning of this section.

Default: 20

preferred master


YES forces nmbd to hold an election for local master and enters the local system with a slight advantage. With domain master set to YES, this parameter helps ensure that the local Samba server becomes the domain master. Setting this parameter to YES on more than one server causes the servers to compete to become master, generating a lot of network traffic and sometimes leading to unpredictable results. A Windows PDC (Primary Domain Controller) automatically acts as if this parameter is set.

Default: AUTO

Communication Parameters

dns proxy


When acting as a WINS server (page 1063), YES causes nmbd to use DNS if NetBIOS (page 1044) resolution fails.

Default: YES

Red Hat: NO

socket options


Tunes the network parameters used when exchanging data with a client. The Red Hat Linux setting is appropriate in most cases.

Default: TCP_NODELAY

Red Hat: TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

wins server


The IP address of the WINS server that nmbd should register with.

Default: not enabled

wins support


YES specifies that nmbd act as a WINS server.

Default: NO

Share Parameters

Each of the following parameters can appear many times in smb.conf, once in each share definition.

available


YES specifies the share as active. Set this parameter to NO to disable the share, but continue logging requests for it.

Default: YES

browseable


Determines whether the share can be browsed, for example, in Windows My Network Places.

Default: YES

Red Hat: NO

comment


A description of the share, shown when browsing the network from Windows.

Default: none

Red Hat: varies

guest ok


Allows a user who logs in as guest to access this share.

Default: NO

path


The path of the directory that is being shared.

Default: none

Red Hat: various

read only


Does not allow write access.

Default: YES
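The global and share settings this page identifies as risky can be checked mechanically. The following is an added example, not code from the book or from the Samba project: it parses smb.conf text and reports a guest-writable share, map to guest = Bad User, disabled password encryption, security = SHARE and a missing hosts allow list. The sample text and function names are constructed for illustration, and public is read as the synonym of guest ok that the fredsdir sample uses.

```python
# Constructed smb.conf text (not from a real server), using settings this page describes.
SAMPLE = """\
[global]
   map to guest = Bad User
   encrypt passwords = no
[tmp]
   path = /tmp
   writable = yes
   guest ok = yes
[homes]
   browseable = no
   writable = yes
"""

def parse_smb_conf(text):
    """Return {section: {parameter: value}}; names lowercased, comment lines dropped."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # both comment styles
            continue
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1].strip().lower(), {})
        elif section is not None and "=" in line:
            name, value = line.split("=", 1)
            section[" ".join(name.lower().split())] = value.strip()
    return conf

def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")

def audit(conf):
    """Return findings for the risky settings this page calls out (page defaults assumed)."""
    g, findings = conf.get("global", {}), []
    if g.get("map to guest", "never").lower() == "bad user":
        findings.append("global: map to guest = Bad User")
    if not is_yes(g.get("encrypt passwords", "yes")):
        findings.append("global: encrypt passwords is off")
    if g.get("security", "user").lower() == "share":
        findings.append("global: security = SHARE")
    if "hosts allow" not in g:
        findings.append("global: no hosts allow list")
    for name, share in conf.items():
        guest = is_yes(share.get("guest ok", share.get("public", "no")))
        writable = is_yes(share.get("writable", "no")) or not is_yes(share.get("read only", "yes"))
        if name != "global" and guest and writable:
            findings.append(f"{name}: guest can write to {share.get('path', '?')}")
    return findings
```

Run against the sample, audit reports the [tmp] share but not [homes], which is writable only for authenticated owners.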

The [homes] Share: Sharing Users' Home Directories

Frequently users want to share their Linux home directories with a Windows machine. To make this task easier, Samba provides the [homes] share. When you define this share, each user's home directory is shared with the specified parameters. In most cases, the following parameters are adequate:

    [homes]
        comment = Home Directories
        browseable = no
        writable = yes


These settings prevent users other than the owners from browsing home directories, while allowing logged-in owners full access.

SELinux


If the system is running SELinux with a targeted policy and you want to allow users to share their home directories as explained in this section, you must turn on the SELinux setting Allow Samba to share users home directories (listed under Samba), as displayed by system-config-securitylevel (page 402).




A Practical Guide to Red Hat Linux
A Practical Guide to Red Hat® Linux®: Fedora™ Core and Red Hat Enterprise Linux (3rd Edition)
ISBN: 0132280272
EAN: 2147483647
Year: 2006
Pages: 383
