... this is a W.I.P. ... I will write more over the next days, hope this is ok :)
Comments, suggestions, etc. are welcome!
This tutorial shows you how to configure Samba 3.0.x on Slackware 12.x.
The result should be as simple and as secure as possible in a heterogeneous network of Windows systems (one workstation with admin access, guest accounts for everyone else, e.g. your friends), a media streaming client (e.g. an Xbox) and Linux / *nix hosts (Solaris, Mac OS X).
I wanted to have all necessary parameters for home usage in my smb.conf so I can easily change them and have a mostly secure and stable system. Printing is disabled by default in my config, since I have no need to attach my printer to the server (the printer has its own print server: HP P2015). Also I really have no clue how to use a printer with Linux. If someone wants to write something on printing then feel free to do so...
Upgrade / Build Samba
If you are here you probably already know what Samba is good for and how it works. Normally Samba is already installed on your system and ready for action, and it does not need to be upgraded.
All upgrades to Samba should be done via the patches directory on your favourite mirror. You should NEVER mix -current packages with a non "-current" Slackware.
Hey! Wanna build Samba? Get the source, get the SlackBuild, make a package and install it!
I used the latest build from the 3.0.x branch since this is what ships with Slackware 12.x.
You can also try building Samba 3.2.x. If you want an optimized build with better performance that suits your system, consider installing GCC > 4.2.4, since it supports better optimization options: -march=native (specifying -march=native implies -mtune=native) enables all instruction subsets supported by the local machine, so the result might not run on a different machine. Samba 3.2.x also has better overall performance. Only do this if you know what you are doing!
- Get the source and the SlackBuild, edit the SlackBuild and build the package. Check the downloaded tarball against the signature published on samba.org before building it. Note that wget -r keeps the remote directory layout unless you add --cut-dirs, so copy the contents of the downloaded SlackBuild directory next to the tarball before running it.
(lines marked with > show the original line in samba.SlackBuild, lines marked with >> the edited version)
$ mkdir /tmp/samba
$ cd /tmp/samba
$ wget http://us3.samba.org/samba/ftp/stable/samba-3.0.31.tar.gz
...
$ wget -r -nH ftp://slackware.osuosl.org/pub/slackware/slackware-current/source/n/samba
$ jed samba.SlackBuild
 > VERSION=3.0.30
 >> VERSION=3.0.31
 > tar xjvf $CWD/samba-$VERSION.tar.bz2
 >> tar xfvz $CWD/samba-$VERSION.tar.gz
$ chmod +x samba.SlackBuild
$ ./samba.SlackBuild
$ upgradepkg /tmp/samba-3.0.31-i486-1.tgz
There are a few requirements I had for this config.
- Guest access from Windows without the need for a password
- Guests are only allowed to read and have no home directory (e.g. /home/guest)
- Guests are only allowed to put new files in one given directory
- Make everything as secure as it can get with this config
- Users on the system have access to their home directory
- No printing at all
- Disable NetBIOS, we only have Windows XP or higher / *nix
- Maybe more?
This is my own smb.conf as I use it on my system.
The config file itself should be self-explanatory.
smb.conf with comments
#smb.conf - v1.1
#
# Samba-3.0.30 - Slackware 12.x
# e.v.o ( e.v.o [A-T] gmx.net )
#
# ; COMMENT
# #PARAMETER ( name = default value )
# Normally every parameter should have its default value.
# If the parameter is commented out then it is the default value,
# otherwise you should have a look at "man smb.conf"
#
# This config is based on the smb.conf manual page
# and "Using Samba, 3rd Edition" from O'Reilly
#
# VARIABLE SUBSTITUTIONS
; %U  session username
; %G  primary group name of %U
; %h  the Internet hostname that Samba is running on
; %m  the NetBIOS name of the client machine (very useful)
; %L  the NetBIOS name of the server
; %M  the Internet name of the client machine
; %R  the selected protocol level after protocol negotiation
; %d  the process id of the current server process
; %a  the architecture of the remote machine
; %I  the IP address of the client machine
; %i  the local IP address to which a client connected
; %T  the current date and time
; %D  name of the domain or workgroup of the current user
; %w  the winbind separator
; %v  Samba version number
;
; The following substitutes apply only to some configuration options
; Only those that are used when a connection has been established
;
; %S  the name of the current service, if any
; %P  the root directory of the current service, if any
; %u  username of the current service, if any
; %g  primary group name of %u
; %H  the home directory of the user given by %u
; %N  the name of your NIS home directory server
; %p  the path of the service's home directory

[global]
; Parameters in this section apply to the server as a whole
;
; ### USERSHARES ###        # Capability for non-root users to
; ====================      # add/modify/delete own share definitions
;
; Controls if usershares can permit guest access
#usershare allow guests =
; Maximum number of user defined shares allowed
#usershare max shares =
; If set only directories owned by the sharing user can be shared
#usershare owner only =
; Directory containing the user defined share definitions
#usershare path =
; Comma-separated list restricting what directories can be shared
#usershare prefix allow list =
; Comma-separated list restricting what directories can be shared
#usershare prefix deny list =
; Pre-existing share used as a template for creating new usershares
#usershare template share =
;
; ### NAME MANGLING ###     # By default, Samba has the same
; =======================   # semantics as a Windows NT server
;
; Filenames are case sensitive
#case sensitive = auto
; Default case for new filenames
#default case = lower
; New files are created with the case that the client passes
#preserve case = yes
; New files which conform to 8.3 syntax are created upper case
#short preserve case = yes
;
; ### PRINTING ###
; ==================
;
; All printers in the printcap will be loaded for browsing by default
load printers = no
; Only applicable if printing is set to cups.
#cups server = ""
; Show the "Add Printer Wizard" Dialog
show add printer wizard = no
; Yes = open, write to and submit spool files on the specified directory
printable = no
;
; ===============================
; # - S E T T I N G S - #
; ===============================
;
; \-= USER SCRIPTS =-/      # These scripts are used on a PDC or stand-alone
; ====================      # machine to add or delete corresponding unix accounts
; Script that will be run when a new group is requested
#add group script = /usr/sbin/groupadd %g
; Script that will be run when a machine is added to Samba's domain
#add machine script = /usr/sbin/adduser -s /bin/false -d /dev/null %u -n -g machines -c Machine
; Script which will add a new service definition to smb.conf
#add share command =
; Script which will add a new user
#add user script = /usr/sbin/useradd -m %u
; Script that will be called when a user is added to a group
#add user to group script = /usr/sbin/usermod -G %g %u
; Script which will modify an existing service definition in smb.conf
#change share command =
; Script when a group is requested to be deleted
#delete group script = /usr/sbin/groupdel %g
; Script when a user is removed from a group using the Windows NT domain administration tools
#delete user from group script = /usr/sbin/deluser %u %g
; Script that will be run when managing users with remote RPC (NT) tools
#delete user script = /usr/sbin/userdel -r %u
; Script that will be run under special circumstances
#rename user script = no
; This script sets the primary group in the unix user database when an administrator sets the
; primary group from the windows user manager or when fetching a SAM with net rpc vampire
#set primary group script = /usr/sbin/usermod -g '%g' '%u'
; Program that can be used to set UNIX user passwords
#passwd program = /usr/bin/passwd %u
; Controls the "chat" conversation between smbd and the local password changing program
#passwd chat = "*New password:*" %n\r "*New password (again):*" %n\r \
#              "*Password changed*"
;
; \-= PERMISSION MASKS =-/
; ========================
#inherit owner = no
#inherit permissions = no
#directory mask = 0755
#directory security mask = 0777
#force create mode = 000
#force directory mode = 000
#force directory security mode = 0
#force security mode = 0
#security mask = 0777
;
; \-= USER PARAMETER =-/
; ======================
; List of users who will be granted administrative privileges on the share
admin users = evo
; This is a list of users that should be allowed to login to this service
valid users = evo guest
; This is a list of users that should not be allowed to login to this service
invalid users = root nobody ftp adm apache bin daemon games gdm haldaemon halt lp mail messagebus mysql news operator pop rpc shutdown smmsp sshd sync uucp
; This is a list of users that are given read-only access to a service
read list = evo guest
; This is a list of users that are given read-write access to a service
write list = evo
;
; -= Guest Settings =-
; Username which will be used for access to services which are specified as guest ok
guest account = guest
; Yes for a service, then no password is required to connect to the service
guest ok = no
; Yes for a service, then only guest connections to the service are permitted
guest only = no
;
; -= Forced User/Group Settings =-
; UNIX user name that will be assigned as the default user for all users
;force user = guest
; UNIX group name that will be assigned as the default primary group for all users
force group = users
;
; -= Map Settings =-
; Specify a file containing a mapping of usernames from the clients to the server
#username map =
;
#map acl inherit = no
#map archive = yes
#map hidden =
#map read only = yes
#map system = no
map to guest = Bad User
;
; \-= SHARE PARAMETER =-/
; =======================
; Lets you "turn off" a service. If available = no, then ALL attempts to connect to the service will fail
available = yes
; Controls whether this share is seen in the list of available shares in a net view and in the browse list
browseable = yes
; Allow or disallow client access to accounts that have null passwords
#null password = no
; If this parameter is yes, then users of a service may not create or modify files in the service's directory
read only = yes
; Setting this parameter to no prevents any file or directory that is a symbolic link from being followed
follow symlinks = no
; This parameter controls whether or not links in the UNIX file system may be followed by the server
wide links = no
; This parameter specifies the name of a service which will be connected to if the service actually requested cannot be found
#default service =
; This parameter allows you to specify a comma-delimited list of directories that the server should always show as empty
dont descend = /bin,/boot,/dev,/etc,/lib,/opt,/proc,/sbin,/srv,/sys,/tmp,/usr,/var
;
; -= Hide Files =-
; This is a boolean parameter that controls whether files starting with a dot appear as hidden files
#hide dot files = yes
; This is a list of files or directories that are not visible but are accessible
#hide files =
; This parameter prevents clients from seeing special files such as sockets, devices and fifo's in directory listings
#hide special files = no
; This parameter prevents clients from seeing the existence of files that cannot be read
#hide unreadable = no
; This parameter prevents clients from seeing the existence of files that cannot be written to
#hide unwriteable files = no
;
; \-= WINDOWS PARAMETER =-/
; =========================
; Specifies the charset that samba will use to print messages to stdout and stderr
#display charset = "LOCALE" or "ASCII" (depending on the system)
; This option specifies which charset Samba should talk to DOS clients
#dos charset =      # No default
; Enabling this parameter allows a user who has write access to the file (by whatever means) to modify the permissions
#dos filemode = no
;
; \-= NETWORK/CONNECTION PARAMETER =-/
; ====================================
; This controls what workgroup your server will appear to be in when queried by clients
workgroup = KlingKlang
; This controls what string will show up in the printer comment box in print manager and next to the IPC connection in net view
server string = FileDealer
; This sets the NetBIOS name by which a Samba server is known
netbios name = FileDealer
#netbios aliases =
;
; -= Interface Settings =-
; This parameter is a comma, space, or tab delimited set of hosts which are permitted to access a service
hosts allow = 127.0.0.1 192.168.
hosts deny = ALL
;
; -= Connection Options =-
; Represents the number of minutes of inactivity before a connection is considered dead and disconnected
#deadtime = 0
; The value of the parameter (an integer) represents the number of seconds between keepalive packets
#keepalive = 300
; This option allows the number of simultaneous connections to a service
#max connections = 0
; This option allows you to set socket options to be used when talking with the client
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536 SO_SNDBUF=65536
;
; \-= OTHER PARAMETER =-/
; =======================
security = user
; Enabling this parameter will disable netbios support in Samba
disable netbios = yes
; Do a lookup with the DNS server
dns proxy = no
;
; -= SMBpasswd Settings =-
; This option allows the administrator to chose which backend will be used for storing user and possibly group information
#passdb backend = smbpasswd:/etc/samba/private/smbpasswd
; This option sets the path to the encrypted smbpasswd file
#smb passwd file = /etc/samba/private/smbpasswd
;
; -= Directory Settings =-
; This option specifies the directory where lock files will be placed
#lock directory = /var/lock
; This parameter defines the directory smbd will use for storing such files as smbpasswd and secrets.tdb
#private dir = /etc/samba/private
;
; -= Logging Settings =-
; This option allows you to override the name of the Samba log file
log file = /var/log/samba/samba.%m
; This option (an integer in kilobytes) specifies the max size the log file should grow to
max log size = 5000
; Parameter maps how Samba debug messages are logged onto the system
#syslog = 1
; Parameter is set then Samba debug messages are logged into the system syslog only
#syslog only = no
; Using the following line enables you to customise your configuration on a per machine
; basis. The %m gets replaced with the netbios name of the machine that is connecting.
; Note: Consider carefully the location in the configuration file of
; this line. The included file is read at that point.
#include = /etc/samba/smb.conf.%m
;
; ===========================
; # - S H A R E S - #
; ===========================
[homes]
comment = Eigene Dateien
guest ok = yes
read only = no
browseable = no

[printers]
comment = Drucker
path = /var/spool/samba
browseable = no
available = no
guest ok = no
printable = yes

[BitHalde]
comment = 3TB
path = /mnt/raid
guest ok = yes
read only = yes
smb.conf without comments
[global]
workgroup = KLINGKLANG
server string = FileDealer
map to guest = Bad User
guest account = guest
log file = /var/log/samba/samba.%m
disable netbios = Yes
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536 SO_SNDBUF=65536
load printers = No
show add printer wizard = No
dns proxy = No
invalid users = root, nobody, ftp, adm, apache, bin, daemon, games, gdm, haldaemon, halt, lp, mail, messagebus, mysql, news, operator, pop, rpc, shutdown, smmsp, sshd, sync, uucp
valid users = evo, guest
admin users = evo
read list = evo, guest
write list = evo
force group = users
hosts allow = 127.0.0.1, 192.168.
hosts deny = ALL
wide links = No
follow symlinks = No
dont descend = /bin,/boot,/dev,/etc,/lib,/opt,/proc,/sbin,/srv,/sys,/tmp,/usr,/var

[homes]
comment = Eigene Dateien
read only = No
guest ok = Yes
browseable = No

[printers]
comment = Drucker
path = /var/spool/samba
printable = Yes
browseable = No
available = No

[BitHalde]
comment = 3TB
path = /mnt/raid
guest ok = Yes
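As an added example (not part of this tutorial or of Samba itself), here is a small Python checker that parses an smb.conf the way testparm reads it (case-insensitive names, ';' and '#' comments, share settings overriding [global]) and verifies the requirements listed above: guest shares must be read-only, hosts deny = ALL, NetBIOS off, no symlink following. The embedded config is a constructed copy of the uncommented smb.conf, and the defaults assumed for unset parameters are marked in the comments.

```python
import re
# Constructed sample: the tutorial's smb.conf without comments, trimmed to
# the parameters the checks below look at.
SMB_CONF = """
[global]
map to guest = Bad User
disable netbios = Yes
hosts allow = 127.0.0.1, 192.168.
hosts deny = ALL
wide links = No
follow symlinks = No
[homes]
read only = No
guest ok = Yes
[BitHalde]
guest ok = Yes
read only = Yes
"""

def parse_smb_conf(text):
    """Return {section: {parameter: value}}; names lowercased, comments dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).lower()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections

def yes(value, default):
    # Samba boolean; 'default' applies when the parameter is not set at all
    return default if value is None else value.lower() in ("yes", "true", "1")

def audit(conf):
    """Check a parsed config against the tutorial's requirements."""
    findings, g = [], conf.get("global", {})
    if g.get("hosts deny", "").upper() != "ALL":
        findings.append("global: hosts deny is not ALL")
    if not yes(g.get("disable netbios"), False):   # assumed default: NetBIOS on
        findings.append("global: NetBIOS is still enabled")
    for name, share in ((n, s) for n, s in conf.items() if n != "global"):
        # Effective value: share-level setting, else [global], else assumed default
        eff = lambda key, default: yes(share.get(key, g.get(key)), default)
        if eff("guest ok", False) and not eff("read only", True):
            findings.append(f"[{name}]: guest ok and writable")
        # follow symlinks / wide links are assumed to default to yes in Samba 3.0
        if eff("follow symlinks", True) or eff("wide links", True):
            findings.append(f"[{name}]: symlink following is enabled")
    return findings
```

Run over the sample it reports only [homes], which is guest ok and writable at the same time; that is worth comparing with the requirement that guests only read and have no home directory.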
In this section we will look at how to use, start and restart Samba.
Testing and Troubleshooting
In this section we will look at how to test the configuration and what to do if we run into problems.
testparm — check an smb.conf configuration file for internal correctness
- If you're done with the setup of your smb.conf you should run testparm. Do this by simply typing it ;)
$ testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
NOTE: Service printers is flagged unavailable.
Processing section "[BitHalde]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions
- Normally this is what the output should look like. By pressing enter you will get a list of all parameters used in smb.conf.
- If you want a complete list of all options and how they are set (defaults included):
$ testparm -v
smbclient — ftp-like client to access SMB/CIFS resources on servers
- Connect as guest and list all shares
$ smbclient -L localhost -N
Domain=[FILEDEALER] OS=[Unix] Server=[Samba 3.0.30]

        Sharename       Type      Comment
        ---------       ----      -------
        BitHalde        Disk      3TB
        IPC$            IPC       IPC Service (FileDealer)
Domain=[FILEDEALER] OS=[Unix] Server=[Samba 3.0.30]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        KLINGKLANG           FILEDEALER
-L host This option allows you to look at what services are available on a server.
-N Suppresses the normal password prompt. Useful when accessing a service that does not require a password.
- Connect with a specified username and list all shares
$ smbclient -L localhost -U evo
Password:
Domain=[FILEDEALER] OS=[Unix] Server=[Samba 3.0.30]

        Sharename       Type      Comment
        ---------       ----      -------
        BitHalde        Disk      3TB
        IPC$            IPC       IPC Service (FileDealer)
        evo             Disk      Eigene Dateien
Domain=[FILEDEALER] OS=[Unix] Server=[Samba 3.0.30]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        KLINGKLANG           FILEDEALER
-U Sets the SMB username or username and password.
- add all users (cat /etc/passwd | cut -d':' -f1 | sort)
- complete the user scripts
- fix the masks + uploads by guest/evo are owned by root? why is that?
- what about umlauts?
- --> how to start? rc.samba
- add the test methods from the Samba book