Thursday, July 11, 2013

linux samba (file system sharing)

http://www.samba.org/samba/docs/using_samba/ch05.html

http://oreilly.com/openbook/samba/book/ch08_03.html  && for char set
http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html

<<Samba.Note>> font size 9 , bold



<< client >>
smbstatus

web : http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html


vi /etc/sysconfig/i18n  ## locale (LANG) setting for the character set
#LANG.....

rpm -qa | grep samba
service smb status
yum install -y samba  ## the RHEL/CentOS package is named samba; the service is smb
service smb stop ; service smb restart ; service smb start ; service nmb start

chkconfig --level 2345 smb on ; chkconfig --level 2345 nmb on ; chkconfig --list | grep smb

iptables -nL ; service iptables stop
iptables -I INPUT -p tcp -m multiport --dports 137,138,139,445 -j ACCEPT
service iptables save ; service iptables start

useradd UserName ; passwd UserName ; smbpasswd -a UserName
useradd -G users smb3
echo 1234 | passwd --stdin smb1

mkdir /Folder
chmod 2770 /Folder
chcon -t samba_share_t /Folder


## << smb.conf >> ##
/etc/samba/smb.conf
[global]
unix password sync  = yes                <== keep the Samba and Linux passwords in sync
      passwd program      = /usr/bin/passwd %u <== the password-changing command, invoked as root
      pam password change = yes                <== and support the PAM module


      security = share |  user | domain ## share: no password needed; user: accounts on the Samba server itself; domain: an external password server
      password server = IP  ## only when security = domain
      encrypt passwords = Yes
      passdb backend = DatabaseFormat  ## e.g. tdbsam; the default file is placed in /var/lib/samba/private/passwd.tdb

unix extensions = no  ## required when following symbolic links
workgroup = DomainName
wins support = yes
domain master = yes
domain logons = yes
      logon drive   = K:
      logon script  = startup.bat     <== program run automatically after each user logs on
      time server   = yes             <== Windows clients adjust their clock to match Samba
      admin users   = root            <== the administrator account; defaults to root
      logon path    = \\%N\%U\profile <== the user's personalised settings (profile)
      logon home    = \\%N\%U

    # testparm ## lists the parsed samba config


[ShareName]
comment = Network Logon Service
path = /SharePath
writable = no
read only = no ## when a setting is repeated, the last occurrence is the one that takes effect
writable = no
write list = root  ##  write list = user, @group
guest ok = yes
force create mode = 2770
force directory mode = 2770
browseable = no
follow symlinks = yes  ## for symbolic links
wide links = yes  ## for symbolic links
unix extensions = no

[billsdir]
valid users = bill, tackett, myuid
read only = yes
write list = bill, tackett, myuid


#smbpasswd -a root
#useradd -s /bin/false diskstation$

<< windows workStation >>
c:\>sysdm.cpl ->  computerName -> Change -> Network i.e. input DomainName > UserName >Password
c:\>ncpa.cpl -> Network > Property > General > TcpIP > Property > Advance > wins [Linux.ipNumber]
gpedit.msc: Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies  && allow running .bat and .exe
edit %SystemRoot%\System32\Drivers\Etc\lmhosts
10.0.0.1   PDCNAME #PRE #DOM:DOMAIN_NAME  && case sensitive
10.0.0.1   "DOMAIN_NAME    \0x1b"   #PRE  && case sensitive



===================================================================
smbpasswd
Run the "testparm" command after modifying smb.conf to check for basic syntax errors.
setsebool -P samba_domain_controller on
setsebool -P samba_enable_home_dirs on
Use the "ls -ldZ /path/to/directory" command to view the current SELinux label for a given directory.

 chcon -t samba_share_t /path/to/directory



setsebool -P samba_export_all_ro on ## to share such directories and allow read-only access
setsebool -P samba_export_all_rw on ## to share such directories and allow read and write access


# To run scripts (preexec/root prexec/print command/...), copy them to the
# /var/lib/samba/scripts/ directory so that SELinux will allow smbd to run them.
# Note that if you move the scripts to /var/lib/samba/scripts/, they retain
# their existing SELinux labels, which may be labels that SELinux does not allow
# smbd to run. Copying the scripts will result in the correct SELinux labels.
# Run the "restorecon -R -v /var/lib/samba/scripts" command as the root user to
# apply the correct SELinux labels to these files.

SETTING
unix extensions = no

workgroup = MYGROUP
server string = Samba Server Version %v

netbios name = MYSERVER

interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
hosts allow = 127. 192.168.12. 192.168.13.

# ----------------------- Standalone Server Options ------------------------
security = share | user ## i.e.
passdb backend = tdbsam | ldapsam

# ----------------------- Domain Members Options ------------------------


# ----------------------- Domain Controller Options ------------------------
#
# security = must be set to user for domain controllers.
#
# passdb backend = the backend used to store user information in. New
# installations should use either tdbsam or ldapsam. No additional configuration
# is required for tdbsam. The "smbpasswd" utility is available for backwards
# compatibility.
#
# domain master = specifies Samba to be the Domain Master Browser, allowing
# Samba to collate browse lists between subnets. Do not use the "domain master"
# option if you already have a Windows NT domain controller performing this task.
#
# domain logons = allows Samba to provide a network logon service for Windows
# workstations.
#
# logon script = specifies a script to run at login time on the client. These
# scripts must be provided in a share named NETLOGON.
#
# logon path = specifies (with a UNC path) where user profiles are stored.
#
#
;       security = user
;       passdb backend = tdbsam
;       domain master = yes
;       domain logons = yes
       # the following login script name is determined by the machine name
        # (%m):
;       logon script = %m.bat
        # the following login script name is determined by the UNIX user used:
;       logon script = %u.bat
;       logon path = \\%L\Profiles\%u
        # use an empty path to disable profile support:
;       logon path =
        # various scripts can be used on a domain controller or a stand-alone
        # machine to add or delete corresponding UNIX accounts:
;       add user script = /usr/sbin/useradd "%u" -n -g users
;       add group script = /usr/sbin/groupadd "%g"
;       add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
;       delete user script = /usr/sbin/userdel "%u"
;       delete user from group script = /usr/sbin/userdel "%u" "%g"
;       delete group script = /usr/sbin/groupdel "%g"

Samba is a daemon you can use on a Linux or BSD box to serve shared files to Windows systems. Samba is also significantly more robust than NFS and can be used

Samba is an Open Source/Free Software suite that provides seamless file and print services to SMB/CIFS clients. Samba is freely available, unlike other SMB/CIFS implementations, and allows for interoperability between Linux/Unix servers and Windows-based clients.

Samba is software that can be run on a platform other than Microsoft Windows, for example, UNIX, Linux, IBM System 390, OpenVMS, and other operating systems. Samba uses the TCP/IP protocol that is installed on the host server. When correctly configured, it allows that host to interact with a Microsoft Windows client or server as if it is a Windows file and print server.

The goal behind the project is one of removing barriers to interoperability. (Samba.org)



IMPORTANT: Make sure to also check out the Samba Optimization and Speed Tuning for Performance page. Samba, like any other program can always use a little speed boost.


Getting Started

In this exercise we are going to be setting up a very simple Samba server on an OpenBSD box. It will serve out data from two directories. The "archive" directory will be read only for items we want everyone to see but never change. The "incoming" directory will be read/write for all users, sort of a /tmp on a Windows share allowing users to make data available to others. The incoming directory will also be a place the Windows machines can put data that an admin can move to the archive section manually. This is a perfect solution for a home LAN or small corporate network.

Here is the smb.conf file. Before using the config file take a look at it below. You are welcome to cut/paste this smb.conf for your server.

#######################################################
###  Calomel.org  smb.conf  BEGIN
#######################################################

#============= Global Settings =======================#

[global]
   bind interfaces only = yes
   deadtime = 15
   default case = lower
   disable netbios = yes
   dns proxy = no
   domain master = yes
   encrypt passwords = true
   guest ok = yes
   guest only = yes
   hosts allow = 10.10.10.0/255.255.255.0 127.0.0.1
   hosts deny = all
   interfaces = em1
   invalid users = nobody root
   load printers = no
   max connections = 10
   netbios name = samba
   preferred master = yes
   preserve case = no
   printable = no
   security = share
   server string = Samba Share
   socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536 SO_SNDBUF=65536
   strict sync = no
   sync always = no
   syslog = 1
   syslog only = yes
   workgroup = WORKGROUP

#============ Share Definitions =======================#

[incoming]
        create mask = 0400
        directory mask = 0700
        path = /big_disk/incoming
        writeable = yes

[archive]
        path = /big_disk/archive
        writeable = no

#######################################################
###  Calomel.org  smb.conf   END
#######################################################
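Both the smb.conf notes near the top of this page and the calomel.org listing above lean on a few parsing rules: only whole-line `#`/`;` comments exist, a parameter repeated inside a section is settled by its last occurrence, `writable`/`writeable` are the inverse of `read only`, and `[global]` supplies defaults to every share. The following Python is an added example, not code from this blog, calomel.org or the Samba project. It parses a constructed sample written in the same style and flags the settings the page itself calls out as risky: `security = share`, a guest-writable share, `wide links = yes` together with `unix extensions = no`, and an inline `##` comment that Samba would pass through as part of the value. The defaults in `DEFAULTS` are assumed Samba 3 values.

```python
"""smb.conf parser plus a small audit of the settings discussed on this page.
Added example; the sample configuration below is constructed, not a real file."""
import re
from typing import Dict, List, Optional

SAMPLE_SMB_CONF = """\
[global]
   security = share
   guest ok = yes
   unix extensions = no
   hosts allow = 10.10.10.0/255.255.255.0 127.0.0.1
   hosts deny = all

[incoming]
   path = /big_disk/incoming
   writable = no
   read only = no
   write list = root
   browseable = no  ## hidden from browse lists
   wide links = yes
; guest only = yes
[archive]
   path = /big_disk/archive
   writeable = no
"""

# These spellings are one parameter with the opposite sense of `read only`.
WRITE_SYNONYMS = {"writable", "writeable", "writeok"}
# Assumed defaults for parameters a config does not set (Samba 3 values).
DEFAULTS = {"security": "user", "readonly": "yes", "guestok": "no",
            "widelinks": "no", "unixextensions": "yes"}


def parse_bool(value: str) -> Optional[bool]:
    """Samba booleans; None means Samba would reject the value as badly formed."""
    v = value.strip().lower()
    if v in ("yes", "true", "1"):
        return True
    if v in ("no", "false", "0"):
        return False
    return None


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {normalised_key: raw_value}}."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # whole-line comment; a '#' later in the line is NOT a comment
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = "".join(key.lower().split())   # names are case- and whitespace-insensitive
        value = value.strip()
        if key in WRITE_SYNONYMS:            # store as `read only`, with inverted value
            b = parse_bool(value)
            key = "readonly"
            if b is not None:
                value = "no" if b else "yes"
        sections[current][key] = value       # a repeated parameter: last occurrence wins
    return sections


def effective(conf: Dict[str, Dict[str, str]], section: str, key: str) -> str:
    """Share value, falling back to [global], then to the assumed default."""
    return conf.get(section, {}).get(
        key, conf.get("global", {}).get(key, DEFAULTS.get(key, "")))


def audit(conf: Dict[str, Dict[str, str]]) -> List[str]:
    findings = []
    if effective(conf, "global", "security").lower() == "share":
        findings.append("[global]: security = share is discouraged by the Samba developers; use security = user")
    for sec, params in conf.items():
        for key, value in params.items():
            if "#" in value or ";" in value:
                findings.append(f"[{sec}]: {key} = {value!r} looks like an inline comment, "
                                "but Samba passes the whole string as the value")
        if sec == "global":
            continue
        writable = parse_bool(effective(conf, sec, "readonly")) is False
        guest = parse_bool(effective(conf, sec, "guestok")) is True
        if guest and writable:
            findings.append(f"[{sec}]: guest-writable share (guest ok = yes, read only = no)")
        wide = parse_bool(effective(conf, sec, "widelinks")) is True
        unix_ext = parse_bool(effective(conf, sec, "unixextensions")) is not False
        if wide and not unix_ext:
            findings.append(f"[{sec}]: wide links = yes with unix extensions = no lets symlinks "
                            "inside the share resolve to paths outside it")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(finding)
```

Run it against a real file by reading `/etc/samba/smb.conf` into `parse_smb_conf`; for the sample it reports four findings, and the `[incoming]` share ends up writable because the later `read only = no` overrides the earlier `writable = no`. `testparm` remains the authoritative check, since it applies Samba's full parameter table rather than the handful of rules modelled here.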






Configuration options: step by step

bind interfaces only = yes says that samba will only bind to the default ip of an interface.

deadtime = 15 is the number of minutes after which samba will consider an idle connection with a windows machine to be dead.

default case = lower means all file and directory names will be forced into lower case format.

disable netbios = yes we do not need netbios broadcasts for the windows shares so we can disable it. Our clients will be told where the share is located. Clients that only support netbios won't be able to see your samba server when netbios support is disabled.

dns proxy = no is disabled. If enabled, this specifies that nmbd when acting as a WINS server and finding that a NetBIOS name has not been registered, should treat the NetBIOS name word-for-word as a DNS name and do a lookup with the DNS server for that name on behalf of the name-querying client.

domain master = yes this means the samba server will take over as the "domain master" no matter what the vote is from windows machines. On the test network the samba server is the only server so this is fine. Tell smbd(8) to enable WAN-wide browse list collation. Setting this option causes nmbd to claim a special domain specific NetBIOS name that identifies it as a domain master browser for its given workgroup. Local master browsers in the same workgroup on broadcast-isolated subnets will give this nmbd their local browse lists, and then ask smbd(8) for a complete copy of the browse list for the whole wide area network. Browser clients will then contact their local master browser, and will receive the domain-wide browse list, instead of just the list for their broadcast-isolated subnet.

encrypt passwords = true you will need to encrypt passwords to talk to Windows 2000/XP/Vista machines. This boolean controls whether encrypted passwords will be negotiated with the client. Note that Windows NT 4.0 SP3 and above and also Windows 98 will by default expect encrypted passwords unless a registry entry is changed. To use encrypted passwords in Samba see the chapter "User Database" in the Samba HOWTO Collection. MS Windows clients that expect Microsoft encrypted passwords and that do not have plain text password support enabled will be able to connect only to a Samba server that has encrypted password support enabled and for which the user accounts have a valid encrypted password. Refer to the smbpasswd command man page for information regarding the creation of encrypted passwords for user accounts. The use of plain text passwords is NOT advised as support for this feature is no longer maintained in Microsoft Windows products. If you want to use plain text passwords you must set this parameter to no.

guest ok = yes allows "guest" access on the samba share. This means users will _not_ have to log in.

guest only = yes all machines accessing the shares will be guests.

hosts allow = 10.10.10.0/255.255.255.0 127.0.0.1 allows the entire 10.10.10/24 network as well as localhost. (The listing as originally published used the mask 255.255.255.255, which Samba takes literally: it matches only the single address 10.10.10.0, not the /24.)

hosts deny = all denies any host not listed in "hosts allow".
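The `hosts allow` / `hosts deny` pair is easy to get subtly wrong, because Samba takes a net/mask pair literally and evaluates the two lists in a fixed order (a match in the allow list wins, then a match in the deny list denies, and anything else is allowed). The following Python is an added example, not calomel.org's or Samba's code, that models those rules for the address forms used on this page: `ALL`, a single address, a dotted prefix such as `192.168.12.`, and `net/mask` in dotted or CIDR form. Host names, the `EXCEPT` keyword and Samba's special handling of loopback are deliberately not modelled (an assumption of this example). It shows in particular that a mask of 255.255.255.255 admits the single address 10.10.10.0 rather than the /24.

```python
"""Model of Samba's `hosts allow` / `hosts deny` evaluation for the address
forms used on this page. Added example, not Samba's own code; host names,
EXCEPT and the loopback special case are not modelled (assumption)."""
import ipaddress
import re
from typing import List


def split_hosts(value: str) -> List[str]:
    """An smb.conf host list is separated by spaces, commas or tabs."""
    return [p for p in re.split(r"[,\s]+", value.strip()) if p]


def pattern_matches(pattern: str, addr: ipaddress.IPv4Address) -> bool:
    """One list entry: ALL, dotted prefix ('192.168.12.'), net/mask, or one address."""
    p = pattern.strip()
    if p.upper() == "ALL":
        return True
    if p.endswith("."):                              # prefix of the dotted address
        return str(addr).startswith(p)
    if "/" in p:                                     # 10.0.0.0/24 or 10.0.0.0/255.255.255.0
        return addr in ipaddress.ip_network(p, strict=False)
    return addr == ipaddress.ip_address(p)


def host_allowed(addr: str, allow: List[str], deny: List[str]) -> bool:
    """Documented precedence: neither list -> allow; allow only -> listed hosts only;
    deny only -> everyone not listed; both -> allow list wins, then deny list, then allow."""
    ip = ipaddress.ip_address(addr)
    in_allow = any(pattern_matches(p, ip) for p in allow)
    in_deny = any(pattern_matches(p, ip) for p in deny)
    if not allow and not deny:
        return True
    if allow and not deny:
        return in_allow
    if deny and not allow:
        return not in_deny
    if in_allow:
        return True
    return not in_deny


# Constructed check: the calomel mask versus the mask that actually covers the /24.
CALOMEL_ALLOW = split_hosts("10.10.10.0/255.255.255.255 127.0.0.1")
FIXED_ALLOW = split_hosts("10.10.10.0/255.255.255.0 127.0.0.1")
DENY_ALL = split_hosts("all")

if __name__ == "__main__":
    for client in ("10.10.10.0", "10.10.10.5", "10.10.11.5", "127.0.0.1"):
        print(client, "calomel:", host_allowed(client, CALOMEL_ALLOW, DENY_ALL),
              "fixed:", host_allowed(client, FIXED_ALLOW, DENY_ALL))
```

With the original mask a client at 10.10.10.5 is refused (it misses the allow list and `hosts deny = all` catches it), while with 255.255.255.0 the whole subnet is admitted and 10.10.11.5 is still refused. The stock `hosts allow = 127. 192.168.12. 192.168.13.` form from the RHEL sample higher up on this page is handled by the dotted-prefix branch.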

interfaces = em1 says that we want to bind to the interface em1. Note: if we also used "bind interfaces only" then samba will bind to the primary ip on the em1 interface.

invalid users = admin_user root No windows share should ever try to log in with the names "admin_user" or "root".

load printers = no in the example we do not have any printers, so we will disable this feature. By disabling printers the share will not show up to the clients and this reduces confusion.

max connections = 10 limits the amount of clients samba will allow access to, to no more than 10.

netbios name = samba is the part in parentheses that windows clients will see; together with the server string, the server appears as "Samba Share (samba)".

preferred master = yes says that the samba server will always win the vote for the master server on a windows network. This boolean parameter controls if nmbd(8) is a preferred master browser for its workgroup. If this is set to yes, on startup, nmbd will force an election, and it will have a slight advantage in winning the election. It is recommended that this parameter is used in conjunction with domain master = yes, so that nmbd can guarantee becoming a domain master. Use this option with caution, because if there are several hosts (whether Samba servers, Windows 95 or NT) that are preferred master browsers on the same subnet, they will each periodically and continuously attempt to become the local master browser. This will result in unnecessary broadcast traffic and reduced browsing capabilities.

preserve case = no goes with "default case = lower" and means samba will not keep the upper case characters.

printable = no goes with "load printers = no" as we do not have any printers on this server.

security = share is the security level of the windows shares. With share-level security, the server accepts only a password without an explicit username from the client. The server expects a password for each share, independent of the username. There have been recent reports that Microsoft Windows clients have compatibility issues with share-level security servers. Samba developers strongly discourage use of share-level security.

server string = Samba Share is the descriptive name windows clients will see; together with the netbios name, the server appears as "Samba Share (samba)".

socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536 SO_SNDBUF=65536 are specifically speed up options for samba to windows connectivity. Socket options are controls on the networking layer of the operating systems which allow the connection to be tuned. This option will typically be used to tune your Samba server for optimal performance for your local network. There is no way that Samba can know what the optimal parameters are for your net, so you must experiment and choose them yourself. We strongly suggest you read the appropriate documentation for your operating system first (perhaps man setsockopt will help). You may find that on some systems Samba will say "Unknown socket option" when you supply an option. This means you either incorrectly typed it or you need to add an include file to includes.h for your OS. Any of the supported socket options may be combined in any way you like, as long as your OS allows it.

strict sync = no and sync always = no are disabled to speed up samba. Strict syncing is normally used if you are paranoid about data loss in the transfer of files. We have never seen this problem in the real world.

syslog = 1 says we are going to log to the syslog facility.

syslog only = yes means that only the syslog facility will be receiving logs from samba.

workgroup = WORKGROUP This controls what workgroup your server will appear to be in when queried by clients. Note that this parameter also controls the Domain name used with the security = domain setting.



Share Definitions

incoming: The masks are the creating permissions for new files and directories. The directive "path" is the mount point samba will allow clients to see. "writeable = yes" means this mount point is read/write enabled.

archive: The directive "path" is the mount point samba will allow clients to see and "writeable = no" means this is a read only share.



Starting the install

Step 1: Install samba from package or from source. For the example we are using the package from OpenBSD which is Samba v3.01.

Step 2: Place the smb.conf file from above into the /etc/samba/ directory named smb.conf . You should backup the default smb.conf file the package places there for future reference if you want to.

Step 3: Set up the directories we are going to share files from. The two directories "archive" and "incoming" are under /big_disk in the example. The windows machines are going to access samba shares as the "nobody" user. Thus, all files and directories we want the windows share to access must be accessible by the user "nobody". For admin purposes we also are going to use the user "admin_user". The admin_user can do cleanup and move files from "incoming" to "archive" for read only access if needed.

archive: chmod 750 and chown admin_user:nobody
incoming: chmod 770 and chown admin_user:nobody
This is what our example structure would look like.

admin_user@machine: ls -la /big_disk/
drwxr-xr-x  11 root        wheel   512 Jan 10 10:20 .
drwxr-xr-x  16 root        wheel   512 Jan 10 10:20 ..
drwxr-x---   8 admin_user  nobody  512 Jan 10 10:20 archive
drwxrwx---   2 admin_user  nobody  512 Jan 10 10:20 incoming


Executing the daemon

To start samba now that it is installed and the smb.conf from above is in place we can use the following lines. Two daemons actually make up the samba service, smbd and nmbd. You can execute the following lines by hand to start samba now.

/usr/local/libexec/smbd /etc/samba/smb.conf
/usr/local/libexec/nmbd /etc/samba/smb.conf


To start samba at boot, place the following in your /etc/rc.local

# samba ( /etc/rc.local )
if [ -x /usr/local/libexec/smbd ]; then
   echo -n ' samba'
   /usr/local/libexec/smbd /etc/samba/smb.conf
   /usr/local/libexec/nmbd /etc/samba/smb.conf
fi


Re-read the smb.conf after making any changes

After you make any modifications to the smb.conf file you will need to notify the smbd and nmbd daemons of the changes. To do this, you can restart Samba by manually killing smbd/nmbd and starting them again or send a HUP to smbd/nmbd. The HUP will tell both daemons to reread the config file without actually having to restart. Either option will work.

## Option: manually kill and start on OpenBSD
 pkill smbd;pkill nmbd
 /usr/local/libexec/smbd /etc/samba/smb.conf
 /usr/local/libexec/nmbd /etc/samba/smb.conf

## Option: HUP on OpenBSD
 kill -HUP `cat /var/run/smbd.pid`
 kill -HUP `cat /var/run/nmbd.pid`


Mounting a smbfs/cifs network export

To mount the samba partition on a Linux or BSD box on the network you can use the following line. Place it in the /etc/fstab on the machine you want to mount from.

In this example we have two machines, samba_box which runs samba and another machine called BSD_box where we want to see the files from. This line will mount the directory /big_disk/archive from //samba_box to /dir_name on BSD_box. The mount will be read only and log in as guest. This works fine with the example smb.conf from above.

## /etc/fstab
## Samba mount (from BSD_box to samba_box)
//samba_box/big_disk/archive   /dir_name   cifs   ro,username=guest,password=guest 0 0


Questions?

How about optimizations and speed improvements for samba?

Make sure to check out the calomel.org Samba Optimization and Speed Tuning. Many of the speed options are already in the example, but if you add more functionality make sure to check what to watch out for. There are options you could add that will slow samba significantly.

How can I log what files are accessed, what is done with those files and by whom?

You need to use at least samba-2.2.7a and use the audit.so module. The samba source code has what you need. Check out the information in ~samba/examples/VFS/audit.c and in the README file in that directory.






