Creating Global Samba Settings in SWAT

A group of global settings affects how file and print sharing are generally accomplished on a Samba server. These settings appear under the [global] heading in the /etc/samba/smb.conf file. To view and edit global variables, click the GLOBALS button on the SWAT window.

Seven types of options are available: base, security, logging, tuning, printing, browse, and WINS.

Each option relates to the exact parameters used in the /etc/samba/smb.conf file. You can refer to the smb.conf man page (type man smb.conf) to get more information on these parameters.

Base Options

The following options relate to basic information associated with your Samba server:

■ Workgroup — The name of the workgroup associated with the group of SMB hosts. By default, the value for this field is WORKGROUP.

■ Realm — If you are using Kerberos authentication, this value indicates the Kerberos realm to use. Typically, that is reflected by the hostname of the server providing the service.

■ NetBIOS name — The name assigned to this Samba server. You can use the same name as your DNS hostname or make it blank, in which case the DNS hostname is used automatically. Your DNS hostname is filled in for you by default.

■ NetBIOS alias — Enables you to set a way of referring to a host computer (an alias) that is different from the host's TCP/IP DNS name.

■ Server string — A string of text identifying the server. This name appears in places such as the printer comment box. By default, it says Samba and the version number.

■ Interfaces — Enables you to set up more than one network interface and let Samba browse several different subnetworks. The form of this field can be IP Address/Subnetwork Mask. Or, you could identify a network interface (such as eth0 for the first Ethernet card on your computer). For example, a Class C network address may appear as:

Security Options

Of the security options, the first (Security) is the most important one to get right. It defines the type of security used to give client computers access to the shared file systems and printers. (To see some of the fields described here, you need to click the Advanced view.)

■ Security — Sets how password and user information is transferred to the Samba server from the client computer. As noted earlier, it's important to get this value right. Samba versions 2.0 and later have a different default value for security (security = user) than the earlier versions of Samba do (security = share). If you are coming from an earlier version of Samba and clients are failing to access your server, this setting is a good place to start. Here are your options:

user — The most common type of security used to share files and printers among Windows 95/98/2000/NT/XP clients. It is the default set with Samba in the current release. This setting is appropriate if users are doing a lot of file sharing (as opposed to a Samba server used mostly as a print server). It requires that a user provide a username/password before using the server. The easiest way to get this method working is to give a Linux user account to every client user who will use the Samba server, therefore providing basically the same file permissions to a user account through Samba as the same user would get if he or she were logged in directly to Linux.

share — The share value for security works best for just print sharing or for providing file access that is more public (guest sharing). A client doesn't need to provide a valid username and password to access the server. However, the user typically has a guest level of permission to access and change files. See the sidebar "Assigning Guest Accounts" in this chapter for further information.

server — From the client's point of view, this is the same as user security in that the client still has to provide a valid username/password combination to use the Samba server at all. The difference is on the server side. With server security, the username/password is sent to another SMB server for validation. If that fails, Samba tries to validate the client using user security.

domain — From the client's point of view, this is the same as user security. This setting is used only if the Samba server has been added to a Windows NT domain (using the smbpasswd command). When a client tries to connect to the Samba server in this mode, its username and password are sent to a Windows NT Primary or Backup Domain Controller. This is accomplished the same way that a Windows NT server would perform validation. Valid Linux user accounts must still be set up.

■ Encrypt passwords — Controls whether encrypted passwords can be negotiated with the client. This is on (Yes) by default. For domain security, this value must be Yes. Later versions of Windows NT (4.0 SP3 or later) and Windows 98 and Windows 2000 expect encrypted passwords to be on.

■ Update encrypted — Allows users who log in with a plain-text password to automatically have their passwords updated to encrypted passwords when they log in. Normally, this option is off. Turn it on when you want an installation using plain-text passwords to have everyone updated to encrypted password authentication. It saves users the trouble of running the smbpasswd command directly from the server. After everyone is updated, this feature can be turned off. When this option is on, the Encrypt passwords option should be set to No.

■ Obey PAM restrictions — Turn this on (Yes) if you want to use PAM for account and session management. Even if activated, PAM is not used if the encrypted passwords feature is turned on (encrypt passwords = yes). (PAM stands for Pluggable Authentication Modules and is used for authenticating host computers and users.)

■ PAM password change — Tells Samba to use the PAM password change control flag. If this is on (Yes), SMB clients will use PAM instead of the program listed in the Passwd program value for changing SMB passwords.

■ Passwd program — Indicates which password program to use to change Linux user passwords. By default, /usr/bin/passwd is used, with the current username (%u) inserted.

■ Passwd chat — Sets the chat that goes on between the Samba daemon (smbd) and the Linux password program (/usr/bin/passwd by default) when smbd tries to synchronize SMB passwords with Linux user passwords.

■ UNIX password sync — With this on (Yes), Samba tries to update a user's Linux user password with his or her SMB password when the SMB password is changed. To do this, SMB runs the passwd command as the root user. This is on by default.

■ Guest account — Specifies the username for the guest account. When a service is specified as Guest OK, the name entered here is used to access that service. The account is usually the nobody username.

Make sure that the guest account is a valid user. (The default of nobody should already be set up to work.) With an invalid user as the guest account, the IPC$ connection that lists the shared resources fails.

■ Username map — Identifies the file that contains a mapping of client usernames to the Samba server. By default, this file is /etc/samba/smbusers.

■ Hosts allow — Contains a list of one or more hosts that are allowed to use your computer's Samba services. By default, users from any computer can connect to the Samba server (of course, they still have to provide valid usernames and passwords). Generally, you use this option to allow connections from specific computers (such as or computer networks (such as 10.0.0.) that are excluded by the Hosts deny option.

■ Hosts deny — Contains a list of one or more hosts from which users are not allowed to use your computer's Samba services. You can make this option fairly restrictive, and then add the specific hosts and networks you want to use the Samba server. By default, no hosts are denied.

Logging Options

The following options help define how logging is done on your Samba server:

■ Log level — Sets the debug level used when logging Samba activity. Raise the level from the default (0) to log more Samba activity.

■ Log file — Defines the location of the Samba smb log file. By default, Samba log files are contained in /var/log/samba (with filenames log.nmbd, log.smbd, and smb.log). In this option, the %m is replaced by smb to set the smb log file as /var/log/samba/smb.log.

■ Max log size — Sets the maximum amount of space, in kilobytes, that the log files can consume. By default, the value is set to 0 (no limit).
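
A small audit of the [global] security and logging options described above, added here as an example (it is not code from the original text or from the Samba project). The sample smb.conf is constructed, the function names are hypothetical, and absent parameters are given the defaults this page states.

```python
import re

# Constructed sample configuration (not from a real server).
SAMPLE_SMB_CONF = """\
[global]
    security = share
    encrypt passwords = no
    max log size = 0

[public]
    guest ok = yes
"""

def parse_global(text):
    """Return [global] parameters as {lowercased name: value}."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[" ".join(name.lower().split())] = value.strip()
    return params

def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")

def audit_global(text):
    """Flag weak [global] settings; absent ones use the page's defaults."""
    g = parse_global(text)
    findings = []
    if g.get("security", "user").lower() == "share":
        findings.append("security = share: no valid username/password required")
    if not is_yes(g.get("encrypt passwords", "yes")):
        findings.append("encrypt passwords = no: encrypted passwords not negotiated")
    if is_yes(g.get("update encrypted", "no")):
        findings.append("update encrypted = yes: turn off once everyone is updated")
    if "hosts allow" not in g and "hosts deny" not in g:
        findings.append("no hosts allow/hosts deny: any computer can connect")
    if g.get("max log size") == "0":
        findings.append("max log size = 0: no limit on log file size")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_global(SAMPLE_SMB_CONF)))
```

Parameter synonyms that Samba accepts are not resolved here; only the names used on this page are checked.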
