Setting Global Samba Options

Samba's main configuration file is called smb.conf, and it's stored in the /etc/samba directory on all major Linux distributions. Some older or obscure distributions may store this file in another directory, such as /etc/samba.d or /etc/smb. The smb.conf file is broken down into sections, each of which is led by a name in square brackets, such as [global] or [home]. Subsequent lines, up until the next section name, belong to the specified section. Three types of section exist:

The Global Section: The first section in most smb.conf files is the [global] section. This section defines global defaults and sets options that affect the overall performance of the server, such as its NetBIOS name.

File Shares: Samba's equivalent to an NFS export is known as a share. File shares enable Samba to deliver files to clients and to accept files from clients.

Printer Shares: Printer shares are very similar to file shares in many respects, but Samba sends the files that a printer share accepts into Linux's local print queue, so they end up being printed.

Within each section, options are assigned using lines of the following form:

option = value

Options and most values are case-insensitive. (Some values are Linux pathnames or other inherently case-sensitive strings, though.) Boolean values of 1, True, and Yes are equivalent, as are 0, False, and No. Hash marks (#) and semicolons (;) are both comment characters; lines beginning with these characters are ignored.

The [global] section is particularly important to Samba's functioning. In fact, your Samba server probably won't be useable by your Windows clients until you've made one or two changes to this section. Table 24.4 summarizes some of the features you might want to change in this section. As with similar tables throughout this chapter, Table 24.4 is far from complete. You may need to consult the Samba documentation or a book on the server to learn about additional options if you have problems.

Table 24.4: Common Global Samba Options

| Option | Value | Meaning |
| --- | --- | --- |
| workgroup | String | NetBIOS workgroup or NetBIOS domain name. Often, but not always, related to the network's TCP/IP domain name. |
| netbios name | String | Computer's NetBIOS name. Often, but not always, the same as the computer's TCP/IP hostname without the domain portion. This is also the default value. |
| printing | String | Name of the printing system, such as LPRng or CUPS. Samba adjusts its printing command to suit the printing system. |
| printcap name | Filename | Name of the /etc/printcap file or a stand-in for it. This option is necessary for the [printers] share to operate correctly. |
| load printers | Boolean | Whether or not to load printers defined in the /etc/printcap file or its equivalent when a [printers] share is present. The default value is Yes. |
| hosts allow and hosts deny | Hostnames or IP addresses | Host-based access controls, similar to those provided by TCP Wrappers or xinetd. |
| security | user, share, server, or domain | Specifies how Samba authenticates local users—by using usernames and passwords (user), by mimicking the method used by Windows 9x/Me (share) on a share-by-share basis, by sending an authentication request to another computer (server), or by deferring to a domain controller (domain). |
| encrypt passwords | Boolean | Specifies whether or not to require encrypted passwords. |
| smb passwd file | Filename | Encrypted password file. |

Two of the options in Table 24.4 are very important for most systems. The first of these options is workgroup. SMB/CIFS networks are built atop NetBIOS workgroups or domains. If your Samba server's workgroup name isn't set correctly, your Windows clients won't be able to find it—at least, not easily. If you don't know what your workgroup name is, try typing the following command (note the trailing dash in the command):

    querying _MSBROWSE_ on 192.168.1.255
    Looking up status of 192.168.1.1
        SPEAKER        <00> -         M <ACTIVE>
        SPEAKER        <03> -         M <ACTIVE>
        SPEAKER        <20> -         M <ACTIVE>
        .._MSBROWSE_.  <01> - <GROUP> M <ACTIVE>
        RINGWORLD      <00> - <GROUP> M <ACTIVE>
        RINGWORLD      <1b> -         M <ACTIVE>
        RINGWORLD      <1c> - <GROUP> M <ACTIVE>
        RINGWORLD      <1d> -         M <ACTIVE>
        RINGWORLD      <1e> - <GROUP> M <ACTIVE>

The output includes information on both the master browser computer (which manages lists of computers for browsing with tools such as LinNeighborhood, as shown in Figure 24.3) and on the workgroup. In this case, SPEAKER is the master browser for the RINGWORLD workgroup. Compare this information to the information in Figure 24.3; it also shows the SPEAKER computer and the RINGWORLD workgroup.

The second option you'll most likely have to adjust is the encrypt passwords option. All versions of Windows since Windows 95 OEM Service Release 2 (OSR2) and Windows NT 4.0 Service Pack 3 use encrypted passwords by default. If encrypt passwords is set to No, Samba uses the Linux username and password database. In this case, recent Windows clients won't connect to Samba unless the Samba or Windows client configuration is changed. When encrypt passwords is set to Yes, Samba requires its own password database, which is independent of the standard Linux password database. In this case, recent Windows clients will connect to the Samba server. In practice, it's usually easiest and safest to use encrypted passwords. To do so, follow these steps:

1. If necessary, set encrypt passwords to Yes.

2. As root, type smbpasswd -a username at a command prompt, where username is a username for a user who should have access to the Samba server. The program will prompt for a new password, and then it will prompt you to type it again. The first time you issue this command, it will complain that the passdb database doesn't exist. You can ignore this complaint.

3. Repeat Step 2 for all the users who should have Samba access.

If you have many users, the process of adding them all to Samba's encrypted password database can be tedious, but it's necessary. Many distributions include a script called mksmbpasswd.sh that can create a Samba password file from a Linux /etc/passwd file. Unfortunately, Linux and Samba use different methods of encrypting passwords, so it's not possible to convert actual passwords. The resulting Samba password file includes usernames but no passwords. As a result, mksmbpasswd.sh saves little or no effort. If you can run with unencrypted passwords for a time, though, you could use this script and use the update encrypted = Yes option. Samba will then add passwords to its encrypted database as users log on using unencrypted passwords. (You must run with encrypt passwords = Yes for this process to work.) This practice might be useful if you were migrating a network from unencrypted to encrypted passwords, but for most existing installations, it's not an option.
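The syntax rules and [global] options described above can be checked mechanically before a server goes live. The following is an added example, not code from Samba or from this chapter: a small reader for the smb.conf syntax as described here, plus an audit of [global] against a hypothetical local policy (the function names, the policy itself, and the sample file are assumptions).

```python
# Added example: minimal smb.conf reader following the syntax rules on this page.
TRUE_WORDS = {"1", "true", "yes"}
FALSE_WORDS = {"0", "false", "no"}

def parse_smb_conf(text):
    """Return {section: {option: value}} with section and option names lowercased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            # Option names are case-insensitive; values keep case (may be paths).
            current[" ".join(name.lower().split())] = value.strip()
    return sections

def as_bool(value):
    """Map the Boolean spellings listed on this page to True/False."""
    word = value.strip().lower()
    if word not in TRUE_WORDS | FALSE_WORDS:
        raise ValueError(f"not a Boolean value: {value!r}")
    return word in TRUE_WORDS

def audit_global(sections):
    """Return findings for the [global] section (hypothetical local policy)."""
    g = sections.get("global", {})
    findings = []
    if "workgroup" not in g:
        findings.append("workgroup is not set")
    # Assumption: report a missing option instead of guessing its default.
    if "encrypt passwords" not in g:
        findings.append("encrypt passwords is not set explicitly")
    elif not as_bool(g["encrypt passwords"]):
        findings.append("encrypt passwords is disabled")
    if "hosts allow" not in g:
        findings.append("no hosts allow restriction")
    return findings

# Constructed sample input, not taken from a real server.
SAMPLE = """\
; constructed sample file
[Global]
   WorkGroup = RINGWORLD
   Encrypt Passwords = no
   # hosts allow = 192.168.1.
"""

print(audit_global(parse_smb_conf(SAMPLE)))
```

Because the hosts allow line in the sample is commented out with a hash mark, the reader ignores it and the audit reports the restriction as absent.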

Tip: Although Samba is most commonly used to deliver files to Windows clients, it can serve files to other platforms, including Linux. Using smbmount, a Linux client can mount a Samba share. In most cases, NFS is preferred for Linux-to-Linux file sharing, but on occasion Samba is better. For instance, Samba's support for passwords and individual user accounts gives it an edge if you need to exercise this sort of user-by-user access control.

Samba and Windows XP

Unfortunately, Windows XP has changed the way it handles encrypted passwords, and so is incompatible with Samba's encrypted password system as delivered. To fix the problem, you can use REGEDIT on Windows XP. Change the following entry's value from 3 to 2:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\lmcompatibilitylevel

Samba 3.0, when released, should not need this change to the Windows XP Registry. If you want to use a Windows XP system with a domain controlled by Samba, you may also need to change another Windows Registry setting. Most Samba distributions ship with a file that will do the job: WinXP_SignOrSeal.reg, usually stored in /usr/share/doc/samba-doc-version/docs/Registry or a similar directory, where version is the Samba version number. Copy this file to the Windows XP system and double-click it. This should launch REGEDIT, which will make the necessary changes.
