Creating the Share

The second step in configuring a Samba server is configuring the share. For this purpose, Samba works with a configuration file with the name /etc/samba/smb.conf. In this configuration file, almost the complete Samba server is configured, including general options as well as shares. Listing 15-3 shows an example of the complete configuration file as it is used after a default installation of the Samba server on SUSE Linux Enterprise Server. I won't discuss it line by line here; the purpose is that you get a picture of how it is organized.

Listing 15-3. Example of the smb.conf Configuration File

# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.

[global]
    workgroup = TUX-NET
    printing = cups
    printcap name = cups
    printcap cache time = 750
    cups options = raw
    map to guest = Bad User
    include = /etc/samba/dhcp.conf
    logon path = \\%L\profiles\.msprofile
    logon home = \\%L\%U\.9xprofile
    logon drive = P:

[homes]
    comment = Home Directories
    valid users = %S, %D%w%S
    browseable = No
    read only = No
    inherit acls = Yes

[profiles]
    comment = Network Profiles Service
    path = %H
    read only = No
    store dos attributes = Yes
    create mask = 0600
    directory mask = 0700

[users]
    comment = All users
    path = /home
    read only = No
    inherit acls = Yes
    veto files = /aquota.user/groups/shares/

[groups]
    comment = All groups
    path = /home/groups
    read only = No
    inherit acls = Yes

[printers]
    comment = All Printers
    path = /var/tmp
    printable = Yes
    create mask = 0600
    browseable = No

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/drivers
    write list = @ntadmin root
    force group = ntadmin
    create mask = 0664
    directory mask = 0775

The smb.conf configuration file is separated into different sections. The name of the first section is [global], which contains settings that relate to how the Samba server works overall. After that, some specific shares are created. First, the share [homes] gives access to user home directories. Then [profiles] and [users] are required to work with Windows profiles. Next, a share is created to give access to group data directories in /home/groups; note that by default these directories do not exist. Finally, the shares [printers] and [print$] are used to automatically share all printers on the network. With the installation of the Samba software on SUSE Linux Enterprise Server, you get a configuration that gives a working Samba server immediately; just start it with the rcsmb start command and access it, and you will see that it gives you access to your home directory (if your Linux user account has a home directory) and shared printers. The only thing missing is a configured user environment. Without that, Samba won't recognize the credentials of Windows users trying to access it.

Note: Don't forget to open your firewall for Samba. You'll find more about how to do that in Chapter 30.

In the smb.conf configuration file in Listing 15-3, you first see the section [global]. In this section, settings are configured that apply to the complete Samba server. Some settings can be configured here only. For example, the definition of the workgroup in workgroup = TUX-NET is a setting that applies to everything that is offered by your Samba server. Apart from the global section, some shares are defined as well. Of these, the homes share gives access to the home directories of users, the profiles share allows you to work with Windows profiles that are used to store configuration information of the users' working environment on the network, and the printers and print$ shares are created to configure the printing environment completely. The users and groups shares offer nice examples of how a generic share can be configured that gives access to directories that need to be shared.

Just by following the previous example, you can create a Samba share that works pretty well to share your shared directory. In Listing 15-4, you can see an example of such a share where some additional features are used.

Listing 15-4. Example of a Share with Some Additional Security Features Configured

[sales]
    comment = Share for the sales department
    path = /srv/samba/sales
    valid users = @sales
    force user = dana
    force group = accounting
    read only = no
    inherit acls = yes
    veto files = *.mp3
    create mask = 660

The Listing 15-4 example uses some parameters that are often used on shared directories. Table 15-4 gives an overview of these parameters.

Table 15-4. Useful Parameters for Shared Folders

Parameter | Meaning

comment | A user querying the server for an available share will see the text that is used as the value for this parameter. Use it to explain what the share is used for.

path | This option indicates the path of the local Linux directory that is shared. In the example, the path is in /srv/samba/. It is a good idea to put all the directories shared by the Samba server under one main directory to get a better overview of what exactly is shared on your server. The /srv directory is meant for just that, so you can use it for that purpose.

valid users | Earlier in this chapter you read that Linux permissions must be configured for the file system on which you keep your shared directory. That doesn't mean that local permissions alone are enough security for your share. The valid users parameter is an example of some additional security. By using this parameter, you can specify a comma-separated list of users who are allowed access to the share. By default this parameter is empty, which allows anyone to log in. It is a good idea to use this parameter, followed by the name of a group, as you can see in the example, to allow access only to users who are members of the group specified. If you work with group names, make sure the group name is preceded by an @ sign to indicate that it is a group. If, in addition to specifying the names of users who you do want to allow access, you want to make sure that some users absolutely don't have access, you can use the rather paranoid option invalid users to make sure some users are excluded.

force user | This parameter can be useful to make sure that all files created in this directory get the specified user (dana in the example in Listing 15-4) as their Linux owner. Don't use this option if you need to see which user created which file in the share.

force group | This option is the equivalent of using the SGID Linux permission on the directory that is shared; it ensures that the group that is specified becomes the owner of all files that are created in the share. Using either force user or force group makes sharing files between users in a group really easy.

read only | Without this option, users can't write to the share. By specifying read only = no, you actually say writeable = yes and thus allow users to write files to the share.

inherit acls | If ACLs are used on the Linux file system, this option makes sure they are applied to everything created under the directory with the ACL. Don't use this option if no ACLs are used on the Linux file system.

veto files | A veto file is a file that is always denied creation on the share. By using veto files, you can ensure that certain files just cannot be created. As in the example, you should use patterns to indicate what files you don't want to be created. Alternatively, you can specify the names of the files you don't want to exist. For example, use veto files = /*.bat/*.exe/*.mp3/ to prevent executable files as well as MP3 files from being stored on your server. Note that in this example, slashes separate the different patterns from each other.

create mask | This useful parameter specifies the default permission mode for files that are created in this directory. This parameter is not used to set default permissions for new directories; for that purpose, the parameter directory mask is used.

directory mask | Use this parameter to set default permissions for new directories.
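The parameters in Table 15-4 lend themselves to an automated check. The following Python script is an added example, not part of the original chapter: it parses smb.conf text and flags writable shares without valid users, shares that use force user, and create masks that leave permission bits set for others. The [scratch] share, the sample text, and all function names are assumptions constructed for illustration.

```python
# Constructed sample: [sales] follows Listing 15-4; [scratch] is hypothetical.
SAMPLE = """\
[global]
    workgroup = TUX-NET
[sales]
    valid users = @sales
    force user = dana
    read only = no
    create mask = 660
[scratch]
    writeable = yes
    create mask = 0666
"""

def parse_smb_conf(text):
    """Return {section: {parameter: value}} with lowercased names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def is_writable(p):  # read-only unless read only = no or writeable = yes
    return (p.get("read only", "yes").lower() in ("no", "false", "0")
            or p.get("writeable", "no").lower() in ("yes", "true", "1"))

def audit(text):  # returns {share: [findings]}; [global] is skipped
    report = {}
    for name, p in parse_smb_conf(text).items():
        if name == "global":
            continue
        findings = []
        if is_writable(p) and not p.get("valid users"):
            findings.append("writable without valid users")
        if p.get("force user"):
            findings.append("force user hides who created a file")
        # Samba's default create mask is 0744; flag any "other" bit.
        if int(p.get("create mask", "0744"), 8) & 0o007:
            findings.append("create mask grants access to others")
        report[name] = findings
    return report

print(audit(SAMPLE))
```

To check a real server, pass the contents of /etc/samba/smb.conf to audit(); the script does not follow include directives.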
