<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 27. Samba</title><link rel="stylesheet" href="susebooks.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="Documentation"><link rel="up" href="part.reference.services.html" title="Part V. Services"><link rel="prev" href="cha.nfs.html" title="Chapter 26. Sharing File Systems with NFS"><link rel="next" href="cha.apache2.html" title="Chapter 28. The Apache HTTP Server"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="chapter" title="Chapter 27. Samba"><div class="titlepage"><div><div><h2 class="title"><a name="cha.samba"></a>Chapter 27. Samba<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#cha.samba">¶</a></span></h2></div></div></div><div class="toc"><p><b>Contents</b></p><dl><dt><span class="sect1"><a href="cha.samba.html#sec.samba.term">27.1. Terminology</a></span></dt><dt><span class="sect1"><a href="cha.samba.html#sec.samba.install">27.2. Installing a Samba Server</a></span></dt><dt><span class="sect1"><a href="cha.samba.html#sec.samba.serv.start">27.3. 
Starting and Stopping Samba</a></span></dt><dt><span class="sect1"><a href="cha.samba.html#sec.samba.serv.inst">27.4. Configuring a Samba Server</a></span></dt><dt><span class="sect1"><a href="cha.samba.html#sec.samba.client.inst">27.5. Configuring Clients</a></span></dt><dt><span class="sect1"><a href="cha.samba.html#sec.samba.anmeld.serv">27.6. Samba as Login Server</a></span></dt><dt><span class="sect1"><a href="cha.samba.html#sec.samba.info">27.7. For More Information</a></span></dt></dl></div><a class="indexterm" name="idx.Samba"></a><a class="indexterm" name="id491986"></a><a class="indexterm" name="id491995"></a><a class="indexterm" name="id492003"></a><a class="indexterm" name="id492012"></a><a class="indexterm" name="id492020"></a><div class="abstract" title="Abstract"><p class="title"><b>Abstract</b></p><p>
Using Samba, a Unix machine can be configured as a file and print server
for Mac OS X, Windows, and OS/2 machines. Samba has developed into a
fully-fledged and rather complex product. Configure Samba with YaST,
SWAT (a Web interface), or by editing the configuration file manually.
</p></div><div class="sect1" title="27.1. Terminology"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.samba.term"></a>27.1. Terminology<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.samba.term">¶</a></span></h2></div></div></div><p>
The following are some terms used in Samba documentation and in the
YaST module.
</p><div class="variablelist"><dl><dt><span class="term">SMB protocol</span></dt><dd><p>
<a class="indexterm" name="id492068"></a> <a class="indexterm" name="id492079"></a> <a class="indexterm" name="id492090"></a> Samba uses the SMB (server message block) protocol that
is based on the <span class="productname">NetBIOS</span> services. Microsoft
released the protocol so other software manufacturers could establish
connections to a Microsoft domain network. With Samba, the SMB
protocol works on top of the TCP/IP protocol, so the TCP/IP protocol
must be installed on all clients. <a class="indexterm" name="id492104"></a>
</p></dd><dt><span class="term">CIFS protocol</span></dt><dd><p>
<a class="indexterm" name="id492130"></a> <a class="indexterm" name="id492141"></a> The CIFS (common Internet file system) protocol is another
protocol supported by Samba. CIFS defines a standard remote file
system access protocol for use over the network, enabling groups of
users to work together and share documents across the network.
</p></dd><dt><span class="term">NetBIOS<a class="indexterm" name="id492163"></a></span></dt><dd><p>
<a class="indexterm" name="id492178"></a> NetBIOS is a software interface (API) designed for
communication between machines providing a name service. It enables
machines connected to the network to reserve names for themselves.
After reservation, these machines can be addressed by name. There is
no central process that checks names. Any machine on the network can
reserve as many names as it wants as long as the names are not already
in use. The NetBIOS interface can be implemented for different network
architectures. An implementation that works relatively closely with
network hardware is called <span class="productname">NetBEUI</span>, but
this is often referred to as <span class="productname">NetBIOS</span>.
Network protocols implemented with NetBIOS are IPX from Novell
(NetBIOS via TCP/IP) and TCP/IP.
</p><p>
The NetBIOS names sent via TCP/IP have nothing in common with the
names used in <code class="filename">/etc/hosts</code> or those defined by DNS.
NetBIOS uses its own, completely independent naming convention.
However, it is recommended to use names that correspond to DNS
hostnames to make administration easier or use DNS natively. This is
the default used by Samba.
</p></dd><dt><span class="term">Samba server<a class="indexterm" name="id492218"></a></span></dt><dd><p>
The Samba server provides SMB/CIFS services and NetBIOS over IP naming
services to clients. For Linux, there are three daemons for the Samba
server: smbd for SMB/CIFS services, nmbd for naming services, and
winbind for authentication.
</p></dd><dt><span class="term">Samba client<a class="indexterm" name="idx.Samba_clients"></a></span></dt><dd><p>
The Samba client is a system that uses Samba services from a Samba
server over the SMB protocol. All common operating systems, such as
Mac OS X, Windows, and OS/2, support the SMB protocol. The TCP/IP
protocol must be installed on all computers. Samba provides a client
for the different UNIX flavors. For Linux, there is a kernel module
for SMB that allows the integration of SMB resources on the Linux
system level. You do not need to run any daemon for the Samba client.
</p></dd><dt><span class="term">Shares</span></dt><dd><p>
<a class="indexterm" name="id492283"></a> SMB servers provide resources to the clients by means of
shares. Shares are printers and directories with their subdirectories
on the server. Each share is exported under a name and can be accessed
by that name. The share name can be set to any name; it does not
have to be the name of the export directory. A printer is also
assigned a name. Clients can access the printer by its name.
<a class="indexterm" name="id492298"></a> <a class="indexterm" name="id492309"></a>
<a class="indexterm" name="id492320"></a>
</p></dd><dt><span class="term">DC</span></dt><dd><p>
<a class="indexterm" name="id492342"></a> A domain controller (DC) is a server that handles
accounts in a domain. For data replication, additional domain
controllers are available in one domain.
</p></dd></dl></div></div><div class="sect1" title="27.2. Installing a Samba Server"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.samba.install"></a>27.2. Installing a Samba Server<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.samba.install">¶</a></span></h2></div></div></div><p>
To install a Samba server, start YaST and select
<span class="guimenu">Software</span>+<span class="guimenu">Software
Management</span>. Choose
<span class="guimenu">Filter</span>+<span class="guimenu">Patterns</span> and select <span class="guimenu">File
Server</span>. Confirm the installation of the required packages to
finish the installation process.
</p></div><div class="sect1" title="27.3. Starting and Stopping Samba"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.samba.serv.start"></a>27.3. Starting and Stopping Samba<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.samba.serv.start">¶</a></span></h2></div></div></div><p>
You can start or stop the Samba server automatically (during boot) or
manually. Starting and stopping policy is a part of the YaST Samba
server configuration described in
<a class="xref" href="cha.samba.html#sec.samba.yast2.conf" title="27.4.1. Configuring a Samba Server with YaST">Section 27.4.1, “Configuring a Samba Server with YaST”</a>.
</p><p>
To stop or start running Samba services with YaST, use <span class="guimenu">System</span>+<span class="guimenu">System Services (Runlevel)</span> and check winbind, smb, and nmb. From a command line, stop
services required for Samba with <span class="command"><strong>rcsmb stop && rcnmb
stop</strong></span> and start them with <span class="command"><strong>rcnmb start && rcsmb
start</strong></span>; rcsmb takes care of winbind if needed.
</p><a class="indexterm" name="id492445"></a><a class="indexterm" name="id492454"></a></div><div class="sect1" title="27.4. Configuring a Samba Server"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.samba.serv.inst"></a>27.4. Configuring a Samba Server<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.samba.serv.inst">¶</a></span></h2></div></div></div><a class="indexterm" name="id492473"></a><a class="indexterm" name="id492481"></a><a class="indexterm" name="id492490"></a><a class="indexterm" name="id492498"></a><p>
A Samba server in openSUSE® can be configured in two different
ways: with YaST or manually. Manual configuration offers a higher level
of detail, but lacks the convenience of the YaST GUI.
</p><div class="sect2" title="27.4.1. Configuring a Samba Server with YaST"><div class="titlepage"><div><div><h3 class="title"><a name="sec.samba.yast2.conf"></a>27.4.1. Configuring a Samba Server with YaST<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.samba.yast2.conf">¶</a></span></h3></div></div></div><p>
To configure a Samba server, start YaST and select
<span class="guimenu">Network Services</span>+<span class="guimenu">Samba
Server</span>.
</p><div class="sect3" title="27.4.1.1. Initial Samba Configuration"><div class="titlepage"><div><div><h4 class="title"><a name="sec.samba.yast2.conf.inst"></a>27.4.1.1. Initial Samba Configuration<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.samba.yast2.conf.inst">¶</a></span></h4></div></div></div><p>
When starting the module for the first time, the <span class="guimenu">Samba
Installation</span> dialog starts, prompting you to make just a few
basic decisions concerning administration of the server. At the end of
the configuration it prompts for the Samba administrator password
(<span class="guimenu">Samba Root Password</span>). For later starts, the
<span class="guimenu">Samba Server Configuration</span> dialog appears.
</p><p>
The <span class="guimenu">Samba Installation</span> dialog consists of two steps
and optional detailed settings:
</p><div class="variablelist"><dl><dt><span class="term">Workgroup or Domain Name</span></dt><dd><p>
Select an existing name from <span class="guimenu">Workgroup or Domain
Name</span> or enter a new one and click <span class="guimenu">Next</span>.
</p></dd><dt><span class="term">Samba Server Type</span></dt><dd><p>
In the next step, specify whether your server should act as a DC (PDC)
and click <span class="guimenu">Next</span>.
</p></dd><dt><span class="term">Start-Up</span></dt><dd><p>
Select whether you want to start Samba <span class="guimenu">During
Boot</span> or <span class="guimenu">Manually</span> and click
<span class="guimenu">OK</span>. Then in the final popup box, set the
<span class="guimenu">Samba root Password</span>.
</p></dd></dl></div><p>
You can change all settings later in the <span class="guimenu">Samba
Configuration</span> dialog with the <span class="guimenu">Start-Up</span>,
<span class="guimenu">Shares</span>, <span class="guimenu">Identity</span>,
<span class="guimenu">Trusted Domains</span>, and <span class="guimenu">LDAP
Settings</span> tabs.
</p></div><div class="sect3" title="27.4.1.2. Advanced Samba Configuration"><div class="titlepage"><div><div><h4 class="title"><a name="sec.samba.yast2.conf.adv"></a>27.4.1.2. Advanced Samba Configuration<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.samba.yast2.conf.adv">¶</a></span></h4></div></div></div><p>
During the first start of the Samba server module the <span class="guimenu">Samba
Configuration</span> dialog appears directly after the two initial
steps described in <a class="xref" href="cha.samba.html#sec.samba.yast2.conf.inst" title="27.4.1.1. Initial Samba Configuration">Section 27.4.1.1, “Initial Samba Configuration”</a>. Use it
to adjust your Samba server configuration.
</p><p>
After editing your configuration, click <span class="guimenu">OK</span> to save
your settings.
</p><div class="sect4" title="27.4.1.2.1. Starting the Server"><div class="titlepage"><div><div><h5 class="title"><a name="id492713"></a>27.4.1.2.1. Starting the Server<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#id492713">¶</a></span></h5></div></div></div><p>
In the <span class="guimenu">Start Up</span> tab, configure the start of the
Samba server. To start the service every time your system boots,
select <span class="guimenu">During Boot</span>. To activate manual start,
choose <span class="guimenu">Manually</span>. More information about starting a
Samba server is provided in <a class="xref" href="cha.samba.html#sec.samba.serv.start" title="27.3. Starting and Stopping Samba">Section 27.3, “Starting and Stopping Samba”</a>.
</p><p>
In this tab, you can also open ports in your firewall. To do so,
select <span class="guimenu">Open Port in Firewall</span>. If you have multiple
network interfaces, select the network interface for Samba services by
clicking <span class="guimenu">Firewall Details</span>, selecting the
interfaces, and clicking <span class="guimenu">OK</span>.
</p></div><div class="sect4" title="27.4.1.2.2. Shares"><div class="titlepage"><div><div><h5 class="title"><a name="id492758"></a>27.4.1.2.2. Shares<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#id492758">¶</a></span></h5></div></div></div><p>
In the <span class="guimenu">Shares</span> tab, determine the Samba shares to
activate. There are some predefined shares, like homes and printers.
Use <span class="guimenu">Toggle Status</span> to switch between
<span class="guimenu">Active</span> and <span class="guimenu">Inactive</span>. Click
<span class="guimenu">Add</span> to add new shares and <span class="guimenu">Delete</span>
to delete the selected share.
</p><p>
<span class="guimenu">Allow Users to Share Their Directories</span> enables
members of the group in <span class="guimenu">Permitted Group</span> to share
directories they own with other users. For example,
<code class="systemitem">users</code> for a local scope or
<code class="systemitem">DOMAIN\Users</code> for a domain scope. The user
also must make sure that the file system permissions allow access.
With <span class="guimenu">Maximum Number of Shares</span>, limit the total
number of shares that may be created. To permit access to user shares
without authentication, enable <span class="guimenu">Allow Guest Access</span>.
</p></div><div class="sect4" title="27.4.1.2.3. Identity"><div class="titlepage"><div><div><h5 class="title"><a name="id492822"></a>27.4.1.2.3. Identity<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#id492822">¶</a></span></h5></div></div></div><p>
In the <span class="guimenu">Identity</span> tab, you can determine the domain
with which the host is associated (<span class="guimenu">Base Settings</span>)
and whether to use an alternative hostname in the network
(<span class="guimenu">NetBIOS Hostname</span>).
It is also possible to use Microsoft Windows Internet Name Service
(WINS) for name resolution. In this case, activate <span class="guimenu">Use WINS
for Hostname Resolution</span> and decide whether to
<span class="guimenu">Retrieve WINS server via DHCP</span>. To set expert global
settings or set a user authentication source,
click <span class="guimenu">Advanced Settings</span>.
</p></div><div class="sect4" title="27.4.1.2.4. Trusted Domains"><div class="titlepage"><div><div><h5 class="title"><a name="id492858"></a>27.4.1.2.4. Trusted Domains<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#id492858">¶</a></span></h5></div></div></div><p>
To enable users from other domains to access your domain, make the
appropriate settings in the <span class="guimenu">Trusted Domains</span> tab. To
add a new domain, click <span class="guimenu">Add</span>. To remove the selected
domain, click <span class="guimenu">Delete</span>.
</p></div><div class="sect4" title="27.4.1.2.5. LDAP Settings"><div class="titlepage"><div><div><h5 class="title"><a name="id492882"></a>27.4.1.2.5. LDAP Settings<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#id492882">¶</a></span></h5></div></div></div><p>
In the tab <span class="guimenu">LDAP Settings</span>, you can determine the
LDAP server to use for authentication. To test the connection to your
LDAP server, click <span class="guimenu">Test Connection</span>. To set expert
LDAP settings or use default values, click <span class="guimenu">Advanced
Settings</span>.
</p><p>
For more information about LDAP configuration, see
Chapter <i>LDAP—A Directory Service</i> (↑Security Guide).
</p></div></div></div><div class="sect2" title="27.4.2. Web Administration with SWAT"><div class="titlepage"><div><div><h3 class="title"><a name="sec.samba.serv.inst.swat"></a>27.4.2. Web Administration with SWAT<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.samba.serv.inst.swat">¶</a></span></h3></div></div></div><p>
<a class="indexterm" name="id492932"></a> <a class="indexterm" name="id492943"></a> <a class="indexterm" name="id492954"></a> An alternative tool for Samba server administration is SWAT
(Samba Web Administration Tool). It provides a simple Web interface with
which to configure the Samba server. To use SWAT, open
<a class="ulink" href="http://localhost:901" target="_top">http://localhost:901</a> in a Web browser and log in as user
<code class="systemitem">root</code>. If you do not have a
special Samba root account, use the system
<code class="systemitem">root</code> account.
</p><div class="note"><table border="0" cellpadding="3" cellspacing="0" width="100%" summary="Note: Activating SWAT"><tr class="head"><td width="32"><img alt="[Note]" src="admon/note.png"></td><th align="left">Activating SWAT</th></tr><tr><td colspan="2" align="left" valign="top"><p>
After Samba server installation, SWAT is not activated. To activate it,
open <span class="guimenu">Network Services</span>+<span class="guimenu">Network
Services (xinetd)</span> in YaST, enable the network
services configuration, select <span class="guimenu">swat</span> from the table,
and click <span class="guimenu">Toggle Status (On or Off)</span>.
</p></td></tr></table></div></div><div class="sect2" title="27.4.3. Configuring the Server Manually"><div class="titlepage"><div><div><h3 class="title"><a name="sec.samba.serv.inst.manual"></a>27.4.3. Configuring the Server Manually<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.samba.serv.inst.manual">¶</a></span></h3></div></div></div><p>
<a class="indexterm" name="id493031"></a> <a class="indexterm" name="id493042"></a> <a class="indexterm" name="id493053"></a> If you intend to use Samba as a server, install
<code class="systemitem">samba</code>. The main
configuration file of Samba is <code class="filename">/etc/samba/smb.conf</code>.
This file can be divided into two logical parts. The
<code class="literal">[global]</code> section contains the central and global
settings. The <code class="literal">[share]</code> sections contain the individual
file and printer shares. By means of this approach, details regarding
the shares can be set differently or globally in the
<code class="literal">[global]</code> section, which enhances the structural
transparency of the configuration file.
</p><div class="sect3" title="27.4.3.1. The global Section"><div class="titlepage"><div><div><h4 class="title"><a name="sec.samba.smb.conf.Erlaeuterung"></a>27.4.3.1. The global Section<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.samba.smb.conf.Erlaeuterung">¶</a></span></h4></div></div></div><p>
The following parameters of the <code class="literal">[global]</code> section
need some adjustment to match the requirements of your network setup so
other machines can access your Samba server via SMB in a Windows
environment.
</p><div class="variablelist"><dl><dt><span class="term"><code class="literal">workgroup = TUX-NET</code>
</span></dt><dd><p>
This line assigns the Samba server to a workgroup. Replace
<code class="literal">TUX-NET</code> with an appropriate workgroup of your
networking environment. Your Samba server appears under its DNS name
unless this name has been assigned to some other machine in the
network. If the DNS name is not available, set the server name using
<code class="literal">netbiosname=<em class="replaceable"><code>MYNAME</code></em></code>.
For more details about this parameter, see the
<code class="systemitem">smb.conf</code> man page.
</p></dd><dt><span class="term"><code class="literal">os level = 20</code>
</span></dt><dd><p>
This parameter determines whether your Samba server tries to become
LMB (local master browser) for its workgroup. With the Samba 3
release series, it is seldom necessary to override the default
setting (<code class="literal">20</code>). Choose a very low value such as
<code class="literal">2</code> to spare the existing Windows network from any
disturbances caused by a misconfigured Samba server. More
information about this important topic can be found in the Network
Browsing chapter of the Samba 3 Howto; for more information on the
Samba 3 Howto, see <a class="xref" href="cha.samba.html#sec.samba.info" title="27.7. For More Information">Section 27.7, “For More Information”</a>.
</p><p>
If no other SMB server is present in your network (such as a Windows
2000 server) and you want the Samba server to keep a list of all
systems present in the local environment, set the <code class="literal">os
level</code> to a higher value (for example,
<code class="literal">65</code>). Your Samba server is then chosen as LMB for
your local network.
</p><p>
When changing this setting, consider carefully how this could affect
an existing Windows network environment. First test the changes in
an isolated network or at a noncritical time of day.
</p></dd><dt><span class="term"><code class="literal">wins support</code> and <code class="literal">wins server</code>
</span></dt><dd><p>
To integrate your Samba server into an existing Windows network with
an active WINS server, enable the <code class="option">wins server</code>
option and set its value to the IP address of that WINS server.
</p><p>
If your Windows machines are connected to separate subnets and need
to still be aware of each other, you need to set up a WINS server.
To turn a Samba server into such a WINS server, set the option
<code class="literal">wins support = Yes</code>. Make sure that only one Samba
server of the network has this setting enabled. The options
<code class="literal">wins server</code> and <code class="literal">wins support</code>
must never be enabled at the same time in your
<code class="filename">smb.conf</code> file.
</p></dd></dl></div></div><div class="sect3" title="27.4.3.2. Shares"><div class="titlepage"><div><div><h4 class="title"><a name="sec.samba.smb.conf.shares"></a>27.4.3.2. Shares<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.samba.smb.conf.shares">¶</a></span></h4></div></div></div><a class="indexterm" name="id493258"></a><p>
The following examples illustrate how a CD-ROM drive and the user
directories (<code class="literal">homes</code>) are made available to the SMB
clients.
</p><div class="variablelist"><dl><dt><span class="term">[cdrom]</span></dt><dd><p>
To avoid having the CD-ROM drive accidentally made available, these
lines are deactivated with comment marks (semicolons in this case).
Remove the semicolons in the first column to share the CD-ROM drive
with Samba.
</p><div class="example"><a name="dat.cd.rom"></a><p class="title"><b>Example 27.1. A CD-ROM Share (deactivated)</b><span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#dat.cd.rom">¶</a></span></p><div class="example-contents"><pre class="screen">;[cdrom]
; comment = Linux CD-ROM
; path = /media/cdrom
; locking = No</pre></div></div><br class="example-break"><div class="variablelist"><dl><dt><span class="term"><code class="option">[cdrom]</code> and <code class="option">comment</code>
</span></dt><dd><p>
The <code class="literal">[cdrom]</code> section entry is the name of the
share that can be seen by all SMB clients on the network. An
additional <code class="literal">comment</code> can be added to further
describe the share.
</p></dd><dt><span class="term"><code class="option">path = /media/cdrom</code>
</span></dt><dd><p>
<code class="option">path</code> exports the directory
<code class="filename">/media/cdrom</code>.
</p></dd></dl></div><p>
By means of a very restrictive default configuration, this kind of
share is only made available to the users present on this system. If
this share should be made available to everybody, add a line
<code class="literal">guest ok = yes</code> to the configuration. This setting
gives read permissions to anyone on the network. It is recommended
to handle this parameter with great care. This applies even more to
the use of this parameter in the <code class="literal">[global]</code>
section.
</p></dd><dt><span class="term"><code class="option">[homes]</code>
</span></dt><dd><p>
The <code class="option">[homes]</code> share is of special importance here. If
the user has a valid account and password for the Linux file server
and his own home directory, he can be connected to it.
</p><div class="example"><a name="dat.homes.frei"></a><p class="title"><b>Example 27.2. [homes] Share</b><span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#dat.homes.frei">¶</a></span></p><div class="example-contents"><pre class="screen">[homes]
comment = Home Directories
valid users = %S
browseable = No
read only = No
create mask = 0640
directory mask = 0750</pre></div></div><br class="example-break"><div class="variablelist"><dl><dt><span class="term">[homes]</span></dt><dd><p>
As long as there is no other share using the share name of the
user connecting to the SMB server, a share is dynamically
generated using the <code class="literal">[homes]</code> share directives.
The resulting name of the share is the username.
</p></dd><dt><span class="term"><code class="option">valid users = %S</code>
</span></dt><dd><p>
<code class="literal">%S</code> is replaced with the concrete name of the
share as soon as a connection has been successfully established.
For a <code class="option">[homes]</code> share, this is always the
username. As a consequence, access rights to a user's share are
restricted exclusively to that user.
</p></dd><dt><span class="term"><code class="option">browseable = No</code>
</span></dt><dd><p>
This setting makes the share invisible in the network
environment.
</p></dd><dt><span class="term"><code class="option">read only = No</code>
</span></dt><dd><p>
By default, Samba prohibits write access to any exported share by
means of the <code class="literal">read only = Yes</code> parameter. To
make a share writable, set the value <code class="literal">read only =
No</code>, which is synonymous with <code class="literal">writable =
Yes</code>.
</p></dd><dt><span class="term"><code class="option">create mask = 0640</code>
</span></dt><dd><p>
Systems that are not based on MS Windows NT do not understand the
concept of UNIX permissions, so they cannot assign permissions
when creating a file. The parameter <code class="literal">create
mask</code> defines the access permissions assigned to newly
created files. This only applies to writable shares. In effect,
this setting means the owner has read and write permissions and
the members of the owner's primary group have read permissions.
<code class="option">valid users = %S</code> prevents read access even if
the group has read permissions. For the group to have read or
write access, deactivate the line <code class="option">valid users =
%S</code>.
</p></dd></dl></div></dd></dl></div></div><div class="sect3" title="27.4.3.3. Security Levels"><div class="titlepage"><div><div><h4 class="title"><a name="sec.samba.rechte"></a>27.4.3.3. Security Levels<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.samba.rechte">¶</a></span></h4></div></div></div><a class="indexterm" name="idx.Samba_security"></a><a class="indexterm" name="id493580"></a><a class="indexterm" name="id493589"></a><p>
To improve security, each share access can be protected with a
password. SMB offers the following ways of checking permissions:
</p><div class="variablelist"><dl><dt><span class="term">Share Level Security (<code class="literal">security = share</code>)</span></dt><dd><p>
A password is firmly assigned to a share. Everyone who knows this
password has access to that share.
</p></dd><dt><span class="term">User Level Security (<code class="literal">security = user</code>)</span></dt><dd><p>
This variant introduces the concept of the user to SMB. Each user
must register with the server with his or her own password. After
registration, the server can grant access to individual exported
shares dependent on usernames.
</p></dd><dt><span class="term">Server Level Security (<code class="literal">security = server</code>)</span></dt><dd><p>
To its clients, Samba pretends to be working in user level mode.
However, it passes all password queries to another user level mode
server, which takes care of authentication. This setting requires
the additional <code class="option">password server</code> parameter.
</p></dd><dt><span class="term">ADS Level Security (<code class="literal">security = ADS</code>)</span></dt><dd><p>
In this mode, Samba will act as a domain member in an Active
Directory environment. To operate in this mode, the machine running
Samba needs Kerberos installed and configured. You must join the
machine using Samba to the ADS realm. This can be done using the
YaST <span class="guimenu">Windows Domain Membership</span> module.
</p></dd><dt><span class="term">Domain Level Security (<code class="literal">security = domain</code>)</span></dt><dd><p>
This mode will only work correctly if the machine has been joined
into a Windows NT Domain. Samba will try to validate username and
password by passing it to a Windows NT Primary or Backup Domain
Controller, the same way a Windows NT Server would. It expects
the encrypted passwords parameter to be set to
<code class="literal">yes</code>.
</p></dd></dl></div><p>
The selection of share, user, server, or domain level security applies
to the entire server. It is not possible to offer individual shares of
a server configuration with share level security and others with user
level security. However, you can run a separate Samba server for each
configured IP address on a system.
</p><p>
More information about this subject can be found in the Samba 3 HOWTO.
For multiple servers on one system, pay attention to the options
<code class="option">interfaces</code> and <code class="option">bind interfaces only</code>.
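    </p><p>
     The constraints described in this section can be checked mechanically.
     The following Python code is an added example, not part of the original
     documentation or of the Samba project; the function names
     <code class="literal">parse</code> and <code class="literal">audit</code>,
     the constructed sample configuration, and the fallback to Samba 3
     defaults for absent parameters are assumptions.
    </p>

```python
import re

YES = {"yes", "true", "1"}
# Constructed sample configuration, not taken from a real system.
SAMPLE = """[global]
security = server
interfaces = 192.168.1.10/24
[homes]
Security = share
"""

def norm(name):
    return "".join(name.lower().split())  # names ignore case and whitespace

def parse(text):
    """Parse smb.conf text into {section: {parameter: value}}."""
    conf, section = {}, None
    # A trailing backslash continues a parameter on the next line.
    for raw in re.sub(r"\\\n", " ", text).splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = norm(line[1:-1])
        elif "=" in line and section is not None:
            name, value = line.split("=", 1)
            conf.setdefault(section, {})[norm(name)] = value.strip()
    return conf

def audit(text):
    """Return findings for the constraints described in this section."""
    conf = parse(text)
    glob = conf.get("global", {})
    # Assumed Samba 3 defaults for parameters that are absent.
    security = glob.get("security", "user").lower()
    encrypt = glob.get("encryptpasswords", "yes").lower() in YES
    bind_only = glob.get("bindinterfacesonly", "no").lower() in YES
    findings = []
    if security == "server" and not glob.get("passwordserver"):
        findings.append("security = server needs a password server")
    if security == "domain" and not encrypt:
        findings.append("security = domain expects encrypt passwords = yes")
    if glob.get("interfaces") and not bind_only:
        findings.append("interfaces set without bind interfaces only = yes")
    for name, params in conf.items():
        if name != "global" and "security" in params:
            findings.append("security in [%s]: the mode is server-wide" % name)
    return findings
```

    <p>
     Run <code class="literal">audit()</code> on the contents of each
     instance's <code class="filename">smb.conf</code> when several Samba
     servers share one system; an empty list means none of these constraints
     is violated.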
</p><a class="indexterm" name="id493740"></a></div></div></div><div class="sect1" title="27.5. Configuring Clients"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.samba.client.inst"></a>27.5. Configuring Clients<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.samba.client.inst">¶</a></span></h2></div></div></div><a class="indexterm" name="id493759"></a><p>
Clients can only access the Samba server via TCP/IP. NetBEUI and NetBIOS
via IPX cannot be used with Samba.
</p><div class="sect2" title="27.5.1. Configuring a Samba Client with YaST"><div class="titlepage"><div><div><h3 class="title"><a name="sec.samba.client.inst.yast"></a>27.5.1. Configuring a Samba Client with YaST<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.samba.client.inst.yast">¶</a></span></h3></div></div></div><a class="indexterm" name="id493782"></a><a class="indexterm" name="id493795"></a><a class="indexterm" name="id493803"></a><p>
Configure a Samba client to access resources (files or printers) on the
Samba or Windows server. Enter the NT or Active Directory domain or
workgroup in the dialog <span class="guimenu">Network Services</span>+<span class="guimenu">Windows Domain Membership</span>. If you activate
<span class="guimenu">Also Use SMB Information for Linux Authentication</span>, the
user authentication runs over the Samba, NT or Kerberos server.</p><p>Click <span class="guimenu">Expert Settings</span> for advanced configuration
options. For example, use the <span class="guimenu">Mount Server Directories</span>
table to enable automatic mounting of the server home directory upon
authentication. This way users can access their home directories
when they are hosted on CIFS. For details, see the
<code class="systemitem">pam_mount</code> man page.</p><p>After completing all settings, confirm the dialog to finish the
configuration.
</p></div></div><div class="sect1" title="27.6. Samba as Login Server"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.samba.anmeld.serv"></a>27.6. Samba as Login Server<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.samba.anmeld.serv">¶</a></span></h2></div></div></div><a class="indexterm" name="id493869"></a><p>
In networks where predominantly Windows clients are found, it is often
preferable that users may only register with a valid account and
password. In a Windows-based network, this task is handled by a primary
domain controller (PDC). You can use a Windows NT server configured as
PDC, but this task can also be done with a Samba server. The entries that
must be made in the <code class="literal">[global]</code> section of
<code class="filename">smb.conf</code> are shown in
<a class="xref" href="cha.samba.html#dat.samba.smb.conf.dom" title="Example 27.3. Global Section in smb.conf">Example 27.3, “Global Section in smb.conf”</a>.
</p><div class="example"><a name="dat.samba.smb.conf.dom"></a><p class="title"><b>Example 27.3. Global Section in smb.conf</b><span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#dat.samba.smb.conf.dom">¶</a></span></p><div class="example-contents"><pre class="screen">[global]
workgroup = TUX-NET
domain logons = Yes
domain master = Yes</pre></div></div><br class="example-break"><p>
   If encrypted passwords are used for verification purposes, the Samba
server must be able to handle these. The entry <code class="literal">encrypt passwords
= yes</code> in the <code class="literal">[global]</code> section enables this
(with Samba version 3, this is now the default). In addition, it is
necessary to prepare user accounts and passwords in an encryption format
that conforms with Windows. Do this with the command <span class="command"><strong>smbpasswd
<code class="option">-a name</code></strong></span>. Create the domain account for the
computers, required by the Windows domain concept, with the following
commands:
</p><pre class="screen">useradd hostname\$
smbpasswd -a -m hostname</pre><a class="indexterm" name="id493937"></a><p>
With the <span class="command"><strong>useradd</strong></span> command, a dollar sign is added. The
command <span class="command"><strong>smbpasswd</strong></span> inserts this automatically when the
parameter <code class="option">-m</code> is used. The commented configuration
example
(<code class="filename">/usr/share/doc/packages/samba/examples/smb.conf.SUSE</code>)
contains settings that automate this task.
</p><pre class="screen">add machine script = /usr/sbin/useradd -g nogroup -c "NT Machine Account" \
-s /bin/false %m\$
</pre><p>
To make sure that Samba can execute this script correctly, choose a Samba
user with the required administrator permissions and add it to the
<code class="systemitem">ntadmin</code> group. Then all users
belonging to this Linux group can be assigned <code class="literal">Domain
Admin</code> status with the command:
</p><pre class="screen">net groupmap add ntgroup="Domain Admins" unixgroup=ntadmin</pre><p>
For more information about this topic, see Chapter 12 of the Samba 3
HOWTO, found in
<code class="filename">/usr/share/doc/packages/samba/Samba3-HOWTO.pdf</code>.
</p></div><div class="sect1" title="27.7. For More Information"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="sec.samba.info"></a>27.7. For More Information<span class="permalink"><a alt="Permalink" title="Copy Permalink" href="#sec.samba.info">¶</a></span></h2></div></div></div><p>
Detailed Samba information is available in the digital documentation.
Enter <span class="command"><strong>apropos</strong></span> <code class="option">samba</code> at the command
   line to display some manual pages or, if the Samba documentation is
   installed, browse the
   <code class="filename">/usr/share/doc/packages/samba</code> directory
   for more online documentation and examples.
Find a commented example configuration
(<code class="filename">smb.conf.SUSE</code>) in the <code class="filename">examples</code>
subdirectory. <a class="indexterm" name="id494033"></a>
</p><p>
The Samba 3 HOWTO provided by the Samba team includes a section about
troubleshooting. In addition to that, Part V of the document provides a
   step-by-step guide to checking your configuration. You can find the Samba 3
   HOWTO in
<code class="filename">/usr/share/doc/packages/samba/Samba3-HOWTO.pdf</code> after
installing the package <code class="systemitem">samba-doc</code>.
</p><p>
Also read the Samba page in the openSUSE wiki at
<a class="ulink" href="http://en.openSUSE.org/Samba" target="_top">http://en.openSUSE.org/Samba</a>.
  </p><a class="indexterm" name="id494069"></a></div></div></body></html>