Differences

This shows you the differences between two versions of the page.

--- samba:samba_configuration [2016/07/10 22:01] – peter
+++ samba:samba_configuration [2019/12/04 19:08] (current) – removed peter
@@ Line 1: / Line 1: @@
-====== Samba - Samba Configuration ======
-This example configuration will server out data from two directories.
-The "archive" directory will be read only for items we want everyone to see, but never change.
-The "incoming" directory will be read/write for all users.  Sort of a /tmp on a windows share allowing users to make data available to others.  The incoming directory will also be a place the windows machines can put data that an admin can move to the archive section manually.  This is a perfect solution for a home LAN or small corporate network.
-<file bash /etc/samba/smb.conf>
-#============= Global Settings =======================#
-[global]
-   bind interfaces only = yes
-   deadtime = 15
-   default case = lower
-   disable netbios = yes
-   dns proxy = no
-   domain master = yes
-   encrypt passwords = true
-   guest ok = yes
-   guest only = yes
-   hosts allow = 10.10.10.0/255.255.255.0 127.0.0.1
-   hosts deny = all
-   interfaces = em1
-   invalid users = nobody root
-   load printers = no
-   max connections = 10
-   netbios name = samba
-   preferred master = yes
-   preserve case = no
-   printable = no
-   security = share
-   server string = Samba Share
-   socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536 SO_SNDBUF=65536
-   strict sync = no
-   sync always = no
-   syslog = 1
-   syslog only = yes
-   workgroup = WORKGROUP
-#============ Share Definitions =======================#
-[incoming]
-        create mask = 0400
-        directory mask = 0700
-        path = /big_disk/incoming
-        writeable = yes
-[archive]
-        path = /big_disk/archive
-        writeable = no
-</file>
-===== Configuration options: step by step =====
-**bind interfaces only = yes** says that samba will only bind to the default ip of an interface.
-**deadtime = 15** is the amount of minutes samba will consider an idle connection with a windows machine to be dead.
-**default case = lower** means all file and directory names will be forced into lower case format.
-**disable netbios = yes** we do not need netbios broadcasts for the windows shares so we can disable it.  Our clients will be told where the share is located.  Clients that only support netbios won't be able to see your samba server when netbios support is disabled.
-**dns proxy = no** is disabled.  If enabled, this specifies that nmbd when acting as a WINS server and finding that a NetBIOS name has not been registered, should treat the NetBIOS name word-for-word as a DNS name and do a lookup with the DNS server for that name on behalf of the name-querying client.
-**domain master = yes** means the samba server will take over as the "domain master" no mater what the vote is from windows machines.  On the test network the samba server is the only server so this is fine.  Tell smbd(8) to enable WAN-wide browse list collation.  Setting this option causes nmbd to claim a special domain specific NetBIOS name that identifies it as a domain master browser for its given workgroup.  Local master browsers in the same workgroup on broadcast-isolated subnets will give this nmbd their local browse lists, and then ask smbd(8) for a complete copy of the browse list for the whole wide area network.  Browser clients will then contact their local master browser, and will receive the domain-wide browse list, instead of just the list for their broadcast-isolated subnet.
-**encrypt passwords = true** you will need to encrypt passwords to talk to windows 2000/XP/Vista machines.  This boolean controls whether encrypted passwords will be negotiated with the client.  Note that Windows NT 4.0 SP3 and above and also Windows 98 will by default expect encrypted passwords unless a registry entry is changed.  To use encrypted passwords in Samba see the chapter "**User Database**" in the Samba HOWTO Collection.  MS Windows clients that expect Microsoft encrypted passwords and that do not have plain text password support enabled will be able to connect only to a Samba server that has encrypted password support enabled and for which the user accounts have a valid encrypted password.  Refer to the **smbpasswd** command man page for information regarding the creation of encrypted passwords for user accounts.  The use of plain text passwords is NOT advised as support for this feature is no longer maintained in Microsoft Windows products.  If you want to use plain text passwords you must set this parameter to no.
-**guest ok = yes** allow "guest" access on the samba share.  This mean users will _not_ have to log in.
-**guest only = yes** all machines accessing the shares will be guests.
-**hosts allow = 10.10.10.0/255.255.255.0 127.0.0.1** We are going to allow the entire 10.10.10/24 network as well as localhost.
-**hosts deny = all** is to deny any host not listed in "hosts allow".
-**interfaces = em1** says that we want to bind to the interface em1.  Note: if we also used "bind interfaces only" then samba will bind to the primary ip on the em1 interface.
-**invalid users = admin_user root** No windows share should ever try to log in with the names "admin_user" or "root".
-**load printers = no** in the example we do not have any printers, so we will disable this feature.  By disabling printers the share will not show up to the clients and this reduces confusion.
-**max connections = 10** limits the amount of clients samba will allow access to, to no more than 10.
-**netbios name = samba** is the name in the "()" windows clients will see.  If the name of our server was "Samba Share (samba)".
-**preferred master = yes** says that the samba server will always win the vote for the master server on a windows network.  This boolean parameter controls if nmbd(8) is a preferred master browser for its workgroup.  If this is set to yes, on startup, nmbd will force an election, and it will have a slight advantage in winning the election.  It is recommended that this parameter is used in conjunction with domain master = yes, so that nmbd can guarantee becoming a domain master.  Use this option with caution, because if there are several hosts (whether Samba servers, Windows 95 or NT) that are preferred master browsers on the same subnet, they will each periodically and continuously attempt to become the local master browser.  This will result in unnecessary broadcast traffic and reduced browsing capabilities.
-**preserve case = no** goes with "default case = lower" and means samba will not keep the uppper case characters.
-printable = no goes with "load printers = no" as we do not have any printers on this server.
-security = share is the security level of the windows shares. With share-level security, the server accepts only a password without an explicit username from the client. The server expects a password for each share, independent of the username. There have been recent reports that Microsoft Windows clients have compatibility issues with share-level security servers. Samba developers strongly discourage use of share-level security.
-server string = Samba Share is the name windows clients will see. If the name of our server was "Samba Share (samba)".
-socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536 SO_SNDBUF=65536 are specifically speed up options for samba to windows connectivity. Socket options are controls on the networking layer of the operating systems which allow the connection to be tuned. This option will typically be used to tune your Samba server for optimal performance for your local network. There is no way that Samba can know what the optimal parameters are for your net, so you must experiment and choose them yourself. We strongly suggest you read the appropriate documentation for your operating system first (perhaps man setsockopt will help). You may find that on some systems Samba will say "Unknown socket option" when you supply an option. This means you either incorrectly typed it or you need to add an include file to includes.h for your OS. Any of the supported socket options may be combined in any way you like, as long as your OS allows it.
-strict syn = no and sync always = no are disabled to speed up samba. Strict syncing is normally used if you are paranoid about data lose in the transfer of files. We have never seen this problem in the real world.
-syslog = 1 says we are going to log to the syslog fascility.
-syslog only = yes means that only the syslog facility will be receiving logs from samba.
-workgroup = WORKGROUP This controls what workgroup your server will appear to be in when queried by clients. Note that this parameter also controls the Domain name used with the security = domain setting.
-Share Definitions
-incoming: The masks are the creating permissions for new files and directories. The directive "path" is the mount point samba will allow clients to see. "writeable = yes" means this mount point is read/write enabled.
-archive: The directive "path" is the mont point samba will allow clients to see and "writeable = no" means this is a read only share.
-Starting the install
-Step 1: Install samba from package or from source. For the example we are using the package from OpenBSD which is Samba v3.01.
-Step 2: Place the smb.conf file from above into the /etc/samba/ directory named smb.conf . You should backup the default smb.conf file the package places there for future reference if you want to.
-Step 3: Setup the directories we are going to share files from. The two directories "archive" and "incoming" are under /big_disk in the example. The windows machines are going to access samba shares as the "nobody" user. Thusly, all files and directories we want the windows share to access must be accessible by the user "nobody". For admin purposes we also are going to use the user "admin_user". The admin_user can do cleanup and move files from "incoming" to "archive" for read only access if needed.
-    achive: chmod 750 and chown admin_user:nobody
-    incoming: chmod 770 and chown admin_user:nobody
-This is what our example structure would look like.
-admin_user@machine: ls -la /big_disk/
-drwxr-xr-x  11 root        wheel   512 Jan 10 10:20 .
-drwxr-xr-x  16 root        wheel   512 Jan 10 10:20 ..
-drwxr-x---   8 admin_user  nobody  512 Jan 10 10:20 archive
-drwxrwx---   2 admin_user  nobody  512 Jan 10 10:20 incoming
-Executing the deamon
-To start samba now that it is installed and the smb.conf from above is in place we can use the following lines. Two daemons actually make up the samba service, smbd and nmbd. You can execute the following lines by hand to start samba now.
-/usr/local/libexec/smbd /etc/samba/smb.conf
-/usr/local/libexec/nmbd /etc/samba/smb.conF
-To start samba at boot, place the following in your /etc/rc.local
-# samba ( /etc/rc.local )
-if [ -x /usr/local/libexec/smbd ]; then
-   echo -n ' samba'
-   /usr/local/libexec/smbd /etc/samba/smb.conf
-   /usr/local/libexec/nmbd /etc/samba/smb.conf
-fi
-Re-read the smb.conf after making any changes
-After you make any modifications to the smb.conf file you will need to notify the smbd and nmbd daemons of the changes. To do this, you can restart Samba by manually killing smbd/nmbd and starting them again or send a HUP to smbd/nmbd. The HUP will tell both daemons to reread the config file without actually having to restart. Either option will work.
-## Option: manually kill and start on OpenBSD
- pkill smbd;pkill nmbd
- /usr/local/libexec/smbd /etc/samba/smb.conf
- /usr/local/libexec/nmbd /etc/samba/smb.conf
-## Option: HUP on OpenBSD
- kill -HUP `cat /var/run/smbd.pid`
- kill -HUP `cat /var/run/nmbd.pid`
-Mounting a smbfs/cifs network export
-To mount the samba partion to a linux or BSD box on the network you can use the following line. Place it in the /etc/fstab on the machine you want to mount from.
-In this example we have two machines, samba_box which runs samba and another machine called BSD_box where we want to see the files from. This line will mount the directory /big_disk/archive from //samba_box to /dir_name on BSD_box. The mount will be read only and log in as guest. This works fine with the example smb.conf from above.
-## /etc/fstab
-## Samba mount (from BSD_box to samba_box)
-//samba_box/big_disk/archive   /dir_name   cifs   ro,username=guest,password=guest 0 0
-Questions?
-How about optimizations and speed improvemnts for samba?Make sure to check out the calomel.org Samba Optimization and Speed Tuning. Many of the speed options are already in the example, but if you add more functionality make sure to check what to watch out for. There are options you could add that will slow samba significantly.
-How can I log what files are accessed what is done with those files and by whom?You need to use at least samba-2.2.7a and use the audit.so module. The samba source code has what you need. Check out the information in ~samba/examples/VFS/audit.c and in the README file in that directory.