Ubuntu - Samba - Samba Configuration

This example configuration will server out data from two directories.

The “archive” directory will be read only for items we want everyone to see, but never change.

The “incoming” directory will be read/write for all users. Sort of a /tmp on a windows share allowing users to make data available to others. The incoming directory will also be a place the windows machines can put data that an admin can move to the archive section manually. This is a perfect solution for a home LAN or small corporate network.

/etc/samba/smb.conf

#============= Global Settings =======================#
 
[global]
   bind interfaces only = yes
   deadtime = 15
   default case = lower
   disable netbios = yes
   dns proxy = no
   domain master = yes
   encrypt passwords = true
   guest ok = yes
   guest only = yes
   hosts allow = 10.10.10.0/255.255.255.0 127.0.0.1
   hosts deny = all
   interfaces = em1
   invalid users = nobody root
   load printers = no
   max connections = 10
   netbios name = samba
   preferred master = yes
   preserve case = no
   printable = no
   security = share
   server string = Samba Share
   socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536 SO_SNDBUF=65536
   strict sync = no
   sync always = no
   syslog = 1
   syslog only = yes
   workgroup = WORKGROUP
 
#============ Share Definitions =======================#
 
[incoming]
        create mask = 0400
        directory mask = 0700
        path = /big_disk/incoming
        writeable = yes
 
[archive]
        path = /big_disk/archive
        writeable = no

• bind interfaces only = yes says that samba will only bind to the default ip of an interface.

• deadtime = 15 is the amount of minutes samba will consider an idle connection with a windows machine to be dead.

• default case = lower means all file and directory names will be forced into lower case format.

• disable netbios = yes we do not need netbios broadcasts for the windows shares so we can disable it. Our clients will be told where the share is located. Clients that only support netbios won't be able to see your samba server when netbios support is disabled.

• dns proxy = no is disabled. If enabled, this specifies that nmbd when acting as a WINS server and finding that a NetBIOS name has not been registered, should treat the NetBIOS name word-for-word as a DNS name and do a lookup with the DNS server for that name on behalf of the name-querying client.

• domain master = yes means the samba server will take over as the “domain master” no mater what the vote is from windows machines. On the test network the samba server is the only server so this is fine. Tell smbd(8) to enable WAN-wide browse list collation. Setting this option causes nmbd to claim a special domain specific NetBIOS name that identifies it as a domain master browser for its given workgroup. Local master browsers in the same workgroup on broadcast-isolated subnets will give this nmbd their local browse lists, and then ask smbd(8) for a complete copy of the browse list for the whole wide area network. Browser clients will then contact their local master browser, and will receive the domain-wide browse list, instead of just the list for their broadcast-isolated subnet.

• encrypt passwords = true you will need to encrypt passwords to talk to windows 2000/XP/Vista machines. This boolean controls whether encrypted passwords will be negotiated with the client. Note that Windows NT 4.0 SP3 and above and also Windows 98 will by default expect encrypted passwords unless a registry entry is changed. To use encrypted passwords in Samba see the chapter “User Database” in the Samba HOWTO Collection. MS Windows clients that expect Microsoft encrypted passwords and that do not have plain text password support enabled will be able to connect only to a Samba server that has encrypted password support enabled and for which the user accounts have a valid encrypted password. Refer to the smbpasswd command man page for information regarding the creation of encrypted passwords for user accounts. The use of plain text passwords is NOT advised as support for this feature is no longer maintained in Microsoft Windows products. If you want to use plain text passwords you must set this parameter to no.

• guest ok = yes allow “guest” access on the samba share. This mean users will _not_ have to log in.

• guest only = yes all machines accessing the shares will be guests.

• hosts allow = 10.10.10.0/255.255.255.0 127.0.0.1 We are going to allow the entire 10.10.10/24 network as well as localhost.

• hosts deny = all is to deny any host not listed in “hosts allow”.

• interfaces = em1 says that we want to bind to the interface em1. Note: if we also used “bind interfaces only” then samba will bind to the primary ip on the em1 interface.

• invalid users = admin_user root No windows share should ever try to log in with the names “admin_user” or “root”.

• load printers = no in the example we do not have any printers, so we will disable this feature. By disabling printers the share will not show up to the clients and this reduces confusion.

• max connections = 10 limits the amount of clients samba will allow access to, to no more than 10.

• netbios name = samba is the name in the “()” windows clients will see. If the name of our server was “Samba Share (samba)”.

• preferred master = yes says that the samba server will always win the vote for the master server on a windows network. This boolean parameter controls if nmbd(8) is a preferred master browser for its workgroup. If this is set to yes, on startup, nmbd will force an election, and it will have a slight advantage in winning the election. It is recommended that this parameter is used in conjunction with domain master = yes, so that nmbd can guarantee becoming a domain master. Use this option with caution, because if there are several hosts (whether Samba servers, Windows 95 or NT) that are preferred master browsers on the same subnet, they will each periodically and continuously attempt to become the local master browser. This will result in unnecessary broadcast traffic and reduced browsing capabilities.

• preserve case = no goes with “default case = lower” and means samba will not keep the uppper case characters.

• printable = no goes with “load printers = no” as we do not have any printers on this server.

• security = share is the security level of the windows shares. With share-level security, the server accepts only a password without an explicit username from the client. The server expects a password for each share, independent of the username. There have been recent reports that Microsoft Windows clients have compatibility issues with share-level security servers. Samba developers strongly discourage use of share-level security.

• server string = Samba Share is the name windows clients will see. If the name of our server was “Samba Share (samba)”.

• socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536 SO_SNDBUF=65536 are specifically speed up options for samba to windows connectivity. Socket options are controls on the networking layer of the operating systems which allow the connection to be tuned. This option will typically be used to tune your Samba server for optimal performance for your local network. There is no way that Samba can know what the optimal parameters are for your net, so you must experiment and choose them yourself. We strongly suggest you read the appropriate documentation for your operating system first (perhaps man setsockopt will help). You may find that on some systems Samba will say “Unknown socket option” when you supply an option. This means you either incorrectly typed it or you need to add an include file to includes.h for your OS. Any of the supported socket options may be combined in any way you like, as long as your OS allows it.

• strict syn = no and sync always = no are disabled to speed up samba. Strict syncing is normally used if you are paranoid about data lose in the transfer of files. We have never seen this problem in the real world.

• syslog = 1 says we are going to log to the syslog fascility.

• syslog only = yes means that only the syslog facility will be receiving logs from samba.

• workgroup = WORKGROUP This controls what workgroup your server will appear to be in when queried by clients. Note that this parameter also controls the Domain name used with the security = domain setting.

• incoming: The masks are the creating permissions for new files and directories. The directive “path” is the mount point samba will allow clients to see. “writeable = yes” means this mount point is read/write enabled.

• archive: The directive “path” is the mont point samba will allow clients to see and “writeable = no” means this is a read only share.

Step 1: Install samba from package or from source. For the example we are using the package from OpenBSD which is Samba v3.01.

Step 2: Place the smb.conf file from above into the /etc/samba/ directory named smb.conf. You should backup the default smb.conf file the package places there for future reference if you want to.

Step 3: Setup the directories we are going to share files from. The two directories “archive” and “incoming” are under /big_disk in the example. The windows machines are going to access samba shares as the “nobody” user. Thusly, all files and directories we want the windows share to access must be accessible by the user “nobody”. For admin purposes we also are going to use the user “admin_user”. The admin_user can do cleanup and move files from “incoming” to “archive” for read only access if needed.

• achive: chmod 750 and chown admin_user:nobody
• incoming: chmod 770 and chown admin_user:nobody

This is what our example structure would look like.

admin_user@machine: ls -la /big_disk/
drwxr-xr-x  11 root        wheel   512 Jan 10 10:20 .
drwxr-xr-x  16 root        wheel   512 Jan 10 10:20 ..
drwxr-x---   8 admin_user  nobody  512 Jan 10 10:20 archive
drwxrwx---   2 admin_user  nobody  512 Jan 10 10:20 incoming

To start samba now that it is installed and the smb.conf from above is in place we can use the following lines. Two daemons actually make up the samba service, smbd and nmbd. You can execute the following lines by hand to start samba now.

/usr/local/libexec/smbd /etc/samba/smb.conf
/usr/local/libexec/nmbd /etc/samba/smb.conF

To start samba at boot, place the following in your /etc/rc.local

/etc/rc.local

# samba ( /etc/rc.local )
if [ -x /usr/local/libexec/smbd ]; then
   echo -n ' samba'
   /usr/local/libexec/smbd /etc/samba/smb.conf
   /usr/local/libexec/nmbd /etc/samba/smb.conf
fi

Re-read the smb.conf after making any changes

After you make any modifications to the smb.conf file you will need to notify the smbd and nmbd daemons of the changes. To do this, you can restart Samba by manually killing smbd/nmbd and starting them again or send a HUP to smbd/nmbd. The HUP will tell both daemons to reread the config file without actually having to restart. Either option will work.

## Option: manually kill and start on OpenBSD
pkill smbd;pkill nmbd
/usr/local/libexec/smbd /etc/samba/smb.conf
/usr/local/libexec/nmbd /etc/samba/smb.conf
 
## Option: HUP on OpenBSD
kill -HUP `cat /var/run/smbd.pid`
kill -HUP `cat /var/run/nmbd.pid`

To mount the samba partition to a Linux or BSD box on the network you can use the following line.

Place it in the /etc/fstab on the machine you want to mount from.

In this example we have two machines, samba_box which runs samba and another machine called BSD_box where we want to see the files from. This line will mount the directory /big_disk/archive from //samba_box to /dir_name on BSD_box. The mount will be read only and log in as guest. This works fine with the example smb.conf from above.

/etc/fstab

## Samba mount (from BSD_box to samba_box)
//samba_box/big_disk/archive   /dir_name   cifs   ro,username=guest,password=guest 0 0