22.6. Samba Server Types and the smb.conf File
/etc/samba/smb.confconfiguration file. Although the default
smb.conffile is well documented, it does not address complex topics such as LDAP, Active Directory, and the numerous domain controller implementations.
smb.conffile for a successful configuration.
22.6.1. Stand-alone Server
220.127.116.11. Anonymous Read-Only
smb.conffile shows a sample configuration needed to implement anonymous read-only file sharing. The
security = shareparameter makes a share anonymous. Note, security levels for a single Samba server cannot be mixed. The
securitydirective is a global Samba parameter located in the
[global]configuration section of the
[global] workgroup = DOCS netbios name = DOCS_SRV security = share [data] comment = Documentation Samba Server path = /export read only = Yes guest only = Yes
18.104.22.168. Anonymous Read/Write
smb.conffile shows a sample configuration needed to implement anonymous read/write file sharing. To enable anonymous read/write file sharing, set the
read onlydirective to
force groupdirectives are also added to enforce the ownership of any newly placed files specified in the share.
force user) and group (
force group) in the
[global] workgroup = DOCS netbios name = DOCS_SRV security = share [data] comment = Data path = /export force user = docsbot force group = users read only = No guest ok = Yes
22.214.171.124. Anonymous Print Server
smb.conffile shows a sample configuration needed to implement an anonymous print server. Setting
noas shown does not list the printer in Windows Network Neighborhood. Although hidden from browsing, configuring the printer explicitly is possible. By connecting to
DOCS_SRVusing NetBIOS, the client can have access to the printer if the client is also part of the
DOCSworkgroup. It is also assumed that the client has the correct local printer driver installed, as the
use client driverdirective is set to
Yes. In this case, the Samba server has no responsibility for sharing printer drivers to the client.
[global] workgroup = DOCS netbios name = DOCS_SRV security = share printcap name = cups disable spools= Yes show add printer wizard = No printing = cups [printers] comment = All Printers path = /var/spool/samba guest ok = Yes printable = Yes use client driver = Yes browseable = Yes
126.96.36.199. Secure Read/Write File and Print Server
smb.conffile shows a sample configuration needed to implement a secure read/write print server. Setting the
userforces Samba to authenticate client connections. Notice the
[homes]share does not have a
force groupdirective as the
[public]share does. The
[homes]share uses the authenticated user details for any files created as opposed to the
[global] workgroup = DOCS netbios name = DOCS_SRV security = user printcap name = cups disable spools = Yes show add printer wizard = No printing = cups [homes] comment = Home Directories valid users = %S read only = No browseable = No [public] comment = Data path = /export force user = docsbot force group = users guest ok = Yes [printers] comment = All Printers path = /var/spool/samba printer admin = john, ed, @admins create mask = 0600 guest ok = Yes printable = Yes use client driver = Yes browseable = Yes
22.6.2. Domain Member Server
188.8.131.52. Active Directory Domain Member Server
smb.conffile shows a sample configuration needed to implement an Active Directory domain member server. In this example, Samba authenticates users for services being run locally but is also a client of the Active Directory. Ensure that your kerberos
realmparameter is shown in all caps (for example
realm = EXAMPLE.COM). Since Windows 2000/2003 requires Kerberos for Active Directory authentication, the
realmdirective is required. If Active Directory and Kerberos are running on different servers, the
password serverdirective may be required to help the distinction.
[global] realm = EXAMPLE.COM security = ADS encrypt passwords = yes # Optional. Use only if Samba cannot determine the Kerberos server automatically. password server = kerberos.example.com
- Configuration of the
smb.conffile on the member server
- Configuration of Kerberos, including the
/etc/krb5.conffile, on the member server
- Creation of the machine account on the Active Directory domain server
- Association of the member server to the Active Directory domain
kinitcommand is a Kerberos initialization script that references the Active Directory administrator account and Kerberos realm. Since Active Directory requires Kerberos tickets,
kinitobtains and caches a Kerberos ticket-granting ticket for client/server authentication. For more information on Kerberos, the
/etc/krb5.conffile, and the
kinitcommand, refer to Section 48.6, “Kerberos”.
net ads join -S windows1.example.com -U administrator%password
windows1was automatically found in the corresponding Kerberos realm (the
kinitcommand succeeded), the
netcommand connects to the Active Directory server using its required administrator account and password. This creates the appropriate machine account on the Active Directory and grants permissions to the Samba domain member server to join the domain.
security = adsand not
security = useris used, a local password backend such as
smbpasswdis not needed. Older clients that do not support
security = adsare authenticated as if
security = domainhad been set. This change does not affect functionality and allows local users not previously in the domain.
184.108.40.206. Windows NT4-based Domain Member Server
smb.conffile shows a sample configuration needed to implement a Windows NT4-based domain member server. Becoming a member server of an NT4-based domain is similar to connecting to an Active Directory. The main difference is NT4-based domains do not use Kerberos in their authentication method, making the
smb.conffile simpler. In this instance, the Samba member server functions as a pass through to the NT4-based domain server.
[global] workgroup = DOCS netbios name = DOCS_SRV security = domain [homes] comment = Home Directories valid users = %S read only = No browseable = No [public] comment = Data path = /export force user = docsbot force group = users guest ok = Yes
smb.conffile to convert the server to a Samba-based PDC. If Windows NT-based servers are upgraded to Windows 2000/2003, the
smb.conffile is easily modifiable to incorporate the infrastructure change to Active Directory if needed.
smb.conffile, join the domain before starting Samba by typing the following command as root:
net rpc join -U administrator%password
-Soption, which specifies the domain server hostname, does not need to be stated in the
net rpc joincommand. Samba uses the hostname specified by the
workgroupdirective in the
smb.conffile instead of it being stated explicitly.
22.6.3. Domain Controller
220.127.116.11. Primary Domain Controller (PDC) using
tdbsampassword database backend. Planned to replace the aging
tdbsamhas numerous improvements that are explained in more detail in Section 22.8, “Samba Account Information Databases”. The
passdb backenddirective controls which backend is to be used for the PDC.
[global] workgroup = DOCS netbios name = DOCS_SRV passdb backend = tdbsam security = user add user script = /usr/sbin/useradd -m "%u" delete user script = /usr/sbin/userdel -r "%u" add group script = /usr/sbin/groupadd "%g" delete group script = /usr/sbin/groupdel "%g" add user to group script = /usr/sbin/usermod -G "%g" "%u" add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null -g machines "%u" # The following specifies the default logon script # Per user logon scripts can be specified in the user # account using pdbedit logon script = logon.bat # This sets the default profile path. # Set per user paths with pdbedit logon drive = H: domain logons = Yes os level = 35 preferred master = Yes domain master = Yes [homes] comment = Home Directories valid users = %S read only = No [netlogon] comment = Network Logon Service path = /var/lib/samba/netlogon/scripts browseable = No read only = No # For profiles to work, create a user directory under the # path shown.
mkdir -p /var/lib/samba/profiles/john[Profiles] comment = Roaming Profile Share path = /var/lib/samba/profiles read only = No browseable = No guest ok = Yes profile acls = Yes # Other resource shares ... ...
tdbsamfollow these steps:
- Use a configuration of the
smb.conffile as shown in the example above.
- Add the root user to the Samba password database.
smbpasswd -a rootProvide the password here.
- Start the
- Make sure all profile, user, and netlogon directories are created.
- Add groups that users can be members of.
groupadd -f users
groupadd -f nobody
groupadd -f ntadmins
- Associate the UNIX groups with their respective Windows groups.
net groupmap add ntgroup="Domain Users" unixgroup=users
net groupmap add ntgroup="Domain Guests" unixgroup=nobody
net groupmap add ntgroup="Domain Admins" unixgroup=ntadmins
- Grant access rights to a user or a group. For example, to grant the right to add client machines to the domain on a Samba domain controller, to the members to the Domain Admins group, execute the following command:
net rpc rights grant 'DOCS\Domain Admins' SetMachineAccountPrivilege -S PDC -U root
tdbsamauthentication backend. LDAP is recommended in these cases.