Show Table of Contents
16.1.2. Verifying the
16.1.5.3.2. The
16.1.5.4.1. Using the
16.1.5.4.2. Using the
16.1.5.4.2.1. Prerequisites of the
16.1.5.4.2.2. Configuring the
16.1.5.4.3. Using the
16.1.5.4.3.1. Benefits and Drawbacks of Using the
16.1.5.4.3.2. Configuring the
16.1.5.4.4. Using the
16.1.5.4.4.1. Benefits and Drawbacks of Using the
16.1.5.4.4.2. Configuring the
16.1.8.1. The Samba
16.1.10.1. Using the
16.1.10.1.1. Using the
16.1.10.1.2. Using the
16.1.10.1.4. Using the
16.1.10.2. Using the
16.1.10.3. Using the
16.1.10.4. Using the
16.1.10.5. Using the
16.1.10.5.1. Using
16.1.10.5.2. Using
16.1.10.6. Using the
16.1.10.7. Using the
16.1.10.8. Using the
16.1.10.9. Using the
16.1.10.10. Using the
16.1.10.11. Using the
Chapter 16. File and Print Servers
This chapter guides you through the installation and configuration of Samba, an open source implementation of the Server Message Block (SMB) and common Internet file system (
CIFS) protocol, and vsftpd, the primary FTP server shipped with Red Hat Enterprise Linux. Additionally, it explains how to use the Print Settings tool to configure printers.
16.1. Samba
Samba implements the Server Message Block (SMB) protocol in Red Hat Enterprise Linux. The SMB protocol is used to access resources on a server, such as file shares and shared printers. Additionally, Samba implements the Distributed Computing Environment Remote Procedure Call (DCE RPC) protocol used by Microsoft Windows.
You can run Samba as:
- An Active Directory (AD) or NT4 domain member
- A standalone server
- An NT4 Primary Domain Controller (PDC) or Backup Domain Controller (BDC)
Note
Red Hat supports these modes only in existing installations with Windows versions which support NT4 domains. Red Hat recommends not setting up a new Samba NT4 domain, because Microsoft operating systems later than Windows 7 and Windows Server 2008 R2 do not support NT4 domains.
Independently of the installation mode, you can optionally share directories and printers. This enables Samba to act as a file and print server.
Note
Red Hat does not support running Samba as an AD domain controller (DC).
16.1.1. The Samba Services
Samba provides the following services:
smbd- This service provides file sharing and printing services using the SMB protocol. Additionally, the service is responsible for resource locking and for authenticating connecting users. The
smbsystemdservice starts and stops thesmbddaemon.To use thesmbdservice, install the samba package. nmbd- This service provides host name and IP resolution using the NetBIOS over IPv4 protocol. Additionally to the name resolution, the
nmbdservice enables browsing the SMB network to locate domains, work groups, hosts, file shares, and printers. For this, the service either reports this information directly to the broadcasting client or forwards it to a local or master browser. Thenmbsystemdservice starts and stops thenmbddaemon.Note that modern SMB networks use DNS to resolve clients and IP addresses.To use thenmbdservice, install the samba package. winbindd- The
winbinddservice provides an interface for the Name Service Switch (NSS) to use AD or NT4 domain users and groups on the local system. This enables, for example, domain users to authenticate to services hosted on a Samba server or to other local services. Thewinbindsystemdservice starts and stops thewinbindddaemon.If you set up Samba as a domain member,winbinddmust be started before thesmbdservice. Otherwise, domain users and groups are not available to the local system.To use thewinbinddservice, install the samba-winbind package.Important
Red Hat only supports running Samba as a server with thewinbinddservice to provide domain users and groups to the local system. Due to certain limitations, such as missing Windows access control list (ACL) support and NT LAN Manager (NTLM) fallback, the System Security Services Daemon (SSSD) is not supported.
16.1.2. Verifying the smb.conf File by Using the testparm Utility
The
testparm utility verifies that the Samba configuration in the /etc/samba/smb.conf file is correct. The utility detects invalid parameters and values, but also incorrect settings, such as for ID mapping. If testparm reports no problem, the Samba services will successfully load the /etc/samba/smb.conf file. Note that testparm cannot verify that the configured services will be available or work as expected.
Important
Red Hat recommends that you verify the
/etc/samba/smb.conf file by using testparm after each modification of this file.
To verify the
/etc/samba/smb.conf file, run the testparm utility as the root user. If testparm reports incorrect parameters, values, or other errors in the configuration, fix the problem and run the utility again.
Example 16.1. Using testparm
The following output reports a non-existent parameter and an incorrect ID mapping configuration:
~]# testparm Load smb config files from /etc/samba/smb.conf rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384) Unknown parameter encountered: "log levell" Processing section "[example_share]" Loaded services file OK. ERROR: The idmap range for the domain * (tdb) overlaps with the range of DOMAIN (ad)! Server role: ROLE_DOMAIN_MEMBER Press enter to see a dump of your service definitions # Global parameters [global] ... [example_share] ...
16.1.3. Understanding the Samba Security Modes
The
security parameter in the [global] section in the /etc/samba/smb.conf file manages how Samba authenticates users that are connecting to the service. Depending on the mode you install Samba in, the parameter must be set to different values:
- On an AD domain member, set
security=ads.In this mode, Samba uses Kerberos to authenticate AD users.For details about setting up Samba as a domain member, see Section 16.1.5, “Setting up Samba as a Domain Member”. - On a standalone server, set
security=user.In this mode, Samba uses a local database to authenticate connecting users.For details about setting up Samba as a standalone server, see Section 16.1.4, “Setting up Samba as a Standalone Server”. - On an NT4 PDC or BDC, set
security=user.In this mode, Samba authenticates users to a local or LDAP database. - On an NT4 domain member, set
security=domain.In this mode, Samba authenticates connecting users to an NT4 PDC or BDC. You cannot use this mode on AD domain members.For details about setting up Samba as a domain member, see Section 16.1.5, “Setting up Samba as a Domain Member”.
For further details, see the description of the
security parameter in the smb.conf(5) man page.
16.1.4. Setting up Samba as a Standalone Server
In certain situations, administrators want to set up a Samba server that is not a member of a domain. In this installation mode, Samba authenticates users to a local database instead of to a central DC. Additionally, you can enable guest access to allow users to connect to one or multiple services without authentication.
16.1.4.1. Setting up the Server Configuration for the Standalone Server
To set up Samba as a standalone server:
Procedure 16.1. Setting up Samba as a Standalone Server
- Install the samba package:
~]# yum install samba
- Edit the
/etc/samba/smb.conffile and set the following parameters:[global] workgroup = Example-WG netbios name = Server security = user log file = /var/log/samba/%m.log log level = 1
This configuration defines a standalone server namedServerwithin theExample-WGwork group. Additionally, this configuration enables logging on a minimal level (1) and log files will be stored in the/var/log/samba/directory. Samba will expand the%mmacro in thelog fileparameter to the NetBIOS name of connecting clients. This enables individual log files for each client.For further details, see the parameter descriptions in the smb.conf(5) man page. - Configure file or printer sharing. See:
- Verify the
/etc/samba/smb.conffile:~]# testparm
- If you set up shares that require authentication, create the user accounts. For details, see Section 16.1.4.2, “Creating and Enabling Local User Accounts”.
- Open the required ports and reload the firewall configuration by using the
firewall-cmdutility:~]# firewall-cmd --permanent --add-port={139/tcp,445/tcp} ~]# firewall-cmd --reload - Start the
smbservice:~]# systemctl start smb
- Optionally, enable the
smbservice to start automatically when the system boots:~]# systemctl enable smb
16.1.4.2. Creating and Enabling Local User Accounts
To enable users to authenticate when they connect to a share, you must create the accounts on the Samba host both in the operating system and in the Samba database. Samba requires the operating system account to validate the Access Control Lists (ACL) on file system objects and the Samba account to authenticate connecting users.
If you use the
passdb backend = tdbsam default setting, Samba stores user accounts in the /var/lib/samba/private/passdb.tdb database.
For example, to create the
example Samba user:
Procedure 16.2. Creating a Samba User
- Create the operating system account:
~]# useradd -M -s /sbin/nologin example
The previous command adds theexampleaccount without creating a home directory. If the account is only used to authenticate to Samba, assign the/sbin/nologincommand as shell to prevent the account from logging in locally. - Set a password to the operating system account to enable it:
~]# passwd example Enter new UNIX password: password Retype new UNIX password: password passwd: password updated successfully
Samba does not use the password set on the operating system account to authenticate. However, you need to set a password to enable the account. If an account is disabled, Samba denies access if this user connects. - Add the user to the Samba database and set a password to the account:
~]# smbpasswd -a example New SMB password: password Retype new SMB password: password Added user example.
Use this password to authenticate when using this account to connect to a Samba share. - Enable the Samba account:
~]# smbpasswd -e example Enabled user example.
16.1.5. Setting up Samba as a Domain Member
Administrators running an AD or NT4 domain often want to use Samba to join their Red Hat Enterprise Linux server as a member to the domain. This enables you to:
- Access domain resources on other domain members
- Authenticate domain users to local services, such as
sshd - Share directories and printers hosted on the server to act as a file and print server
16.1.5.1. Joining a Domain
To join a Red Hat Enterprise Linux system to a domain:
Procedure 16.3. Joining a Red Hat Enterprise Linux System to a Domain
- Install the following packages:
~]# yum install realmd oddjob-mkhomedir oddjob samba-winbind-clients \ samba-winbind samba-common-tools - If you join an AD, additionally install the samba-winbind-krb5-locator package:
~]# yum install samba-winbind-krb5-locator
This plug-in enables Kerberos to locate the Key Distribution Center (KDC) based on AD sites using DNS service records. - Optionally, rename the existing
/etc/samba/smb.confSamba configuration file:~]# mv /etc/samba/smb.conf /etc/samba/smb.conf.old
- Join the domain. For example, to join a domain named
ad.example.com~]# realm join --client-software=winbind ad.example.com
Using the previous command, therealmutility automatically:- Creates a
/etc/samba/smb.conffile for a membership in thead.example.comdomain - Adds the
winbindmodule for user and group lookups to the/etc/nsswitch.conffile - Configures the Kerberos client in the
/etc/krb5.conffile for the AD membership - Updates the Pluggable Authentication Module (PAM) configuration files in the
/etc/pam.d/directory - Starts the
winbindservice and enables the service to start when the system boots
For further details about therealmutility, see the realm(8) man page and the corresponding section in the Red Hat Windows Integration Guide. - Optionally, set an alternative ID mapping back end or customized ID mapping settings in the
/etc/samba/smb.conffile. For details, see Section 16.1.5.3, “Understanding ID Mapping”. - Optionally, verify the configuration. See Section 16.1.5.2, “Verifying That Samba Was Correctly Joined As a Domain Member”.
- Start the
winbinddandsmbdservice:# systemctl start winbindd # systemctl start smbd
Important
To enable Samba to query domain user and group information, thewinbinddservice must be running before you startsmbd.
16.1.5.2. Verifying That Samba Was Correctly Joined As a Domain Member
After you joined a Red Hat Enterprise Linux as a domain member, you can run different tests to verify that the join succeeded. See:
Verifying That the Operating System Can Retrieve Domain User Accounts and Groups
Use the
getent utility to verify that the operating system can retrieve domain users and groups. For example:
- To query the
administratoraccount in theADdomain:~]# getent passwd AD\\administrator AD\administrator:*:10000:10000::/home/administrator@AD:/bin/bash
- To query the members of the
Domain Usersgroup in theADdomain:~]# getent group "AD\\Domain Users" AD\domain users:x:10000:user
If the command works correctly, verify that you can use domain users and groups when you set permissions on files and directories. For example, to set the owner of the
/srv/samba/example.txt file to administrator and the group to Domain Admins:
~]# chown administrator:"Domain Admins" /srv/samba/example.txt
Verifying If AD Domain Users Can Obtain a Kerberos Ticket
In an AD environment, users can obtain a Kerberos ticket from the DC. For example, to verify if the
administrator user can obtain a Kerberos ticket:
Note
To use the
kinit and klist utilities, install the krb5-workstation package on the Samba domain member.
Procedure 16.4. Obtaining a Kerberos Ticket
- Obtain a ticket for the
administrator@AD.EXAMPLE.COMprincipal:~]# kinit administrator@AD.EXAMPLE.COM
- Display the cached Kerberos ticket:
~]# klist Ticket cache: KEYRING:persistent:0:0 Default principal: administrator@AD.EXAMPLE.COM Valid starting Expires Service principal 11.09.2017 14:46:21 12.09.2017 00:46:21 krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM renew until 18.09.2017 14:46:19
Listing the Available Domains
To list all domains available through the
winbindd service, enter:
~]# wbinfo --all-domains
If Samba was successfully joined as a domain member, the command displays the built-in and local host name, as well as the domain Samba is a member of including trusted domains.
Example 16.2. Displaying the Available Domains
~]# wbinfo --all-domains BUILTIN SAMBA-SERVER AD
16.1.5.3. Understanding ID Mapping
Windows domains distinguish users and groups by unique Security Identifiers (SID). However, Linux requires unique UIDs and GIDs for each user and group. If you run Samba as a domain member, the
winbindd service is responsible for providing information about domain users and groups to the operating system.
To enable the
winbindd service to provide unique IDs for users and groups to Linux, you must configure ID mapping in the /etc/samba/smb.conf file for:
- The local database (default domain)
- The AD or NT4 domain the Samba server is a member of
- Each trusted domain from which users must be able to access resources on this Samba server
16.1.5.3.1. Planning ID Ranges
Regardless of whether you store the Linux UIDs and GIDs in AD or if you configure Samba to generate them, each domain configuration requires a unique ID range that must not overlap with any of the other domains.
Warning
If you set overlapping ID ranges, Samba fails to work correctly.
Example 16.3. Unique ID Ranges
The following shows non-overlapping ID mapping ranges for the default (
*), AD-DOM, and the TRUST-DOM domains.
[global] ... idmap config * : backend = tdb idmap config * : range = 10000-999999 idmap config AD-DOM:backend = rid idmap config AD-DOM:range = 2000000-2999999 idmap config TRUST-DOM:backend = rid idmap config TRUST-DOM:range = 4000000-4999999
Important
You can only assign one range per domain. Therefore, leave enough space between the domains ranges. This enables you to extend the range later if your domain grows.
If you later assign a different range to a domain, the ownership of files and directories previously created by these users and groups will be lost.
16.1.5.3.2. The * Default Domain
In a domain environment, you add one ID mapping configuration for each of the following:
- The domain the Samba server is a member of
- Each trusted domain that should be able to access the Samba server
However, for all other objects, Samba assigns IDs from the default domain. This includes:
- Local Samba users and groups
- Samba built-in accounts and groups, such as
BUILTIN\Administrators
Important
You must configure the default domain as described in this section to enable Samba to operate correctly.
The default domain back end must be writable to permanently store the assigned IDs.
For the default domain, you can use one of the following back ends:
tdb- When you configure the default domain to use the
tdbback end, set an ID range that is big enough to include objects that will be created in the future and that are not part of a defined domain ID mapping configuration.For example, set the following in the[global]section in the/etc/samba/smb.conffile:idmap config * : backend = tdb idmap config * : range = 10000-999999
For further details, see Section 16.1.5.4.1, “Using thetdbID Mapping Back End”. autorid- When you configure the default domain to use the
autoridback end, adding additional ID mapping configurations for domains is optional.For example, set the following in the[global]section in the/etc/samba/smb.conffile:idmap config * : backend = autorid idmap config * : range = 10000-999999
For further details, see Section 16.1.5.4.4.2, “Configuring theautoridBack End”.
16.1.5.4. The Different ID Mapping Back Ends
Samba provides different ID mapping back ends for specific configurations. The most frequently used back ends are:
Table 16.1. Frequently Used ID Mapping Back Ends
| Back End | Use Case |
|---|---|
tdb | The * default domain only |
ad | AD domains only |
rid | AD and NT4 domains |
autorid | AD, NT4, and the * default domain |
The following sections describe the benefits, recommended scenarios where to use the back end, and how to configure it.
16.1.5.4.1. Using the tdb ID Mapping Back End
The
winbindd service uses the writable tdb ID mapping back end by default to store Security Identifier (SID), UID, and GID mapping tables. This includes local users, groups, and built-in principals.
Use this back end only for the
* default domain. For example:
idmap config * : backend = tdb idmap config * : range = 10000-999999
For further details about the
* default domain, see Section 16.1.5.3.2, “The * Default Domain”.
16.1.5.4.2. Using the ad ID Mapping Back End
The
ad ID mapping back end implements a read-only API to read account and group information from AD. This provides the following benefits:
- All user and group settings are stored centrally in AD.
- User and group IDs are consistent on all Samba servers that use this back end.
- The IDs are not stored in a local database which can corrupt, and therefore file ownerships cannot be lost.
The
ad back end reads the following attributes from AD:
Table 16.2. Attributes the ad Back End Reads from User and Group Objects
| AD Attribute Name | Object Type | Mapped to |
|---|---|---|
sAMAccountName | User and group | User or group name, depending on the object |
uidNumber | User | User ID (UID) |
gidNumber | Group | Group ID (GID) |
loginShell [a] | User | Path to the shell of the user |
unixHomeDirectory [a] | User | Path to the home directory of the user |
primaryGroupID [b] | User | Primary group ID |
[a]
Samba only reads this attribute if you set idmap config DOMAIN:unix_nss_info = yes.
[b]
Samba only reads this attribute if you set idmap config DOMAIN:unix_primary_group = yes.
| ||
16.1.5.4.2.1. Prerequisites of the ad Back End
To use the
ad ID mapping back end:
- Both users and groups must have unique IDs set in AD, and the IDs must be within the range configured in the
/etc/samba/smb.conffile. Objects whose IDs are outside of the range will not be available on the Samba server. - Users and groups must have all required attributes set in AD. If required attributes are missing, the user or group will not be available on the Samba server. The required attributes depend on your configuration. See Table 16.2, “Attributes the
adBack End Reads from User and Group Objects”.
16.1.5.4.2.2. Configuring the ad Back End
To configure a Samba AD member to use the
ad ID mapping back end:
Procedure 16.5. Configuring the ad Back End on a Domain Member
- Edit the
[global]section in the/etc/samba/smb.conffile:- Add an ID mapping configuration for the default domain (
*) if it does not exist. For example:idmap config * : backend = tdb idmap config * : range = 10000-999999
For further details about the default domain configuration, see Section 16.1.5.3.2, “The*Default Domain”. - Enable the
adID mapping back end for the AD domain:idmap config DOMAIN : backend = ad
- Set the range of IDs that is assigned to users and groups in the AD domain. For example:
idmap config DOMAIN : range = 2000000-2999999
Important
The range must not overlap with any other domain configuration on this server. Additionally, the range must be set big enough to include all IDs assigned in the future. For further details, see Section 16.1.5.3.1, “Planning ID Ranges”. - Set that Samba uses the RFC 2307 schema when reading attributes from AD:
idmap config DOMAIN : schema_mode = rfc2307
- To enable Samba to read the login shell and the path to the users home directory from the corresponding AD attribute, set:
idmap config DOMAIN : unix_nss_info = yes
Alternatively, you can set a uniform domain-wide home directory path and login shell that is applied to all users. For example:template shell = /bin/bash template homedir = /home/%U
For details about variable substitution, see the VARIABLE SUBSTITUTIONS section in the smb.conf(5) man page. - By default, Samba uses the
primaryGroupIDattribute of a user object as the user's primary group on Linux. Alternatively, you can configure Samba to use the value set in thegidNumberattribute instead:idmap config DOMAIN : unix_primary_group = yes
- Verify the
/etc/samba/smb.conffile:~]# testparm
- Reload the Samba configuration:
~]# smbcontrol all reload-config
- Verify that the settings work as expected. See the section called “Verifying That the Operating System Can Retrieve Domain User Accounts and Groups”.
For further details, see the smb.conf(5) and idmap_ad(8) man pages.
16.1.5.4.3. Using the rid ID Mapping Back End
Samba can use the relative identifier (RID) of a Windows SID to generate an ID on Red Hat Enterprise Linux.
Note
The RID is the last part of a SID. For example, if the SID of a user is
S-1-5-21-5421822485-1151247151-421485315-30014, then 30014 is the corresponding RID. For details, how Samba calculates the local ID, see the idmap_rid(8) man page.
The
rid ID mapping back end implements a read-only API to calculate account and group information based on an algorithmic mapping scheme for AD and NT4 domains. When you configure the back end, you must set the lowest and highest RID in the idmap config DOMAIN : range parameter. Samba will not map users or groups with a lower or higher RID than set in this parameter.
Important
As a read-only back end,
rid cannot assign new IDs, such as for BUILTIN groups. Therefore, do not use this back end for the * default domain.
16.1.5.4.3.1. Benefits and Drawbacks of Using the rid Back End
Benefits
- All domain users and groups that have an RID within the configured range are automatically available on the domain member.
- You do not need to manually assign IDs, home directories, and login shells.
Drawbacks
- All domain users get the same login shell and home directory assigned. However, you can use variables.
- User and group IDs are only the same across Samba domain members if all use the
ridback end with the same ID range settings. - You cannot exclude individual users or groups from being available on the domain member. Only users and groups outside of the configured range are excluded.
- Based on the formulas the
winbinddservice uses to calculate the IDs, duplicate IDs can occur in multi-domain environments if objects in different domains have the same RID.
16.1.5.4.3.2. Configuring the rid Back End
To configure a Samba domain member to use the
rid ID mapping back end:
Procedure 16.6. Configuring the rid Back End on a Domain Member
- Edit the
[global]section in the/etc/samba/smb.conffile:- Add an ID mapping configuration for the default domain (
*) if it does not exist. For example:idmap config * : backend = tdb idmap config * : range = 10000-999999
For further details about the default domain configuration, see Section 16.1.5.3.2, “The*Default Domain”. - Enable the
ridID mapping back end for the domain:idmap config DOMAIN : backend = rid
- Set a range that is big enough to include all RIDs that will be assigned in the future. For example:
idmap config DOMAIN : range = 2000000-2999999
Samba ignores users and groups whose RIDs in this domain are not within the range.Important
The range must not overlap with any other domain configuration on this server. For further details, see Section 16.1.5.3.1, “Planning ID Ranges”. - Set a shell and home directory path that will be assigned to all mapped users. For example:
template shell = /bin/bash template homedir = /home/%U
For details about variable substitution, see the VARIABLE SUBSTITUTIONS section in the smb.conf(5) man page.
- Verify the
/etc/samba/smb.conffile:~]# testparm
- Reload the Samba configuration:
~]# smbcontrol all reload-config
- Verify that the settings work as expected. See the section called “Verifying That the Operating System Can Retrieve Domain User Accounts and Groups”.
16.1.5.4.4. Using the autorid ID Mapping Back End [2]
The
autorid back end works similar to the rid ID mapping back end, but can automatically assign IDs for different domains. This enables you to use the autorid back end in the following situations:
- Only for the
*default domain. - For the
*default domain and additional domains, without the need to create ID mapping configurations for each of the additional domains. - Only for specific domains.
16.1.5.4.4.1. Benefits and Drawbacks of Using the autorid Back End
Benefits
- All domain users and groups whose calculated UID and GID is within the configured range are automatically available on the domain member.
- You do not need to manually assign IDs, home directories, and login shells.
- No duplicate IDs, even if multiple objects in a multi-domain environment have the same RID.
Drawbacks
- User and group IDs are not the same across Samba domain members.
- All domain users get the same login shell and home directory assigned. However, you can use variables.
- You cannot exclude individual users or groups from being available on the domain member. Only users and groups whose calculated UID or GID is outside of the configured range are excluded.
16.1.5.4.4.2. Configuring the autorid Back End
To configure a Samba domain member to use the
autorid ID mapping back end for the * default domain:
Note
If you use
autorid for the default domain, adding additional ID mapping configuration for domains is optional.
Procedure 16.7. Configuring the autorid Back End on a Domain Member
- Edit the
[global]section in the/etc/samba/smb.conffile:- Enable the
autoridID mapping back end for the*default domain:idmap config * : backend = autorid
- Set a range that is big enough to assign IDs for all existing and future objects. For example:
idmap config * : range = 10000-999999
Samba ignores users and groups whose calculated IDs in this domain are not within the range. For details about how the back end calculated IDs, see the THE MAPPING FORMULAS section in the idmap_autorid(8) man page.Warning
After you set the range and Samba starts using it, you can only increase the upper limit of the range. Any other change to the range can result in new ID assignments, and thus in loosing file ownerships. - Optionally, set a range size. For example:
idmap config * : rangesize = 200000
Samba assigns this number of continuous IDs for each domain's object until all IDs from the range set in theidmap config * : rangeparameter are taken. For further details, see therangesizeparameter description in the idmap_autorid(8) man page. - Set a shell and home directory path that will be assigned to all mapped users. For example:
template shell = /bin/bash template homedir = /home/%U
For details about variable substitution, see the VARIABLE SUBSTITUTIONS section in the smb.conf(5) man page. - Optionally, add additional ID mapping configuration for domains. If no configuration for an individual domain is available, Samba calculates the ID using the
autoridback end settings in the previously configured*default domain.Important
If you configure additional back ends for individual domains, the ranges for all ID mapping configuration must not overlap. For further details, see Section 16.1.5.3.1, “Planning ID Ranges”.
- Verify the
/etc/samba/smb.conffile:~]# testparm
- Reload the Samba configuration:
~]# smbcontrol all reload-config
- Verify that the settings work as expected. See the section called “Verifying That the Operating System Can Retrieve Domain User Accounts and Groups”.
16.1.6. Integrating a Samba File Server Into an IdM Domain
If you run Red Hat Identity Management (IdM) and Samba in your environment, you can configure the Samba server to authenticate IdM users using Kerberos when they access a share.
For details, see the corresponding section in the Red Hat Windows Integration Guide.
16.1.8. Setting up a Samba Print Server [5]
If you set up Samba as a print server, clients in your network can use Samba to print. Additionally, Windows clients can, if configured, download the driver from the Samba server.
Before you can share a printer, set up Samba:
16.1.8.1. The Samba spoolssd Service
The Samba
spoolssd is a service that is integrated into the smbd service. Enable spoolssd in the Samba configuration to significantly increase the performance on print servers with a high number of jobs or printers.
Without
spoolssd, Samba forks the smbd process and initializes the printcap cache for each print job. In case of a large number of printers, the smbd service can become unresponsive for multiple seconds while the cache is initialized. The spoolssd service enables you to start pre-forked smbd processes that are processing print jobs without any delays. The main spoolssd smbd process uses a low amount of memory, and forks and terminates child processes.
To enable the
spoolssd service:
Procedure 16.15. Enabling the spoolssd Service
- Edit the
[global]section in the/etc/samba/smb.conffile:- Add the following parameters:
rpc_server:spoolss = external rpc_daemon:spoolssd = fork
- Optionally, you can set the following parameters:
Parameter Default Description spoolssd:prefork_min_children 5 Minimum number of child processes spoolssd:prefork_max_children 25 Maximum number of child processes spoolssd:prefork_spawn_rate 5 Samba forks the number of new child processes set in this parameter, up to the value set in spoolssd:prefork_max_children, if a new connection is establishedspoolssd:prefork_max_allowed_clients 100 Number of clients, a child process serves spoolssd:prefork_child_min_life 60 Minimum lifetime of a child process in seconds. 60 seconds is the minimum.
- Verify the
/etc/samba/smb.conffile:~]# testparm
- Restart the
smbservice:~]# systemctl restart smb
After you restarted the service, Samba automatically starts
smbd child processes:
~]# ps axf ... 30903 smbd 30912 \_ smbd 30913 \_ smbd 30914 \_ smbd 30915 \_ smbd ...
16.1.8.2. Enabling Print Server Support in Samba
To enable the print server support:
Procedure 16.16. Enabling Print Server Support in Samba
- On the Samba server, set up CUPS and add the printer to the CUPS back end. For details, see Section 16.3, “Print Settings”.
Note
Samba can only forward the print jobs to CUPS if CUPS is installed locally on the Samba print server. - Edit the
/etc/samba/smb.conffile:- If you want to enable the
spoolssdservice, add the following parameters to the[global]section:rpc_server:spoolss = external rpc_daemon:spoolssd = fork
For further details, see Section 16.1.8.1, “The SambaspoolssdService”. - To configure the printing back end, add the
[printers]section:[printers] comment = All Printers path = /var/tmp/ printable = yes create mask = 0600
Important
Theprintersshare name is hard-coded and cannot be changed.
- Verify the
/etc/samba/smb.conffile:~]# testparm
- Open the required ports and reload the firewall configuration using the
firewall-cmdutility:~]# firewall-cmd --permanent --add-service=samba ~]# firewall-cmd --reload
- Restart the
smbservice:~]# systemctl restart smb
After restarting the service, Samba automatically shares all printers that are configured in the CUPS back end. If you want to manually share only specific printers, see Section 16.1.8.3, “Manually Sharing Specific Printers”.
16.1.8.3. Manually Sharing Specific Printers
If you configured Samba as a print server, by default, Samba shares all printers that are configured in the CUPS back end. To share only specific printers:
Procedure 16.17. Manually Sharing a Specific Printer
- Edit the
/etc/samba/smb.conffile:- In the
[global]section, disable automatic printer sharing by setting:load printers = no
- Add a section for each printer you want to share. For example, to share the printer named
examplein the CUPS back end asExample-Printerin Samba, add the following section:[Example-Printer] path = /var/tmp/ printable = yes printer name = example
You do not need individual spool directories for each printer. You can set the same spool directory in thepathparameter for the printer as you set in the[printers]section.
- Verify the
/etc/samba/smb.conffile:~]# testparm
- Reload the Samba configuration:
~]# smbcontrol all reload-config
16.1.8.4. Setting up Automatic Printer Driver Downloads for Windows Clients [6]
If you are running a Samba print server for Windows clients, you can upload drivers and preconfigure printers. If a user connects to a printer, Windows automatically downloads and installs the driver locally on the client. The user does not require local administrator permissions for the installation. Additionally, Windows applies preconfigured driver settings, such as the number of trays.
Note
Before setting up automatic printer driver download, must configure Samba as a print server and share a printer. For details, see Section 16.1.8, “Setting up a Samba Print Server ”.
16.1.8.4.1. Basic Information about Printer Drivers
This section provides general information about printer drivers.
Supported Driver Model Version
Samba only supports the printer driver model version 3 which is supported in Windows 2000 and later, and Windows Server 2000 and later. Samba does not support the driver model version 4, introduced in Windows 8 and Windows Server 2012. However, these and later Windows versions also support version 3 drivers.
Package-aware Drivers
Samba does not support package-aware drivers.
Preparing a Printer Driver for Being Uploaded
Before you can upload a driver to a Samba print server:
- Unpack the driver if it is provided in a compressed format.
- Some drivers require to start a setup application that installs the driver locally on a Windows host. In certain situations, the installer extracts the individual files into the operating system's temporary folder during the setup runs. To use the driver files for uploading:
- Start the installer.
- Copy the files from the temporary folder to a new location.
- Cancel the installation.
Ask your printer manufacturer for drivers that support uploading to a print server.
Providing 32-bit and 64-bit Drivers for a Printer to a Client
To provide the driver for a printer for both 32-bit and 64-bit Windows clients, you must upload a driver with exactly the same name for both architectures. For example, if you are uploading the 32-bit driver named
Example PostScript and the 64-bit driver named Example PostScript (v1.0), the names do not match. Consequently, you can only assign one of the drivers to a printer and the driver will not be available for both architectures.
16.1.8.4.2. Enabling Users to Upload and Preconfigure Drivers
To be able to upload and preconfigure printer drivers, a user or a group needs to have the
SePrintOperatorPrivilege privilege granted. For example, to grant the privilege to the printadmin group:
~]# net rpc rights grant "printadmin" SePrintOperatorPrivilege \
-U "DOMAIN\administrator"
Enter DOMAIN\administrator's password:
Successfully granted rights.Note
In a domain environment, grant
SePrintOperatorPrivilege to a domain group. This enables you to centrally manage the privilege by updating a user's group membership.
To list all users and groups having
SePrintOperatorPrivilege granted:
~]# net rpc rights list privileges SePrintOperatorPrivilege \
-U "DOMAIN\administrator"
Enter administrator's password:
SePrintOperatorPrivilege:
BUILTIN\Administrators
DOMAIN\printadmin16.1.8.4.4. Creating a GPO to Enable Clients to Trust the Samba Print Server
For security reasons, recent Windows operating systems prevent clients from downloading non-package-aware printer drivers from an untrusted server. If your print server is a member in an AD, you can create a Group Policy Object (GPO) in your domain to trust the Samba server.
To create GPOs, the Windows computer you are using must have the Windows Remote Server Administration Tools (RSAT) installed. For details, see your Windows documentation.
Procedure 16.19. Creating a GPO to Enable Clients to Trust the Samba Print Server
- Log into a Windows computer using an account that is allowed to edit group policies, such as the AD domain
Administratoruser. - Open the Group Policy Management Console.
- Right-click to your AD domain and select Create a GPO in this domain, and Link it here
- Enter a name for the GPO, such as Legacy printer Driver Policy and click . The new GPO will be displayed under the domain entry.
- Right-click to the newly-created GPO and select Edit to open the Group Policy Management Editor.
- Navigate to → → → .
- On the right side of the window, double-click Point and Print Restriction to edit the policy:
- Enable the policy and set the following options:
- Select Users can only point and print to these servers and enter the fully-qualified domain name (FQDN) of the Samba print server to the field next to this option.
- In both check boxes under Security Prompts, select Do not show warning or elevation prompt.
- Click .
- Double-click Package Point and Print - Approved servers to edit the policy:
- Enable the policy and click the button.
- Enter the FQDN of the Samba print server.
- Close both the Show Contents and policy properties window by clicking .
- Close the Group Policy Management Editor.
- Close the Group Policy Management Console.
After the Windows domain members applied the group policy, printer drivers are automatically downloaded from the Samba server when a user connects to a printer.
For further details about using group policies, see your Windows documentation.
16.1.8.4.5. Uploading Drivers and Preconfiguring Printers
Use the Print Management application on a Windows client to upload drivers and preconfigure printers hosted on the Samba print server. For further details, see your Windows documentation.
16.1.9. Tuning the Performance of a Samba Server [7]
This section describes what settings can improve the performance of Samba in certain situations, and which settings can have a negative performance impact.
16.1.9.1. Setting the SMB Protocol Version
Each new SMB version adds features and improves the performance of the protocol. The recent Windows and Windows Server operating systems always supports the latest protocol version. If Samba also uses the latest protocol version, Windows clients connecting to Samba benefit from the performance improvements. In Samba, the default value of the
server max protocol is set to the latest supported stable SMB protocol version.
To always have the latest stable SMB protocol version enabled, do not set the
server max protocol parameter. If you set the parameter manually, you will need to modify the setting with each new version of the SMB protocol, to have the latest protocol version enabled.
To unset, remove the
server max protocol parameter from the [global] section in the /etc/samba/smb.conf file.
16.1.9.3. Settings That Can Have a Negative Performance Impact
By default, the kernel in Red Hat Enterprise Linux is tuned for high network performance. For example, the kernel uses an auto-tuning mechanism for buffer sizes. Setting the
socket options parameter in the /etc/samba/smb.conf file overrides these kernel settings. As a result, setting this parameter decreases the Samba network performance in most cases.
To use the optimized settings from the Kernel, remove the
socket options parameter from the [global] section in the /etc/samba/smb.conf.
16.1.10. Frequently Used Samba Command-line Utilities
This section describes frequently used commands when working with a Samba server.
16.1.10.1. Using the net Utility
The
net utility enables you to perform several administration tasks on a Samba server. This section describes the most frequently used subcommands of the net utility.
For further details, see the net(8) man page.
16.1.10.1.1. Using the net ads join and net rpc join Commands
Using the
join subcommand of the net utility, you can join Samba to an AD or NT4 domain. To join the domain, you must create the /etc/samba/smb.conf file manually, and optionally update additional configurations, such as PAM.
Important
Red Hat recommends using the
realm utility to join a domain. The realm utility automatically updates all involved configuration files. For details, see Section 16.1.5.1, “Joining a Domain”.
To join a domain using the
net command:
Procedure 16.21. Joining a Domain Using the net Command
- Manually create the
/etc/samba/smb.conffile with the following settings:- For an AD domain member:
[global] workgroup = domain_name security = ads passdb backend = tdbsam realm = AD_REALM
- For an NT4 domain member:
[global] workgroup = domain_name security = user passdb backend = tdbsam
- Add an ID mapping configuration for the
*default domain and for the domain you want to join to the[global]section in the/etc/samba/smb.conf. For details, see Section 16.1.5.3, “Understanding ID Mapping”. - Verify the
/etc/samba/smb.conffile:~]# testparm
- Join the domain as the domain administrator:
- To join an AD domain:
~]# net ads join -U "DOMAIN\administrator"
- To join an NT4 domain:
~]# net rpc join -U "DOMAIN\administrator"
- Append the
winbindsource to thepasswdandgroupdatabase entry in the/etc/nsswitch.conffile:passwd: files winbind group: files winbind
- Enable and start the
winbindservice:~]# systemctl enable winbind ~]# systemctl start winbind
- Optionally, configure PAM using the
authconfutility.For details, see the Using Pluggable Authentication Modules (PAM) section in the Red Hat System-Level Authentication Guide. - Optionally for AD environments, configure the Kerberos client.For details, see the Configuring a Kerberos Client section in the Red Hat System-Level Authentication Guide.
16.1.10.1.2. Using the net rpc rights Command
In Windows, you can assign privileges to accounts and groups to perform special operations, such as setting ACLs on a share or upload printer drivers. On a Samba server, you can use the
net rpc rights command to manage privileges.
Listing Privileges
To list all available privileges and their owners, use the
net rpc rights list command. For example:
net rpc rights list -U "DOMAIN\administrator"
Enter DOMAIN\administrator's password:
SeMachineAccountPrivilege Add machines to domain
SeTakeOwnershipPrivilege Take ownership of files or other objects
SeBackupPrivilege Back up files and directories
SeRestorePrivilege Restore files and directories
SeRemoteShutdownPrivilege Force shutdown from a remote system
SePrintOperatorPrivilege Manage printers
SeAddUsersPrivilege Add users and groups to the domain
SeDiskOperatorPrivilege Manage disk shares
SeSecurityPrivilege System security
Granting Privileges
To grant a privilege to an account or group, use the
net rpc rights grant command.
For example, grant the
SePrintOperatorPrivilege privilege to the DOMAIN\printadmin group:
~]# net rpc rights grant "DOMAIN\printadmin" SePrintOperatorPrivilege \
-U "DOMAIN\administrator"
Enter DOMAIN\administrator's password:
Successfully granted rights.Revoking Privileges
To revoke a privilege from an account or group, use the
net rpc rights revoke.
For example, to revoke the
SePrintOperatorPrivilege privilege from the DOMAIN\printadmin group:
~]# net rpc rights remoke "DOMAIN\printadmin" SePrintOperatorPrivilege \
-U "DOMAIN\administrator"
Enter DOMAIN\administrator's password:
Successfully revoked rights.16.1.10.1.4. Using the net user Command
The
net user command enables you to perform the following actions on an AD DC or NT4 PDC:
- List all user accounts
- Add users
- Remove Users
Note
Specifying a connection method, such as
ads for AD domains or rpc for NT4 domains, is only required when you list domain user accounts. Other user-related subcommands can auto-detect the connection method.
Pass the
-U user_name parameter to the command to specify a user that is allowed to perform the requested action.
Listing Domain User Accounts
To list all users in an AD domain:
~]# net ads user -U "DOMAIN\administrator"
To list all users in an NT4 domain:
~]# net rpc user -U "DOMAIN\administrator"
Adding a User Account to the Domain
On a Samba domain member, you can use the
net user add command to add a user account to the domain.
For example, add the
user account to the domain:
Procedure 16.22. Adding a User Account to the Domain
- Add the account:
~]# net user add user password -U "DOMAIN\administrator" User user added
- Optionally, use the remote procedure call (RPC) shell to enable the account on the AD DC or NT4 PDC. For example:
~]# net rpc shell -U DOMAIN\administrator -S DC_or_PDC_name Talking to domain DOMAIN (S-1-5-21-1424831554-512457234-5642315751) net rpc> user edit disabled user no Set user's disabled flag from [yes] to [no] net rpc> exit
Deleting a User Account from the Domain
On a Samba domain member, you can use the
net user delete command to remove a user account from the domain.
For example, to remove the
user account from the domain:
~]# net user delete user -U "DOMAIN\administrator" User user deleted
16.1.10.2. Using the rpcclient Utility
The
rpcclient utility enables you to manually execute client-side Microsoft Remote Procedure Call (MS-RPC) functions on a local or remote SMB server. However, most of the features are integrated into separate utilities provided by Samba. Use rpcclient only for testing MS-PRC functions.
For example, you can use the utility to:
- Manage the printer Spool Subsystem (SPOOLSS).
Example 16.9. Assigning a Driver to a Printer
~]# rpcclient server_name -U "DOMAIN\administrator" \ -c 'setdriver "printer_name" "driver_name"' Enter DOMAIN\administrators password: Successfully set printer_name to driver driver_name. - Retrieve information about an SMB server.
Example 16.10. Listing all File Shares and Shared Printers
~]# rpcclient server_name -U "DOMAIN\administrator" -c 'netshareenum' Enter DOMAIN\administrators password: netname: Example_Share remark: path: C:\srv\samba\example_share\ password: netname: Example_Printer remark: path: C:\var\spool\samba\ password:
- Perform actions using the Security Account Manager Remote (SAMR) protocol.
Example 16.11. Listing Users on an SMB Server
~]# rpcclient server_name -U "DOMAIN\administrator" -c 'enumdomusers' Enter DOMAIN\administrators password: user:[user1] rid:[0x3e8] user:[user2] rid:[0x3e9]
If you run the command against a standalone server or a domain member, it lists the users in the local database. Running the command against an AD DC or NT4 PDC lists the domain users.
For a complete list of supported subcommands, see COMMANDS section in the rpcclient(1) man page.
16.1.10.3. Using the samba-regedit Application
Certain settings, such as printer configurations, are stored in the registry on the Samba server. You can use the ncurses-based
samba-regedit application to edit the registry of a Samba server.
To start the application, enter:
~]# samba-regedit
Use the following keys:
- Cursor up and cursor down: Navigate through the registry tree and the values.
- Enter: Opens a key or edits a value.
- Tab: Switches between the Key and Value pane.
- Ctrl+C: Closes the application.
16.1.10.4. Using the smbcacls Utility
16.1.10.5. Using the smbclient Utility
The
smbclient utility enables you to access file shares on an SMB server, similarly to a command-line FTP client. You can use it, for example, to upload and download files to and from a share.
For example, to authenticate to the
example share hosted on server using the DOMAIN\user account:
~]# smbclient -U "DOMAIN\user" //server/example Enter domain\user's password: Domain=[SERVER] OS=[Windows 6.1] Server=[Samba 4.6.2] smb: \>
After
smbclient connected successfully to the share, the utility enters the interactive mode and shows the following prompt:
smb: \>
To display all available commands in the interactive shell, enter:
smb: \> help
To display the help for a specific command, enter:
smb: \> help command_name
For further details and descriptions of the commands available in the interactive shell, see the smbclient(1) man page.
16.1.10.5.1. Using smbclient in Interactive Mode
If you use
smbclient without the -c parameter, the utility enters the interactive mode.
The following procedure shows how to connect to an SMB share and download a file from a subdirectory:
Procedure 16.23. Downloading a File from an SMB Share Using smbclient
- Connect to the share:
~]# smbclient -U "DOMAIN\user_name" //server_name/share_name
- Change into the
/example/directory:smb: \> cd /example/
- List the files in the directory:
smb: \example\> ls . D 0 Mon Sep 1 10:00:00 2017 .. D 0 Mon Sep 1 10:00:00 2017 example.txt N 1048576 Mon Sep 1 10:00:00 2017 9950208 blocks of size 1024. 8247144 blocks available - Download the
example.txtfile:smb: \example\> get example.txt getting file \directory\subdirectory\example.txt of size 1048576 as example.txt (511975,0 KiloBytes/sec) (average 170666,7 KiloBytes/sec)
- Disconnect from the share:
smb: \example\> exit
16.1.10.5.2. Using smbclient in Scripting Mode
If you pass the
-c commands parameter to smbclient, you can automatically execute the commands on the remote SMB share. This enables you to use smbclient in scripts.
The following command shows how to connect to an SMB share and download a file from a subdirectory:
~]# smbclient -U DOMAIN\user_name //server_name/share_name \
-c "cd /example/ ; get example.txt ; exit"16.1.10.6. Using the smbcontrol Utility
The
smbcontrol utility enables you to send command messages to the smbd, nmbd, winbindd, or all of these services. These control messages instruct the service, for example, to reload its configuration.
Example 16.12. Reloading the Configuration of the smbd, nmbd, and winbindd Service
For example, to reload the configuration of the
smbd, nmbd, winbindd, send the reload-config message-type to the all destination:
~]# smbcontrol all reload-config
For further details and a list of available command message types, see the smbcontrol(1) man page.
16.1.10.7. Using the smbpasswd Utility
The
smbpasswd utility manages user accounts and passwords in the local Samba database.
If you run the command as a user,
smbpasswd changes the Samba password of the user. For example:
[user@server ~]$ smbpasswd New SMB password: Retype new SMB password:
If you run
smbpasswd as the root user, you can use the utility, for example, to:
- Create a new user:
[root@server ~]# smbpasswd -a user_name New SMB password: Retype new SMB password: Added user user_name.
Note
Before you can add a user to the Samba database, you must create the account in the local operating system. See Section 4.3.1, “Adding a New User” - Enable a Samba user:
[root@server ~]# smbpasswd -e user_name Enabled user user_name.
- Disable a Samba user:
[root@server ~]# smbpasswd -x user_name Disabled user user_name.
- Delete a user:
[root@server ~]# smbpasswd -x user_name Deleted user user_name.
For further details, see the smbpasswd(8) man page.
16.1.10.8. Using the smbstatus Utility
The
smbstatus utility reports on:
- Connections per PID of each
smbddaemon to the Samba server. This report includes the user name, primary group, SMB protocol version, encryption, and signing information. - Connections per Samba share. This report includes the PID of the
smbddaemon, the IP of the connecting machine, the time stamp when the connection was established, encryption, and signing information. - A list of locked files. The report entries include further details, such as opportunistic lock (oplock) types
Example 16.13. Output of the smbstatus Utility
~]# smbstatus Samba version 4.6.2 PID Username Group Machine Protocol Version Encryption Signing ----------------------------------------------------------------------------------------------------------------------------- 963 DOMAIN\administrator DOMAIN\domain users client-pc (ipv4:192.0.2.1:57786) SMB3_02 - AES-128-CMAC Service pid Machine Connected at Encryption Signing: ------------------------------------------------------------------------------- example 969 192.0.2.1 Mo Sep 1 10:00:00 2017 CEST - AES-128-CMAC Locked files: Pid Uid DenyMode Access R/W Oplock SharePath Name Time ------------------------------------------------------------------------------------------------------------ 969 10000 DENY_WRITE 0x120089 RDONLY LEASE(RWH) /srv/samba/example file.txt Mon Sep 1 10:00:00 2017
For further details, see the smbstatus(1) man page.
16.1.10.9. Using the smbtar Utility
The
smbtar utility backs up the content of an SMB share or a subdirectory of it and stores the content in a tar archive. Alternatively, you can write the content to a tape device.
For example, to back up the content of the
demo directory on the //server/example/ share and store the content in the /root/example.tar archive:
~]# smbtar -s server -x example -u user_name -p password -t /root/example.tar
For further details, see the smbtar(1) man page.
16.1.10.10. Using the testparm Utility
16.1.10.11. Using the wbinfo Utility
The
wbinfo utility queries and returns information created and used by the winbindd service.
Note
The
winbindd service must be configured and running to use wbinfo.
You can use
wbinfo, for example, to:
- List domain users:
~]# wbinfo -u AD\administrator AD\guest ...
- List domain groups:
~]# wbinfo -g AD\domain computers AD\domain admins AD\domain users ...
- Display the SID of a user:
~]# wbinfo --name-to-sid="AD\administrator" S-1-5-21-1762709870-351891212-3141221786-500 SID_USER (1)
- Display information about domains and trusts:
~]# wbinfo --trusted-domains --verbose Domain Name DNS Domain Trust Type Transitive In Out BUILTIN None Yes Yes Yes server None Yes Yes Yes DOMAIN1 domain1.example.com None Yes Yes Yes DOMAIN2 domain2.example.com External No Yes Yes
For further details, see the wbinfo(1) man page.
16.1.11. Additional Resources
- The Red Hat Samba packages include manual pages for all Samba commands and configuration files the package installs. For example, to display the man page of the
/etc/samba/smb.conffile that explains all configuration parameters you can set in this file:~]# man 5 smb.conf
/usr/share/docs/samba-version/: Contains general documentation, example scripts, and LDAP schema files, provided by the Samba project.- Red Hat Cluster Storage Administration Guide: Provides information about setting up Samba and the Clustered Trivial Database (CDTB) to share directories stored on an GlusterFS volume.
- The An active/active Samba Server in a Red Hat High Availability Cluster chapter in the Red Hat Enterprise Linux High Availability Add-on Administration guide describes how to up a Samba high-availability installation.
- For details about mounting an SMB share on Red Hat Enterprise Linux, see the corresponding section in the Red Hat Storage Administration Guide.
[2]
Parts of this section were adopted from the idmap config autorid documentation published in the Samba Wiki. License: CC BY 4.0. Authors and contributors: See the history tab on the Wiki page.
[5]
Parts of this section were adopted from the Setting up Samba as a Print Server documentation published in the Samba Wiki. License: CC BY 4.0. Authors and contributors: See the history tab on the Wiki page.
[6]
Parts of this section were adopted from the Setting up Automatic Printer Driver Downloads for Windows Clients documentation published in the Samba Wiki. License: CC BY 4.0. Authors and contributors: See the history tab on the Wiki page.
[7]
Parts of this section were adopted from the Performance Tuning documentation published in the Samba Wiki. License: CC BY 4.0. Authors and contributors: See the history tab on the Wiki page.
Where did the comment section go?
Red Hat's documentation publication system recently went through an upgrade to enable speedier, more mobile-friendly content. We decided to re-evaluate our commenting platform to ensure that it meets your expectations and serves as an optimal feedback mechanism. During this redesign, we invite your input on providing feedback on Red Hat documentation via the discussion platform.