Using Samba

Robert Eckstein, David Collier-Brown, Peter Kelly
1st Edition November 1999
1-56592-449-5, Order Number: 4495
416 pages, $34.95


F. Sample Configuration File

This appendix gives an example of a production smb.conf file and looks at how many of the options are used in practice. The following is a slightly disguised version of one we used at a corporation with five Linux servers, five Windows for Workgroups clients and three NT Workstation clients:


# smb.conf -- File Server System for: 1 Example.COM  BSC & Management Office 

[global]

	workgroup = 1EG_BSC

	interfaces = 10.10.1.14/24 

We provide this service on only one of the machine's interfaces. The interfaces option sets its address and netmask, where /24 is the same as using the netmask 255.255.255.0:


	comment = Samba ver. %v

	preexec = csh -c `echo /usr/samba/bin/smbclient \
                     -M %m -I %I` &

We use the preexec command to log information about all connections by machine name (%m) and IP address (%I):


	# smbstatus will output various info on current status

	status = yes

	browseable = yes

	printing = bsd



	# the username that will be used for access to services

	# specified with 'guest = ok'

	guest account = samba 

The default guest account was nobody, uid -1, which produced log messages on one of our machines saying "your server is being unfriendly," so we created a specific Samba guest account for browsing and printing:


	# superuser account - admin privileges to shares, with no

	# restrictions

	# WARNING - use this with care: files can be modified,

	# regardless of file permissions

	admin users = root



	# who is NOT allowed to connect to ANY service

	invalid users = @wheel, mail, daemon, adt

Daemons can't use Samba, only people. The invalid users option closes a security hole; it prevents intruders from breaking in by pretending to be a daemon process.


	# hosts that are ALLOWED or DENIED from connecting to ANY service

	hosts allow = 10.10.1.

	hosts deny = 10.10.1.6
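
How the two lists above combine, as an added example (not from the book): a simplified Python model of the host check described in smb.conf(5), where the allow list wins a conflict and a client on neither list is admitted once both lists are set. Loopback, hostname and netgroup handling are left out, the client addresses are constructed, and the `TIGHTENED` setting is an assumption about the intent.

```python
import ipaddress

def _match(token, ip):
    """Match one list entry: ALL, a dotted prefix such as '10.10.1.', a CIDR, or an IP."""
    if token.upper() == "ALL":
        return True
    if token.endswith("."):
        return ip.startswith(token)
    if "/" in token:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(token, strict=False)
    return ip == token

def _list_match(tokens, ip):
    """'A B EXCEPT C' matches when A or B matches and C does not."""
    upper = [t.upper() for t in tokens]
    if "EXCEPT" in upper:
        i = upper.index("EXCEPT")
        return _list_match(tokens[:i], ip) and not _list_match(tokens[i + 1:], ip)
    return any(_match(t, ip) for t in tokens)

def allow_access(hosts_allow, hosts_deny, ip):
    """Simplified model of the host check (no loopback, hostname or netgroup cases)."""
    allow = hosts_allow.replace(",", " ").split()
    deny = hosts_deny.replace(",", " ").split()
    if not allow and not deny:
        return True
    if not deny:
        return _list_match(allow, ip)      # allow list only: everyone else is refused
    if not allow:
        return not _list_match(deny, ip)   # deny list only: everyone else is admitted
    if _list_match(allow, ip):
        return True                        # both lists: allow wins a conflict
    return not _list_match(deny, ip)       # both lists: unlisted clients are admitted

# (hosts allow, hosts deny) pairs; AS_WRITTEN is the pair used in this appendix.
AS_WRITTEN = ("10.10.1.", "10.10.1.6")
TIGHTENED = ("10.10.1. EXCEPT 10.10.1.6", "")   # assumed intent, expressed with EXCEPT

def compare(ip):
    """Return (admitted as written, admitted with the tightened setting)."""
    return allow_access(*AS_WRITTEN, ip), allow_access(*TIGHTENED, ip)

if __name__ == "__main__":
    for ip in ("10.10.1.20", "10.10.1.6", "192.168.5.9"):   # constructed clients
        print(ip, compare(ip))
```

Under this model the `hosts deny = 10.10.1.6` line has no effect as written, and a client outside 10.10.1. is admitted as well; the `EXCEPT` form refuses both.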

	

	# where the lock files will be located

	lock directory = /var/lock/samba/locks

		

	# debug log files 

	# %m = separate log for each NetBIOS name (each machine)

	log file = /var/log/samba/log.%m



	# We send priority 0, 1 and 2 messages to the system logs

	syslog = 2

		

	# If a WinPopup message is sent to the server,

	# redirect it to a user via e-mail

	

	message command = /bin/mail -s 'message from #% on %m' \
						 pkelly < %s; rm %s



# ---------------------------------------------------

# [global] Performance Tuning

# ---------------------------------------------------

	

	# caching algorithm to reduce time doing getwd() calls.  

	getwd cache = yes



	socket options = TCP_NODELAY



	# tell the server whether the client is present and

	# responding in seconds

	keep alive = 60



	# num minutes of inactivity before a connection is

	# considered dead

	dead time = 30 



	read prediction = yes

	share modes = yes

	max xmit = 17384 

	read size = 512

The share modes, max xmit, and read size options are machine-specific (see Appendix B, Samba Performance Tuning):


	# locking is done by the server

	locking = yes



	# control whether dos style attributes should be mapped

	# to unix execute bits

	map hidden = yes

	map archive = yes

	map system = yes

The three map options will work only on shares with a create mode that includes the execute bits (0111). Our homes and printers shares won't honor them, but the [www] share will:
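
Which shares can honor which map option, as an added example (not from the book): each option stores its DOS attribute in one execute bit (archive in owner 0100, system in group 0010, hidden in world 0001, per smb.conf(5)), so this Python check goes beyond the text and tests each option against its own bit. The excerpt is constructed from the `create mode` lines in this appendix; the function name is the example's own.

```python
import configparser

# Unix execute bit Samba uses to store each DOS attribute (smb.conf(5)).
MAP_BITS = {"map archive": 0o100, "map system": 0o010, "map hidden": 0o001}

# Constructed excerpt: the create mode lines from this appendix's shares.
SAMPLE = """
[homes]
create mode = 644
[printers]
create mode = 0700
[programs]
create mode = 664
[data]
create mode = 770
[www]
create mode = 775
"""

def effective_map_options(conf_text, default_mask="0744"):
    """Return {share: [map options whose execute bit survives create mode]}.

    Assumes all three map options are enabled in [global], as they are here.
    default_mask is Samba's documented default create mask, used only when a
    share sets none.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    result = {}
    for share in cp.sections():
        mask = int(cp[share].get("create mode", default_mask), 8)
        result[share] = [opt for opt, bit in MAP_BITS.items() if mask & bit]
    return result

if __name__ == "__main__":
    for share, opts in effective_map_options(SAMPLE).items():
        print(f"[{share}] can honor: {', '.join(opts) or 'none'}")
```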


# ---------------------------------------------------------

# [global] Security and Domain Logon Services

# ---------------------------------------------------------	

# connections are made with UID and GID, not as shares

	security = user



# boolean variable that controls whether passwords

# will be encrypted

	encrypt passwords = yes

	passwd chat = "*New password:*" %n\r "*New password (again):*" %n\r \
		"*Password changed*"

	passwd program = /usr/bin/passwd %u

	

# Always become the local master browser

	domain master = yes

	preferred master = yes

	os level = 34

	

# For domain logons to work correctly. Samba acts as a

# primary domain controller.

	domain logons = yes

	

# Logon script to run for user off the server each time

# username (%U) logs in.  Set the time, connect to shares,

# virus checks, etc.

	logon script = scripts\%U.bat



[netlogon]

	comment = "Domain Logon Services"

	path = /u/netlogon

	writable = yes

	create mode = 444

	guest ok = no

	volume = "Network"

This share, discussed in Chapter 6, Users, Security, and Domains, is required for Samba to work smoothly in a Windows NT domain:


# -----------------------------------------------------------

# [homes] User Home Directories

# -----------------------------------------------------------

[homes]

	comment = "Home Directory for : %u "

	path = /u/users/%u

The password file of the Samba server specifies each person's home directory as /home/machine_name/person, which NFS converts to point to the actual physical location under /u/users. The path option in the [homes] share tells Samba the actual (non-NFS) location:


	guest ok = no

	read only = no

	create mode = 644

	writable = yes

	browseable = no 



# -----------------------------------------------------------

# [printers] System Printers

# -----------------------------------------------------------

[printers]

	comment = "Printers"

	path = /var/spool/lpd/samba

	printcap name = /etc/printcap

	printable = yes

	public = no 

	writable = no



	lpq command = /usr/bin/lpq -P%p

	lprm command = /usr/bin/lprm -P%p %j

	lppause command = /usr/sbin/lpc stop %p

	lpresume command = /usr/sbin/lpc start %p



	create mode = 0700



	browseable = no 

	load printers = yes  



# -----------------------------------------------------------

# Specific Descriptions: [programs] [data] [retail]

# -----------------------------------------------------------

[programs]

	comment = "Shared Programs %T"

	volume = "programs"

Shared Programs shows up in the Network Neighborhood, and programs is the volume name you specify when an installation program wants to know the label of the CD-ROM from which it thinks it's loading:


	path = /u/programs

	public = yes

	writeable = yes

	printable = no

	create mode = 664

[cdrom]

	comment = "Unix CDROM"

	path = /u/cdrom

	public = no 

	writeable = no 

	printable = no

	volume = "cdrom"



[data]

	comment =  "Data Directories %T"

	path = /u/data

	public = no

	create mode = 770

	writeable = yes

	volume = "data"



[nt4]

	comment =  "NT4 Server"

	path = /u/systems/nt4

	public = yes 

	create mode = 770

	writeable = yes

	volume = "nt4_server"



[www]

	comment =  "WWW System"

	path = /usr/www/http

	public = yes 

	create mode = 775

	writeable = yes

	volume = "www_system"

The [www] share is the directory used on the Unix server to serve web pages. Samba makes the directory available to local PC users so the art department can update web pages.
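
The [www] share sets both `public = yes` and `writeable = yes`. As an added example (not from the book), this Python check lists every share in the appendix's configuration that combines guest access with write access, treating `public` as a synonym for `guest ok` and `writeable`/`write ok` as synonyms for `writable`. The excerpt is constructed from the listing and the function names are the example's own.

```python
import configparser

GUEST_KEYS = ("guest ok", "public")                  # synonyms in smb.conf
WRITE_KEYS = ("writable", "writeable", "write ok")   # inverted synonyms of "read only"

# Constructed excerpt: access-related lines from the shares in this appendix.
SAMPLE = """
[netlogon]
writable = yes
guest ok = no
[homes]
guest ok = no
read only = no
writable = yes
[programs]
public = yes
writeable = yes
[cdrom]
public = no
writeable = no
[data]
public = no
writeable = yes
[nt4]
public = yes
writeable = yes
[www]
public = yes
writeable = yes
"""

def _any_true(section, keys):
    return any(section.getboolean(k) for k in keys if k in section)

def guest_writable_shares(conf_text):
    """Names of shares that allow both guest access and writes."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    flagged = []
    for name in cp.sections():
        s = cp[name]
        guest = _any_true(s, GUEST_KEYS)
        writable = _any_true(s, WRITE_KEYS) or (
            "read only" in s and not s.getboolean("read only"))
        if guest and writable:
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    print(guest_writable_shares(SAMPLE))
```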



© 1999, O'Reilly & Associates, Inc.


