Samba

From SlackWiki

... this is a W.I.P. ... I will write more in the next days, hope this is OK :)

Comments, suggestions, etc. are welcome!

Introduction

This tutorial shows you how to configure Samba 3.0.x on Slackware 12.x.

It should later act as simply and securely as it can in a heterogeneous network with Windows systems (a workstation with admin access, guest accounts for the rest [e.g. your friends]), a media streaming client (e.g. Xbox) and Linux / *nix systems (Solaris / Mac OS X).

I wanted to have all necessary parameters for home usage in my smb.conf so I can easily change them and have a mostly secure and stable system. Printing is disabled by default in my config, since I have no need to attach my printer to the server (the printer has its own print server: HP P2015). Also, I really have no clue how to use a printer with Linux. If someone wants to write something on printing then feel free to do so...

Upgrade / Build Samba

If you are here you probably already know what Samba is good for and how it works. Normally Samba is installed on your system and ready for action, and doesn't need to be upgraded.

Upgrade Samba

All upgrades to Samba should be done via the patches directory on your favorite mirror. You should NOT NOT NOT mix -current packages with a non "-current" Slackware.

Building Samba

Hey! Wanna build Samba? Get the source, get the slackbuild, make a package and install it!

I used the latest release from the 3.0.x branch, since this is what ships with Slackware 12.x.

You can also try building Samba 3.2.x. If you want an optimized build with better performance that suits your system, consider installing GCC > 4.2.4, since it supports better optimization options (-march=native; specifying -march=native implies -mtune=native and enables all instruction subsets supported by the local machine, so the result might not run on different machines), and use Samba 3.2.x because it has better overall performance. Only do this if you know what you are doing!

  • Get the source + SlackBuild, edit it and build the package...
$ mkdir /tmp/samba
$ cd /tmp/samba
$ wget http://us3.samba.org/samba/ftp/stable/samba-3.0.31.tar.gz
  ...
$ wget -r -nH ftp://slackware.osuosl.org/pub/slackware/slackware-current/source/n/samba
$ jed samba.SlackBuild
  >  VERSION=3.0.30
  >> VERSION=3.0.31

  >  tar xjvf $CWD/samba-$VERSION.tar.bz2
  >> tar xfvz $CWD/samba-$VERSION.tar.gz
$ chmod +x samba.SlackBuild
$ ./samba.SlackBuild
$ upgradepkg /tmp/samba-3.0.31-i486-1.tgz

Configure Samba

There are a few requirements I had for this config.

  • Guest access from Windows without the need for a password
  • Guests are only allowed to read and have no home directory (e.g. /home/guest)
  • Guests are only allowed to put new files in a given directory
  • Make everything as secure as it can get with this config
  • Users on the system have access to their home directory
  • No printing at all
  • Disable NetBIOS, we only have Windows XP or higher / *nix
  • Maybe more?

/etc/samba/smb.conf

This is my own smb.conf as I use it on my system.

The config file itself should be self-explanatory.

smb.conf with comments

#smb.conf - v1.1
#
# Samba-3.0.30 - Slackware 12.x
# e.v.o ( e.v.o [A-T] gmx.net )
#
# ; COMMENT
# #PARAMETER ( name = default value )
# Normally every parameter should have its default value.
# If the parameter is commented out then it is the default value,
# otherwise you should have a look at "man smb.conf"
#
# This config is based on the smb.conf manual page
# and "Using Samba, 3rd Edition" from O'Reilly
#

# VARIABLE SUBSTITUTIONS
; %U	session username
; %G	primary group name of %U
; %h	the Internet hostname that Samba is running on
; %m	the NetBIOS name of the client machine (very useful)
; %L	the NetBIOS name of the server
; %M	the Internet name of the client machine
; %R	the selected protocol level after protocol negotiation
; %d	the process id of the current server process
; %a	the architecture of the remote machine
; %I	the IP address of the client machine
; %i	the local IP address to which a client connected
; %T	the current date and time
; %D	name of the domain or workgroup of the current user
; %w	the winbind separator
; %v	Samba version number
;
; The following substitutes apply only to some configuration options
; Only those that are used when a connection has been established
;
; %S	the name of the current service, if any
; %P	the root directory of the current service, if any
; %u	username of the current service, if any
; %g	primary group name of %u
; %H	the home directory of the user given by %u
; %N	the name of your NIS home directory server
; %p	the path of the service's home directory

[global]
; Parameters in this section apply to the server as a whole

; ###  USERSHARES  ### # Capability for non-root users to 
; ==================== # add/modify/delete own share definitions 
;
; Controls if usershares can permit guest access
#usershare allow guests      =
; Maximum number of user defined shares allowed
#usershare max shares        =
; If set only directories owned by the sharing user can be shared
#usershare owner only        =
; Directory containing the user defined share definitions
#usershare path              =
; Comma-separated list restricting what directories can be shared
#usershare prefix allow list =
; Comma-separated list restricting what directories cannot be shared
#usershare prefix deny list  =
; Pre-existing share used as a template for creating new usershares
#usershare template share    =

; ###  NAME MANGLING  ### # By default, Samba has the same
; ======================= # semantics as a Windows NT server
;
; Filenames are case sensitive
#case sensitive      = auto
; Default case for new filenames
#default case        = lower
; New files are created with the case that the client passes
#preserve case       = yes
; New files which conform to 8.3 syntax are created upper case
#short preserve case = yes

; ###  PRINTING  ###
; ==================
;
; All printers in the printcap will be loaded for browsing by default
load printers           = no
; Only applicable if printing is set to cups.
#cups server            = ""
; Show the "Add Printer Wizard" Dialog
show add printer wizard = no
; Yes = open, write to and submit spool files on the specified directory
printable               = no

; ===============================
; #   -   S E T T I N G S   -   #
; ===============================

; \-= USER SCRIPTS =-/    # These scripts are used on a PDC or stand-alone 
; ====================    # machine to add or delete corresponding unix accounts

; Script that will be run when a new group is requested
#add group script               = /usr/sbin/groupadd %g
; Script that will be run when a machine is added to Samba's domain
#add machine script             = /usr/sbin/adduser -s /bin/false -d /dev/null %u -n -g machines -c Machine 
; Script which will add a new service definition to smb.conf
#add share command              =
; Script which will add a new user
#add user script                = /usr/sbin/useradd -m %u
; Script that will be called when a user is added to a group
#add user to group script       = /usr/sbin/usermod -G %g %u
; Script which will modify an existing service definition in smb.conf
#change share command           =
; Script when a group is requested to be deleted
#delete group script            = /usr/sbin/groupdel %g
; Script when a user is removed from a group using the Windows NT domain administration tools
#delete user from group script  = /usr/sbin/deluser %u %g
; Script that will be run when managing users with remote RPC (NT) tools
#delete user script             = /usr/sbin/userdel -r %u
; Script that will be run under special circumstances
#rename user script             = no
; This script sets the primary group in the UNIX user database when an administrator sets the
; primary group from the Windows user manager or when fetching a SAM with net rpc vampire
#set primary group script       = /usr/sbin/usermod -g '%g' '%u'
; Program that can be used to set UNIX user passwords
#passwd program = /usr/bin/passwd %u
; Controls the "chat" conversation between smbd and the local password changing program
#passwd chat = "*New password:*" %n\r "*New password (again):*" %n\r \ "*Password changed*"

; \-= PERMISSION MASKS =-/
; ========================

#inherit owner                 = no
#inherit permissions           = no

#directory mask                = 0755
#directory security mask       = 0777
#force create mode             = 000
#force directory mode          = 000
#force directory security mode = 0
#force security mode           = 0
#security mask                 = 0777

; \-= USER PARAMETER =-/
; ======================

; List of users who will be granted administrative privileges on the share
admin users     = evo
; This is a list of users that should be allowed to login to this service
valid users     = evo guest
; This is a list of users that should not be allowed to login to this service
invalid users   = root nobody ftp adm apache bin daemon games gdm haldaemon halt lp mail messagebus mysql news operator pop rpc shutdown smmsp sshd sync uucp
; This is a list of users that are given read-only access to a service
read list       = evo guest
; This is a list of users that are given read-write access to a service
write list      = evo

; -= Guest Settings =-
; Username which will be used for access to services which are specified as guest ok
guest account   = guest
; If yes for a service, then no password is required to connect to the service
guest ok        = no
; If yes for a service, then only guest connections to the service are permitted
guest only      = no

; -= Forced User/Group Settings =-
; UNIX user name that will be assigned as the default user for all users
;force user = guest
; UNIX group name that will be assigned as the default primary group for all users
force group = users

; -= Map Settings =-
; Specify a file containing a mapping of usernames from the clients to the server
#username map = 
;
#map acl inherit  = no
#map archive      = yes
#map hidden       = 
#map read only    = yes
#map system       = no
map to guest     = Bad User

; \-= SHARE PARAMETER =-/
; =======================

; Lets you "turn off" a service. If available = no, then ALL attempts to connect to the service will fail
available       = yes
; Controls whether this share is seen in the list of available shares in a net view and in the browse list
browseable      = yes
; Allow or disallow client access to accounts that have null passwords 
#null password  = no
; If this parameter is yes, then users of a service may not create or modify files in the service's directory
read only       = yes
; Setting this parameter to no prevents any file or directory that is a symbolic link from being followed
follow symlinks = no
; This parameter controls whether or not links in the UNIX file system may be followed by the server
wide links      = no

; This parameter specifies the name of a service which will be connected to if the service actually requested cannot be found
#default service = 
; This parameter allows you to specify a comma-delimited list of directories that the server should always show as empty
dont descend     = /bin,/boot,/dev,/etc,/lib,/opt,/proc,/sbin,/srv,/sys,/tmp,/usr,/var

; -= Hide Files =-
; This is a boolean parameter that controls whether files starting with a dot appear as hidden files
#hide dot files         = yes
; This is a list of files or directories that are not visible but are accessible
#hide files             = 
; This parameter prevents clients from seeing special files such as sockets, devices and fifo's in directory listings
#hide special files     = no
; This parameter prevents clients from seeing the existence of files that cannot be read
#hide unreadable        = no
; This parameter prevents clients from seeing the existence of files that cannot be written to
#hide unwriteable files = no

; \-= WINDOWS PARAMETER =-/
; =========================

; Specifies the charset that samba will use to print messages to stdout and stderr
#display charset = "LOCALE" or "ASCII" (depending on the system)
; This option specifies which charset Samba should talk to DOS clients
#dos charset = # No default
; Enabling this parameter allows a user who has write access to the file (by whatever means) to modify the permissions
#dos filemode = no

; \-= NETWORK/CONNECTION PARAMETER =-/
; ====================================

; This controls what workgroup your server will appear to be in when queried by clients
workgroup = KlingKlang
; This controls what string will show up in the printer comment box in print manager and next to the IPC connection in net view
server string = FileDealer
; This sets the NetBIOS name by which a Samba server is known
netbios name = FileDealer
#netbios aliases = 

; -= Interface Settings =-
; This parameter is a comma, space, or tab delimited set of hosts which are permitted to access a service
hosts allow = 127.0.0.1 192.168.
hosts deny  = ALL

; -= Connection Options =-
; Represents the number of minutes of inactivity before a connection is considered dead and disconnected
#deadtime        = 0 
; The value of the parameter (an integer) represents the number of seconds between keepalive packets
#keepalive       = 300
; This option limits the number of simultaneous connections to a service (0 = unlimited)
#max connections = 0
; This option allows you to set socket options to be used when talking with the client
socket options   = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536 SO_SNDBUF=65536

; \-= OTHER PARAMETER =-/
; =======================

security = user

; Enabling this parameter will disable netbios support in Samba
disable netbios = yes
; Do a lookup with the DNS server
dns proxy = no

; -= SMBpasswd Settings =-
; This option allows the administrator to choose which backend will be used for storing user and possibly group information
#passdb backend = smbpasswd:/etc/samba/private/smbpasswd
; This option sets the path to the encrypted smbpasswd file
#smb passwd file = /etc/samba/private/smbpasswd

; -= Directory Settings =-
; This option specifies the directory where lock files will be placed
#lock directory = /var/lock
; This parameter defines the directory smbd will use for storing such files as smbpasswd and secrets.tdb
#private dir = /etc/samba/private

; -= Logging Settings =-
; This option allows you to override the name of the Samba log file
log file = /var/log/samba/samba.%m
; This option (an integer in kilobytes) specifies the max size the log file should grow to
max log size = 5000
; This parameter maps how Samba debug messages are logged to the system syslog
#syslog = 1
; If set, then Samba debug messages are logged into the system syslog only
#syslog only = no

; Using the following line enables you to customise your configuration on a per machine
; basis. The %m gets replaced with the netbios name of the machine that is connecting.
; Note: Consider carefully the location in the configuration file of
;       this line.  The included file is read at that point.
#include = /etc/samba/smb.conf.%m

; ===========================
; #   -   S H A R E S   -   #
; ===========================

[homes]
comment    = Eigene Dateien

guest ok   = yes
read only  = no
browseable = no

[printers]
comment    = Drucker
path       = /var/spool/samba

browseable = no
available  = no
guest ok   = no
printable  = yes

[BitHalde]
comment   = 3TB
path      = /mnt/raid

guest ok  = yes
read only = yes

smb.conf without comments

[global]
        workgroup = KLINGKLANG
        server string = FileDealer
        map to guest = Bad User
        guest account = guest
        log file = /var/log/samba/samba.%m
        disable netbios = Yes
        socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536 SO_SNDBUF=65536
        load printers = No
        show add printer wizard = No
        dns proxy = No
        invalid users = root, nobody, ftp, adm, apache, bin, daemon, games, gdm, haldaemon, halt, lp, mail, messagebus, mysql, news, operator, pop, rpc, shutdown, smmsp, sshd, sync, uucp
        valid users = evo, guest
        admin users = evo
        read list = evo, guest
        write list = evo
        force group = users
        hosts allow = 127.0.0.1, 192.168.
        hosts deny = ALL
        wide links = No
        follow symlinks = No
        dont descend = /bin,/boot,/dev,/etc,/lib,/opt,/proc,/sbin,/srv,/sys,/tmp,/usr,/var

[homes]
        comment = Eigene Dateien
        read only = No
        guest ok = Yes
        browseable = No

[printers]
        comment = Drucker
        path = /var/spool/samba
        printable = Yes
        browseable = No
        available = No

[BitHalde]
        comment = 3TB
        path = /mnt/raid
        guest ok = Yes

Using Samba

In this section we will have a look at how to restart, stop, and start the Samba server.

Starting and Stopping Samba

In Slackware, the script /etc/rc.d/rc.samba controls the state of the samba server. Below are the three commands you can use (as root).

To restart samba use: /etc/rc.d/rc.samba restart

To stop samba use: /etc/rc.d/rc.samba stop

To start samba from a stopped state use: /etc/rc.d/rc.samba start

The rc.samba script described above is merely a convenient wrapper for the /usr/sbin/smbd and /usr/sbin/nmbd commands. For example, you could also start the Samba server by using these two commands together (as root):

# /usr/sbin/smbd -D
# /usr/sbin/nmbd -D

See the man pages for smbd and nmbd for details.

Testing and Troubleshooting

In this section we will have a look at how to test our configuration and what to do if we run into problems.

Using testparm

testparm — check an smb.conf configuration file for internal correctness

  • If you're done with the setup of your smb.conf you should run testparm. Do this by simply typing it ;)
$ testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
NOTE: Service printers is flagged unavailable.
Processing section "[BitHalde]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions
Normally this is what the output should look like. By pressing enter you will get a list of all parameters used in smb.conf.
  • If you wish to have a complete list of all options and how they are set:
$ testparm -v

Using smbclient

smbclient — ftp-like client to access SMB/CIFS resources on servers

  • Connecting as guest and listing all shares
$ smbclient -L localhost -N
Domain=[FILEDEALER] OS=[Unix] Server=[Samba 3.0.30]

        Sharename       Type      Comment
        ---------       ----      -------
        BitHalde        Disk      3TB
        IPC$            IPC       IPC Service (FileDealer)
Domain=[FILEDEALER] OS=[Unix] Server=[Samba 3.0.30]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        KLINGKLANG           FILEDEALER

-L host This option allows you to look at what services are available on a server.
-N Suppresses the normal password prompt. Useful when accessing a service that does not require a password.

  • Connecting with a specified username and listing all shares
$ smbclient -L localhost -U evo
Password:
Domain=[FILEDEALER] OS=[Unix] Server=[Samba 3.0.30]

        Sharename       Type      Comment
        ---------       ----      -------
        BitHalde        Disk      3TB
        IPC$            IPC       IPC Service (FileDealer)
        evo             Disk      Eigene Dateien
Domain=[FILEDEALER] OS=[Unix] Server=[Samba 3.0.30]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        KLINGKLANG           FILEDEALER

-U Sets the SMB username or username and password.

To Do

  • add all users (cat /etc/passwd | cut -d':' -f1 | sort)
  • complete the user scripts
  • fix the masks + uploads by guest/evo are owned by root? why is that?
  • what about umlauts?
  • --> how to start? rc.samba
  • add the test methods from the Samba book