Содержание
Аннотация
Using Samba, a Unix machine can be configured as a file and print server for Mac OS X, Windows, and OS/2 machines. Samba has developed into a fully-fledged and rather complex product. Configure Samba with YaST, SWAT (a Web interface), or by editing the configuration file manually.
The following are some terms used in Samba documentation and in the YaST module.
Samba uses the SMB (server message block) protocol that is based on the NetBIOS services. Microsoft released the protocol so other software manufacturers could establish connections to a Microsoft domain network. With Samba, the SMB protocol works on top of the TCP/IP protocol, so the TCP/IP protocol must be installed on all clients.
CIFS (common Internet file system) protocol is another protocol supported by Samba. CIFS defines a standard remote file system access protocol for use over the network, enabling groups of users to work together and share documents across the network.
NetBIOS is a software interface (API) designed for communication between machines providing a name service. It enables machines connected to the network to reserve names for themselves. After reservation, these machines can be addressed by name. There is no central process that checks names. Any machine on the network can reserve as many names as it wants as long as the names are not already in use. The NetBIOS interface can be implemented for different network architectures. An implementation that works relatively closely with network hardware is called NetBEUI, but this is often referred to as NetBIOS. Network protocols implemented with NetBIOS are IPX from Novell (NetBIOS via TCP/IP) and TCP/IP.
The NetBIOS names sent via TCP/IP have nothing in common with the
names used in /etc/hosts
or those defined by DNS.
NetBIOS uses its own, completely independent naming convention.
However, it is recommended to use names that correspond to DNS
hostnames to make administration easier or use DNS natively. This is
the default used by Samba.
Samba server provides SMB/CIFS services and NetBIOS over IP naming services to clients. For Linux, there are three daemons for Samba server: smbd for SMB/CIFS services, nmbd for naming services, and winbind for authentication.
The Samba client is a system that uses Samba services from a Samba server over the SMB protocol. All common operating systems, such as Mac OS X, Windows, and OS/2, support the SMB protocol. The TCP/IP protocol must be installed on all computers. Samba provides a client for the different UNIX flavors. For Linux, there is a kernel module for SMB that allows the integration of SMB resources on the Linux system level. You do not need to run any daemon for the Samba client.
SMB servers provide resources to the clients by means of shares. Shares are printers and directories with their subdirectories on the server. It is exported by means of a name and can be accessed by its name. The share name can be set to any name—it does not have to be the name of the export directory. A printer is also assigned a name. Clients can access the printer by its name.
A domain controller (DC) is a server that handles accounts in domain. For data replication, additional domain controllers are available in one domain.
To install a Samba server, start YaST and select
+ . Choose + and select . Confirm the installation of the required packages to finish the installation process.You can start or stop the Samba server automatically (during boot) or manually. Starting and stopping policy is a part of the YaST Samba server configuration described in Раздел 15.4.1, «Configuring a Samba Server with YaST».
To stop or start running Samba services with YaST, use rcsmb stop && rcnmb stop and start them with rcnmb start && rcsmb start; rcsmb cares about winbind if needed.
+ and check winbind, smb, and nmb. From a command line, stop services required for Samba withA Samba server in openSUSE® can be configured in two different ways: with YaST or manually. Manual configuration offers a higher level of detail, but lacks the convenience of the YaST GUI.
To configure a Samba server, start YaST and select
+ .When starting the module for the first time, the
dialog starts, prompting you to make just a few basic decisions concerning administration of the server. At the end of the configuration it prompts for the Samba administrator password ( . For later starts, the dialog appears.The
dialog consists of two steps and optional detailed settings:Select an existing name from
or enter a new one and click .In the next step, specify whether your server should act as a primary domain controller (PDC), backup domain controller (BDC), or not to act as a domain controller at all. Continue with
.Select whether you want to start Samba
or and click . Then in the final pop-up box, set the .You can change all settings later in the
dialog with the , , , , and tabs.During the first start of the Samba server module the Раздел 15.4.1.1, «Initial Samba Configuration». Use it to adjust your Samba server configuration.
dialog appears directly after the two initial steps described inAfter editing your configuration, click
to save your settings.In the Раздел 15.3, «Starting and Stopping Samba».
tab, configure the start of the Samba server. To start the service every time your system boots, select . To activate manual start, choose . More information about starting a Samba server is provided inIn this tab, you can also open ports in your firewall. To do so, select
. If you have multiple network interfaces, select the network interface for Samba services by clicking , selecting the interfaces, and clicking .In the
tab, determine the Samba shares to activate. There are some predefined shares, like homes and printers. Use to switch between and . Click to add new shares and to delete the selected share.
users
for a local scope or
DOMAIN\Users
for a domain scope. The user
also must make sure that the file system permissions allow access.
With , limit the total
amount of shares that may be created. To permit access to user shares
without authentication, enable .
In the
tab, you can determine the domain with which the host is associated ( ) and whether to use an alternative hostname in the network ( ). It is also possible to use Microsoft Windows Internet Name Service (WINS) for name resolution. In this case, activate and decide whether to . To set expert global settings or set a user authentication source, click .To enable users from other domains to access your domain, make the appropriate settings in the
tab. To add a new domain, click . To remove the selected domain, click .In the tab
, you can determine the LDAP server to use for authentication. To test the connection to your LDAP server, click . To set expert LDAP settings or use default values, click .For more information about LDAP configuration, see Глава 4, LDAP — Сервис директорий (↑Руководство по безопасности).
An alternative tool for Samba server administration is SWAT
(Samba Web Administration Tool). It provides a simple Web interface with
which to configure the Samba server. To use SWAT, open
http://localhost:901 in a Web browser and log in as user
root
. If you do not have a
special Samba root account, use the system
root
account.
Activating SWAT | |
---|---|
After Samba server installation, SWAT is not activated. To activate it, open + in YaST, enable the network services configuration, select from the table, and click . |
If you intend to use Samba as a server, install
samba
. The main
configuration file of Samba is /etc/samba/smb.conf
.
This file can be divided into two logical parts. The
[global]
section contains the central and global
settings. The [share]
sections contain the individual
file and printer shares. By means of this approach, details regarding
the shares can be set differently or globally in the
[global]
section, which enhances the structural
transparency of the configuration file.
The following parameters of the [global]
section
need some adjustment to match the requirements of your network setup so
other machines can access your Samba server via SMB in a Windows
environment.
workgroup = TUX-NET
This line assigns the Samba server to a workgroup. Replace
TUX-NET
with an appropriate workgroup of your
networking environment. Your Samba server appears under its DNS name
unless this name has been assigned to some other machine in the
network. If the DNS name is not available, set the server name using
netbiosname=
.
For more details about this parameter, see the
MYNAME
smb.conf
man page.
os level = 20
This parameter triggers whether your Samba server tries to become
LMB (local master browser) for its workgroup. With the Samba 3
release series, it is seldom necessary to override the default
setting (20
). Choose a very low value such as
2
to spare the existing Windows network from any
disturbances caused by a misconfigured Samba server. More
information about this important topic can be found in the Network
Browsing chapter of the Samba 3 Howto; for more information on the
Samba 3 Howto, see Раздел 15.7, «For More Information».
If no other SMB server is present in your network (such as a Windows
2000 server) and you want the Samba server to keep a list of all
systems present in the local environment, set the os
level
to a higher value (for example,
65
). Your Samba server is then chosen as LMB for
your local network.
When changing this setting, consider carefully how this could affect an existing Windows network environment. First test the changes in an isolated network or at a noncritical time of day.
wins support
and wins server
To integrate your Samba server into an existing Windows network with
an active WINS server, enable the wins server
option and set its value to the IP address of that WINS server.
If your Windows machines are connected to separate subnets and need
to still be aware of each other, you need to set up a WINS server.
To turn a Samba server into such a WINS server, set the option
wins support = Yes
. Make sure that only one Samba
server of the network has this setting enabled. The options
wins server
and wins support
must never be enabled at the same time in your
smb.conf
file.
The following examples illustrate how a CD-ROM drive and the user
directories (homes
) are made available to the SMB
clients.
To avoid having the CD-ROM drive accidentally made available, these lines are deactivated with comment marks (semicolons in this case). Remove the semicolons in the first column to share the CD-ROM drive with Samba.
Пример 15.1. A CD-ROM Share (deactivated)¶
;[cdrom] ; comment = Linux CD-ROM ; path = /media/cdrom ; locking = No
[cdrom]
and comment
The [cdrom]
section entry is the name of the
share that can be seen by all SMB clients on the network. An
additional comment
can be added to further
describe the share.
path = /media/cdrom
path
exports the directory
/media/cdrom
.
By means of a very restrictive default configuration, this kind of
share is only made available to the users present on this system. If
this share should be made available to everybody, add a line
guest ok = yes
to the configuration. This setting
gives read permissions to anyone on the network. It is recommended
to handle this parameter with great care. This applies even more to
the use of this parameter in the [global]
section.
[homes]
The [homes]
share is of special importance here. If
the user has a valid account and password for the Linux file server
and his own home directory, he can be connected to it.
Пример 15.2. [homes] Share¶
[homes] comment = Home Directories valid users = %S browseable = No read only = No create mask = 0640 directory mask = 0750
As long as there is no other share using the share name of the
user connecting to the SMB server, a share is dynamically
generated using the [homes]
share directives.
The resulting name of the share is the username.
valid users = %S
%S
is replaced with the concrete name of the
share as soon as a connection has been successfully established.
For a [homes]
share, this is always the
username. As a consequence, access rights to a user's share are
restricted exclusively to that user.
browseable = No
This setting makes the share invisible in the network environment.
read only = No
By default, Samba prohibits write access to any exported share by
means of the read only = Yes
parameter. To
make a share writable, set the value read only =
No
, which is synonymous with writable =
Yes
.
create mask = 0640
Systems that are not based on MS Windows NT do not understand the
concept of UNIX permissions, so they cannot assign permissions
when creating a file. The parameter create
mask
defines the access permissions assigned to newly
created files. This only applies to writable shares. In effect,
this setting means the owner has read and write permissions and
the members of the owner's primary group have read permissions.
valid users = %S
prevents read access even if
the group has read permissions. For the group to have read or
write access, deactivate the line valid users =
%S
.
To improve security, each share access can be protected with a password. SMB offers the following ways of checking permissions:
security = share
)A password is firmly assigned to a share. Everyone who knows this password has access to that share.
security = user
)This variant introduces the concept of the user to SMB. Each user must register with the server with his or her own password. After registration, the server can grant access to individual exported shares dependent on usernames.
security = server
)
To its clients, Samba pretends to be working in user level mode.
However, it passes all password queries to another user level mode
server, which takes care of authentication. This setting requires
the additional password server
parameter.
security = ADS
)In this mode, Samba will act as a domain member in an Active Directory environment. To operate in this mode, the machine running Samba needs Kerberos installed and configured. You must join the machine using Samba to the ADS realm. This can be done using the YaST
module.security = domain
)
This mode will only work correctly if the machine has been joined
into a Windows NT Domain. Samba will try to validate username and
password by passing it to a Windows NT Primary or Backup Domain
Controller. The same way as a Windows NT Server would do. It expects
the encrypted passwords parameter to be set to
yes
.
The selection of share, user, server, or domain level security applies to the entire server. It is not possible to offer individual shares of a server configuration with share level security and others with user level security. However, you can run a separate Samba server for each configured IP address on a system.
More information about this subject can be found in the Samba 3 HOWTO.
For multiple servers on one system, pay attention to the options
interfaces
and bind interfaces only
.
Clients can only access the Samba server via TCP/IP. NetBEUI and NetBIOS via IPX cannot be used with Samba.
Configure a Samba client to access resources (files or printers) on the Samba or Windows server. Enter the NT or Active Directory domain or workgroup in the dialog
+ . If you activate , the user authentication runs over the Samba, NT or Kerberos server.
Click pam_mount
man page.
After completing all settings, confirm the dialog to finish the configuration.
In networks where predominantly Windows clients are found, it is often
preferable that users may only register with a valid account and
password. In a Windows-based network, this task is handled by a primary
domain controller (PDC). You can use a Windows NT server configured as
PDC, but this task can also be done with a Samba server. The entries that
must be made in the [global]
section of
smb.conf
are shown in
Пример 15.3, «Global Section in smb.conf».
Пример 15.3. Global Section in smb.conf¶
[global] workgroup = TUX-NET domain logons = Yes domain master = Yes
If encrypted passwords are used for verification purposes the Samba
server must be able to handle these. The entry encrypt passwords
= yes
in the [global]
section enables this
(with Samba version 3, this is now the default). In addition, it is
necessary to prepare user accounts and passwords in an encryption format
that conforms with Windows. Do this with the command smbpasswd
-a name
. Create the domain account for the
computers, required by the Windows domain concept, with the following
commands:
useradd hostname\$ smbpasswd -a -m hostname
With the useradd command, a dollar sign is added. The
command smbpasswd inserts this automatically when the
parameter -m
is used. The commented configuration
example
(/usr/share/doc/packages/samba/examples/smb.conf.SUSE
)
contains settings that automate this task.
add machine script = /usr/sbin/useradd -g nogroup -c "NT Machine Account" \ -s /bin/false %m\$
To make sure that Samba can execute this script correctly, choose a Samba
user with the required administrator permissions and add it to the
ntadmin
group. Then all users
belonging to this Linux group can be assigned Domain
Admin
status with the command:
net groupmap add ntgroup="Domain Admins" unixgroup=ntadmin
For more information about this topic, see Chapter 12 of the Samba 3
HOWTO, found in
/usr/share/doc/packages/samba/Samba3-HOWTO.pdf
.
Detailed Samba information is available in the digital documentation.
Enter apropos samba
at the command
line to display some manual pages or just browse the
/usr/share/doc/packages/samba
directory if Samba
documentation is installed for more online documentation and examples.
Find a commented example configuration
(smb.conf.SUSE
) in the examples
subdirectory.
The Samba 3 HOWTO provided by the Samba team includes a section about
troubleshooting. In addition to that, Part V of the document provides a
step-by-step guide to checking your configuration. You can find Samba 3
HOWTO in
/usr/share/doc/packages/samba/Samba3-HOWTO.pdf
after
installing the package samba-doc
.
Also read the Samba page in the openSUSE wiki at http://en.openSUSE.org/Samba.