m (1 revision(s)) |
m (Fixed templates) |
||
Line 23: | Line 23: | ||
=== How Samba Works === | === How Samba Works === | ||
{{ | {{Admon/tip | A detailed explanation of low-level Samba services is beyond the scope of this document. The simplified definition is that Samba utilizes the ''NetBIOS'' API to deliver or respond to ''SMB/CIFS'' calls over the network, thus providing access to the network-shared directory tree, file and print resources. In addition, Samba extends NetBIOS and SMB/CIFS to provide authentication services and LDAP-type directory information.}} | ||
Samba is composed of multiple applications each of which provide a part of Sambas functionality. Three daemons - <code>smbd</code>, <code>nmbd</code>, and <code>winbindd</code> are the main components of Samba. Some of the most commonly used command line Samba tools are <code>smbstatus</code>, <code>smbpasswd</code>, <code>findsmb</code>, <code>nmblookup</code>, <code>net</code>, <code>smbclient</code>, <code>smbtar</code>, and <code>testparm</code>. | Samba is composed of multiple applications each of which provide a part of Sambas functionality. Three daemons - <code>smbd</code>, <code>nmbd</code>, and <code>winbindd</code> are the main components of Samba. Some of the most commonly used command line Samba tools are <code>smbstatus</code>, <code>smbpasswd</code>, <code>findsmb</code>, <code>nmblookup</code>, <code>net</code>, <code>smbclient</code>, <code>smbtar</code>, and <code>testparm</code>. | ||
Line 167: | Line 167: | ||
</pre> | </pre> | ||
{| | {{Admon/warning | Do not change the SELinux context of system directories! | System directories will have different SELinux labels and relabeling them with samba context can severely damage system security and possibly render the system unusable.}} | ||
| System directories will have different SELinux labels and relabeling them with samba context can severely damage system security and possibly render the system unusable. | |||
To check what context a system directory has, use: | To check what context a system directory has, use: | ||
Line 342: | Line 337: | ||
</pre> | </pre> | ||
{{ | {{Admon/tip | The good practice is to create the ''credentials'' file with file permissions set to ''read-only'' for user ''root'' and not accessible to anybody else.}} | ||
The ''root'' is the only user with a permission to run the <code>mount</code> utility. To enable non-privileged users to mount and unmount Samba shares, set SUID on <code>/sbin/mount.cifs</code> and <code>/sbin/umount.cifs</code>. As ''root'', run: | The ''root'' is the only user with a permission to run the <code>mount</code> utility. To enable non-privileged users to mount and unmount Samba shares, set SUID on <code>/sbin/mount.cifs</code> and <code>/sbin/umount.cifs</code>. As ''root'', run: | ||
Line 364: | Line 359: | ||
</pre> | </pre> | ||
{{ | {{Admon/tip | The entry in the ''/etc/fstab'' file accepts the same set of options as the <code>mount</code> command.}} | ||
=== Common Scenarios - Sample Configuration Files === | === Common Scenarios - Sample Configuration Files === | ||
{| | {{Admon/tip | Computer, workgroup, and share names, specified directory paths, user and group names and IP network addresses''' in the following configuration files are entirely arbitrary.}} | ||
==== Read-only shared directory ==== | ==== Read-only shared directory ==== | ||
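Review bot: the new Admon/tip text in this hunk (`{{Admon/tip | Computer, workgroup, and share names ... IP network addresses''' in the following configuration files ...}}`) contains an unbalanced bold marker: `addresses'''` closes a `'''` that is never opened, so the rendered tip will either show the three quotes literally or bold the rest of the sentence. Suggest dropping the stray `'''` (or adding the matching opening marker before `Computer` if the whole list of names was meant to be bold).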
Line 379: | Line 371: | ||
'''Solution:''' | '''Solution:''' | ||
# Create directory /home/common/policies | |||
# Copy all related documents to /home/common/policies | |||
# Create ''[policies] '' section in ''smb.conf'' that allows anonymous access | |||
Use the following ''smb.conf'' to achieve this: | Use the following ''smb.conf'' to achieve this: | ||
Line 422: | Line 414: | ||
1.#5 Create accounts for three users in the office and add all of them to ''officespace'' group. | 1.#5 Create accounts for three users in the office and add all of them to ''officespace'' group. | ||
{| | {{Admon/tip | Steps 2-5 above ensure that directory structure ''/data/documents'' has SUID and SGID set on it and that all new files created under it will inherit the set ownership and permissions. This allows all users in the office to alter the content of the files, thus not interfering with the file access permissions.}} | ||
1.#6 Create CUPS print queue on the server: | 1.#6 Create CUPS print queue on the server: | ||
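Review bot: the tip added in this hunk says steps 2-5 leave /data/documents with "SUID and SGID set on it" so that new files "inherit the set ownership and permissions". On Linux the set-user-ID bit has no effect on a directory, and the set-group-ID bit only makes files created inside inherit the directory's group (officespace), not its owner or its permission bits; the owner is handled by the `force user = milton` / `force group = officespace` lines of the [documents] share later on the page. Suggest rewording to "has SGID set on it, so that all new files created under it belong to the officespace group".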
Line 438: | Line 427: | ||
...in a ''/etc/cups/mime.types'' file. | ...in a ''/etc/cups/mime.types'' file. | ||
{| | {{Admon/tip | CUPS print queue may not be fully enabled when created. | It is sometimes necessary to force this by issuing the following commands: <code>cupsenable <print_queue></code> and <code>cupsaccept <print_queue></code>}} | ||
| It is sometimes necessary to force this by issuing the following commands: <code>cupsenable <print_queue></code> and <code>cupsaccept <print_queue></code> | |||
1.#7 Create the following ''/etc/smb.conf'' file: | 1.#7 Create the following ''/etc/smb.conf'' file: | ||
Line 480: | Line 463: | ||
</pre> | </pre> | ||
{| | {{Admon/tip | Always use the <code>testparm</code> utility to test syntax/validity of the Samba configuration file, before starting the service!}} | ||
1.#9 Reconfigure workstations to become members of the ''OFFICESPACE'' workgroup and to use Samba-shared printer. | 1.#9 Reconfigure workstations to become members of the ''OFFICESPACE'' workgroup and to use Samba-shared printer. | ||
Line 528: | Line 508: | ||
</pre> | </pre> | ||
{| | {{Admon/tip | Having a Linux password is a prerequisite to creating Samba passwords for users, using the <code>smbpasswd</code> utility. | If a user's Linux password does not exist, the <code>smbpasswd -a <username></code> command is ignored and the Samba password is not set.}} | ||
| If a user's Linux password does not exist, the <code>smbpasswd -a <username></code> command is ignored and the Samba password is not set. | |||
1.#8 Set the appropriate file and directory permissions on shared directories: | 1.#8 Set the appropriate file and directory permissions on shared directories: | ||
Line 548: | Line 523: | ||
chmod o+rwt /home/samba/profiles | chmod o+rwt /home/samba/profiles | ||
</pre> | </pre> | ||
{| | {{Admon/tip | /home/samba/profiles directory must be world-writable for "on-the-fly" creation of the individual profile directories. | The "Sticky bit" ''t'' on this directory prevents users with ''write'' permission on the directory to rename or delete files or directories contained within this directory if the user is not the file or directory owner.}} | ||
| The "Sticky bit" ''t'' on this directory prevents users with ''write'' permission on the directory to rename or delete files or directories contained within this directory if the user is not the file or directory owner. | |||
1.#8 Create appropriate CUPS print queues: | 1.#8 Create appropriate CUPS print queues: | ||
<pre>lpadmin -p prn1 -v socket://192.168.1.11:9100 -E | <pre>lpadmin -p prn1 -v socket://192.168.1.11:9100 -E | ||
Line 782: | Line 752: | ||
For aspiring and accomplished Samba administrators, some essential reading is: [http://samba.org/samba/docs/using_samba/toc.html Using Samba 2nd edition] . It covers Samba releases 2.2.x and 3.0.x. | For aspiring and accomplished Samba administrators, some essential reading is: [http://samba.org/samba/docs/using_samba/toc.html Using Samba 2nd edition] . It covers Samba releases 2.2.x and 3.0.x. | ||
{| | {{Admon/warning | Administering Samba in a large environment would most likely include fair amount of Windows administration, too!}} | ||
Revision as of 01:50, 3 June 2008
Samba
Introduction
Samba is an open source implementation of the SMB (Server Message Block) protocol. Samba provides the means for resource sharing between networked computers that run different operating systems. As a client, Samba allows Linux/UNIX machines to access resources on Windows or Samba servers. As a server, Samba provides shared resources for Windows or other Samba clients. Historically, Samba provided access to shared resources through the SMBFS - SMB File System. More recently, SMBFS has been replaced by the more advanced CIFS (Common Internet File System), an SMB-compliant virtual file system. CIFS utilizes advanced network file system features such as locking, Unicode, hardlinks support and others. With CIFS, all network functions, including authentication, are provided in the kernel.
Fedora includes version 3.x of Samba. This version is capable of the following:
- Acts as a Windows NT-style PDC (Primary Domain Controller)
- Provides authentication for Windows domain logins
- Acts as a BDC (Backup Domain Controller) for a Samba PDC
- Joins Windows NT, Windows 2000/2003 and Samba domains as a member server
- Provides WINS (Windows Internet Name Service) name resolution with the nmb component
- Enhances network browsing services
- Joins a Windows AD (Active Directory) domain by utilizing LDAP and Kerberos services
- Acts as a Windows Workgroup server, providing directory trees, files and printers to Windows and Linux/UNIX clients
- Contains built-in Unicode support for internationalization
The current development version (4.x) will address existing limitations of Samba, the most important being the ability of Samba to act as a Windows Active Directory PDC.
How Samba Works
Samba is composed of multiple applications, each of which provides a part of Samba's functionality. Three daemons - smbd, nmbd, and winbindd - are the main components of Samba. Some of the most commonly used command line Samba tools are smbstatus, smbpasswd, findsmb, nmblookup, net, smbclient, smbtar, and testparm.
Samba Daemons
smbd:: The smbd daemon is responsible for the management of all shared resources on the Samba server. It provides file, print and browse services for SMB/CIFS clients, including authentication and resource locking.
nmbd:: The nmbd daemon is the naming service component. nmbd provides WINS functionality to Windows clients, browse lists in the Network Neighborhood and participates in browser elections on the network.
winbindd:: Together with nsswitch, the winbindd service provides access to user and group information stored on the Windows server and is capable of passing a Samba client's authentication requests to the Windows server.
Commonly Used Command Line Utilities
smbstatus:: Reports current connections to shares on a Samba server.
smbpasswd:: Used to set or modify passwords for Samba users.
findsmb:: Used to provide information about SMB/CIFS enabled computers on the network.
nmblookup:: Uses NetBIOS over TCP/IP to translate computer names to IP addresses.
net:: Used for remote administration of Samba servers.
smbclient:: Used by UNIX/Linux client computers to connect to Samba or Windows shared resources.
smbtar:: Utility used to back up data that resides on Samba shares.
testparm:: Utility used to check the syntax of the Samba configuration file (smb.conf).
Installing Samba Server
The default Fedora installation does not include Samba server. To install Samba, run:
su -c "yum install samba"
and enter the root password when prompted. This command will install the two packages needed to run a Samba server:
- samba-common
- samba
The samba package installs the actual Samba server, while the samba-common package includes additional files needed by the Samba server and Samba client. There are two additional optional packages that can also be installed:
- samba-client
- system-config-samba
The samba-client package provides client-side Samba functionality to a Fedora machine. The package allows connectivity to remote Samba or Windows shares with the smbclient command line utility. The system-config-samba package provides a graphical interface to aid with Samba server configuration. This utility is capable of configuring a very limited set of Samba server options and is not covered in this document.
smb.conf
The main configuration file is /etc/samba/smb.conf. It includes a sensible set of configuration options which should be able to cover most, if not all, scenarios. The smb.conf file accepts two types of comments:
- hash symbol (#) is usually used to denote actual comments
- semicolon (;) is usually used to denote unused configuration options
Configuration options are in the format:
name = value
Lines that contain only whitespace are ignored.
The smb.conf file is divided into sections. Each section begins with the section name in brackets and continues until the beginning of the next section. There are three special sections:
[global] section:: Contains configuration parameters for the entire Samba server.
[homes] section:: When defined in the configuration file, this section allows clients to quickly access their home directories.
[printers] section:: When defined, allows users to connect to printers specified in the Samba server's local printcap file.
Samba Configuration
Samba configuration can be customized based on network requirements. This section provides some sample configurations for various Samba implementations, including:
- Standalone workgroup server
- Domain member server (Windows NT-style)
- Primary Domain Controller (Windows NT-style)
- Domain member server in the Windows AD domain
Samba Security Modes
A good understanding of how Samba implements security is essential for proper deployment of a Samba server. Windows NT/2000/2003 SMB (CIFS) only implements two security levels, user-level and share-level security; Samba provides more flexibility by extending Windows-based SMB/CIFS security through its Security Modes. Samba security modes are configured through the smb.conf parameter:
security = <mode>
The available modes are:
share:: In this mode, the client must authenticate against each share. In a Windows world, the share password is set on the share itself. This means that the client does not have to pass the username along with the connection request. Samba always uses the username/password combination, provided through the underlying Linux authentication method - /etc/passwd or /etc/nsswitch.conf. For this mode the smb.conf entry is:
security = share
user:: This is Samba's default security mode. In this mode, authentication is based on the username/password combination. When a client makes a request for a shared resource, the Samba server doesn't "know" which share an authenticating client is allowed to access. For this mode the smb.conf entry is:
security = user
server:: Although still valid, the server security mode is a "legacy" mode, a leftover from times when the Samba software was not able to become a domain member server. This mode allows a Samba server to authenticate connecting clients against the Windows NT-style PDC. There are many shortcomings: the possibility of "account lockout" on the Windows PDC, no assurance that the PDC is the actual machine specified, no support for winbindd/remote user profiles, etc. In this mode, Samba appears to be in user security mode to the clients, while actually passing all the authentication to the PDC. For server security mode to work, two additional parameters must be specified in the smb.conf file:
encrypt passwords = yes
security = server
password server = PDC-NetBIOS-name
domain:: Domain security mode is the mechanism that provides a central database for all user, group and machine account information. This database is stored on the machines that participate in a domain as Domain Controllers. The PDC is responsible for maintaining the integrity of the database and sending regular updates to servers that act as Backup Domain Controllers. The BDC is used for performing account authentication, thus offloading a significant amount of work from the Primary Domain Controller. This is very important for redundancy of large environments, particularly those where a single domain spreads across different physical locations. Having a BDC allows for uninterrupted logins even if the network link to the PDC is "down". Samba participates in domain security mode by virtue of a machine trust account stored in the domain accounts database. This allows a Samba server configured as a BDC to authenticate clients, or to pass the authentication to the Domain Controller if it is configured as a Domain Member Server. A Samba server must join a Windows based domain before it can be configured for domain security mode. To configure Samba for domain security mode:
To /etc/samba/smb.conf add:
security = domain
workgroup = <Domain-Name>
On a Windows PDC, use Server Manager to add the Samba server's machine account to the domain database. On the Samba server run:
net rpc join -U administrator%password
It is not necessary to specify the actual domain name with the previous command - this information is retrieved from the smb.conf file.
ADS:: ADS security mode dictates that the Samba server must join a Windows Active Directory domain. To join an ADS domain, create the Samba server's account in the ADS:
net ads join -U Administrator
Samba is able to join an AD domain either as an NT-style AD domain member using NT-style security (if AD is running in native mode) or as a native AD domain member, which requires Kerberos based authentication services. The latter may be required for domains where security policy prohibits RPC based authentication (NT-style). The smb.conf entry is:
security = ADS
realm = <some.kerberos.realm>
encrypt passwords = yes
Samba is sometimes not able to identify the authentication server from its Kerberos realm name. This often happens on networks with Linux/UNIX style DNS servers if they are not configured to handle the non-standard DNS requirements of the Windows AD DNS implementation. In this case, add the following parameter to the smb.conf:
password server = <kerberos.server.name>
Important Notes For Systems With SELinux Enabled
To achieve proper operation of Samba on SELinux enabled systems follow these few rules:
- If you create a directory that you want to share, label it with the samba_share_t context:
chcon -R -t samba_share_t /home/newdir
To check what context a system directory has, use:
ls -lZd /path-to-systemdir
- To share a system directory, use one of the following:
setsebool -P samba_export_all_ro on
... to provide read-only shares or ...
setsebool -P samba_export_all_rw on
... to provide read-write access to shares.
- By default, SELinux disables sharing of home directories. To enable sharing of home directories, run:
setsebool -P samba_enable_home_dirs on
- To enable the correct operation of Fedora user account command line utilities such as useradd, which allows Samba to run as a domain controller, run:
setsebool -P samba_domain_controller on
Security Considerations
There are several ways to address the security of a Samba server:
- Interface protection
- Host based protection
- User based protection
- Firewall protection
Interface Protection
Add the following parameters to the smb.conf to define which interfaces the Samba services listen on:
interfaces = eth0 lo
bind interfaces only = yes
In the example above, Samba will only listen on the loopback interface and the first Ethernet NIC and ignores all other network interfaces that might be present on the system.
Host Based Protection
Samba, by default, accepts connections from all hosts. To restrict access to a Samba server to only the desired hosts or subnets, configure the following parameters:
hosts allow = 127.0.0.1 192.168.1.0/24
hosts deny = 0.0.0.0/0
This will allow access to the Samba server only to localhost and hosts on the 192.168.1.0/24 subnet.
User Based Protection
To restrict user access to Samba shares globally, use the following parameter in the [global] section of the smb.conf file:
valid users = user1, otheruser, @smballowed
The above configuration allows access to a Samba server to users user1, otheruser, and users who are members of the smballowed user group.
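As an added example (it is not code from this page or from the Samba project), the following Python script ties the smb.conf format described earlier to the interface, host and user protections above: it parses smb.conf syntax (sections, name = value lines, # and ; comments) and reports settings that weaken those protections. The two sample configurations, the share names and the paths inside it are constructed for the demonstration, and the checks cover only the parameters this page discusses; they complement, and do not replace, a testparm run.

```python
import re
from typing import Dict, List

# Constructed sample configs (not from the page). The first follows the
# read-only "policies" scenario but adds a writable guest share; the
# second applies the interface, host and user protections described above.
SAMPLE_WEAK = """
# constructed example, loosely based on the read-only share scenario
[global]
   workgroup = BIGBROTHER
   security = share
; unused option kept for reference
;   hosts allow = 127.0.0.1
[policies]
   path = /home/common/policies
   read only = yes
   guest ok = yes
[scratch]
   path = /tmp/scratch
   writable = yes
   guest ok = yes
"""

SAMPLE_HARDENED = """
[global]
   workgroup = OFFICESPACE
   security = user
   interfaces = eth0 lo
   bind interfaces only = yes
   hosts allow = 127.0.0.1 192.168.1.0/24
   hosts deny = 0.0.0.0/0
[documents]
   path = /data/documents
   read only = no
   valid users = @officespace
"""


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse smb.conf syntax into {section: {parameter: value}}.

    Handles what the format section describes: [section] headers,
    `name = value` lines, blank lines, and comment lines starting with
    # or ;. Section and parameter names are lower-cased and their
    whitespace normalised, because Samba matches them case-insensitively."""
    config: Dict[str, Dict[str, str]] = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank or comment line
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            config.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"line {lineno}: not a [section] or name = value: {raw!r}")
        name, value = line.split("=", 1)
        config[current][" ".join(name.lower().split())] = value.strip()
    return config


def _yes(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def _writable(share: Dict[str, str]) -> bool:
    """`writable`/`writeable` are synonyms for `read only = no`;
    the default for a share is read only."""
    for key in ("writable", "writeable"):
        if key in share:
            return _yes(share[key])
    return not _yes(share.get("read only", "yes"))


def audit(config: Dict[str, Dict[str, str]]) -> List[str]:
    """One finding per setting that weakens the protections described in
    Security Considerations; an empty list means nothing was found."""
    findings: List[str] = []
    g = config.get("global", {})
    if g.get("security", "user").lower() == "share":
        findings.append("global: security = share uses share-level passwords; prefer security = user")
    if "hosts allow" not in g:
        findings.append("global: no 'hosts allow', so connections are accepted from all hosts")
    if not _yes(g.get("bind interfaces only", "no")):
        findings.append("global: 'bind interfaces only' is not set, so Samba listens on every interface")
    elif "interfaces" not in g:
        findings.append("global: 'bind interfaces only = yes' without an 'interfaces' list")
    for name, share in config.items():
        if name == "global":
            continue
        if _yes(share.get("guest ok", "no")) and _writable(share):
            findings.append(f"{name}: guest ok = yes on a writable share")
        if _writable(share) and "valid users" not in share and "valid users" not in g:
            findings.append(f"{name}: writable, but no 'valid users' restriction in the share or [global]")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(f"== {label} ==")
        for finding in audit(parse_smb_conf(text)) or ["no findings"]:
            print("  " + finding)
```

Running the script prints five findings for the weak sample (share-level security, no hosts allow, no interface binding, and a guest-writable share with no valid users) and none for the hardened one; the read-only guest share [policies] is intentionally not flagged, since anonymous read access is what that scenario asks for.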
Firewall Protection
A good practice for securing a Samba server is to use firewall protection combined with the Samba-specific protection described in the previous sections. To configure iptables firewall access to a Samba server from the 192.168.1.0/24 subnet, add the following rules:
iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 137 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 138 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 139 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 445 -j ACCEPT
Samba communicates through:
- 137/UDP port - used by nmbd for NetBIOS name resolution
- 138/UDP port - used by nmbd for NetBIOS network browsing
- 139/TCP port - used by smbd for NetBIOS session service
- 445/TCP port - used by smbd for Microsoft Active Directory services
Inbound traffic on high-order ports [1024:65535] should be denied except for established connections.
Samba And CUPS (Common Unix Printing System)
For detailed CUPS printing instructions, see Using the Common UNIX Printing System. This section covers some capabilities of the CUPS printing system related to Samba.
Basic Features
Samba is pre-compiled with support for CUPS printing. This integration simplifies print serving to SMB/CIFS clients. In a simple scenario, Samba presents CUPS printer queues to the SMB/CIFS clients and passes received print jobs directly to the CUPS for printing. This scenario assumes the SMB/CIFS clients have the appropriate printer drivers installed and are capable of producing print jobs in a format that the printer device understands. In this scenario, the [global] section of the smb.conf file requires only two parameters:
printing = cups
printcap = cups
Printer devices are configured in the [printers] section. For small environments with few printer devices that do not have any specific printing requirements, the default [printers] section should be sufficient. Samba and CUPS provide a lot of flexibility, and each individual printer can be configured through its own [printer] section, which overrides settings in the [global] section. One common example is the need to allow only a set of users or user groups in the organization to print to a device:
[global]
printing = cups
printcap = cups
[printers]
comment = all printers
path = /var/spool/samba
printable = yes
guest ok = yes
use client driver = yes
[restricted_printer]
comment = color laser
path = /var/spool/samba
browseable = no
printable = yes
guest ok = no
valid users = @marketing, boss
use client driver = yes
In the above example, only the user boss and members of the marketing group are allowed to print to the color laser printer.
Advanced Features
Integration of Samba and CUPS printing allows for advanced configurations that provide robust printing solutions, suitable for enterprise environments. For detailed guides and tutorials about the advanced features, refer to the Additional Information section at the bottom of the page.
Samba Linux Client Utilities
To view the list of SMB/CIFS shares on a particular host, run:
smbclient -L <hostname>
To connect to the Samba share on a particular host, run:
smbclient //<hostname>/<sharename>
...and enter the Samba password when prompted. To connect to the Samba share as a different user, specify the user name as an argument to the -U command option:
smbclient -U <userX> //<hostname>/<sharename>
...and enter userX's samba password when prompted. To mount the Samba share on the local directory, as root run:
mount -t cifs //<hostname>/<sharename> /<localdir> -o user=userX
...and enter userX's samba password when prompted. If mounting the Samba share in this fashion, userX will likely encounter various issues with file permissions on the mounted /<localdir>. To avoid these issues, pass the additional options to the mount command:
mount -t cifs //<hostname>/<sharename> /<localdir> -o user=userX,uid=<UID>,file_mode=0644
...where <UID> is the numerical user ID of userX's local account on the client machine. It is also possible to pass userX's Samba password as an option to the mount command:
mount -t cifs //<hostname>/<sharename> /<localdir> -o user=userX,password=<password>,uid=<UID>,file_mode=0644
...and avoid the password prompt on every mount attempt. However, this is not recommended, since the actual password might be visible to others. The recommended way is to use the credentials option:
mount -t cifs //<hostname>/<sharename> /<localdir> -o credentials=<path_to_the_credentials_file>,uid=<UID>,file_mode=0644
The credentials file is an ASCII text file of the format:
username=<samba-user>
password=<samba-password>
root is the only user with permission to run the mount utility. To enable non-privileged users to mount and unmount Samba shares, set SUID on /sbin/mount.cifs and /sbin/umount.cifs. As root, run:
chmod u+s /sbin/mount.cifs /sbin/umount.cifs
Once set, a user can use mount.cifs to mount Samba shares:
/sbin/mount.cifs //<hostname>/<sharename> /<localdir> -o credentials=<path_to_the_credentials_file>,uid=<UID>,file_mode=0644
...or umount.cifs to unmount the share:
/sbin/umount.cifs /<localdir>
To mount Samba shares at boot time, edit the /etc/fstab file and add the line:
//<hostname>/<sharename> /<localdir> cifs <option1>,<option2>,...,<optionX> 0 0
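The credentials file is the one place on the client where the Samba password sits in clear text, so the way it is created matters. The following added Python helpers (not code from the page or from the Samba project) create the file with mode 0400 from the moment it exists, parse it, report the problems a practitioner should fix before referencing it from a mount command or /etc/fstab, and build the corresponding fstab line with the credentials, uid and file_mode options shown above. The user name, password, share and mount point in demo() are constructed; the ownership check expects root because the file is normally created by root for the mount, so demo() filters that finding out when run as an ordinary user.

```python
import os
import stat
import tempfile
from typing import Dict, List


def write_credentials(path: str, username: str, password: str, domain: str = "") -> None:
    """Create the credentials file with mode 0400 from the first instant it
    exists (O_EXCL also refuses to overwrite an existing file), so there is
    no window in which another user can read the password."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o400)
    with os.fdopen(fd, "w") as fh:
        fh.write(f"username={username}\npassword={password}\n")
        if domain:
            fh.write(f"domain={domain}\n")


def parse_credentials(path: str) -> Dict[str, str]:
    """Read the username=/password=/domain= lines mount.cifs expects."""
    creds: Dict[str, str] = {}
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            creds[key.strip()] = value.strip()
    return creds


def check_credentials(path: str) -> List[str]:
    """Problems to fix before the file is used: accessible to anyone but
    the owner, not owned by root, or missing a mandatory line."""
    problems: List[str] = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path}: mode {mode:04o} is accessible to group or others; expected 0400")
    if st.st_uid != 0:
        problems.append(f"{path}: owned by uid {st.st_uid}, expected root")
    creds = parse_credentials(path)
    for key in ("username", "password"):
        if key not in creds:
            problems.append(f"{path}: missing {key}= line")
    return problems


def fstab_line(share: str, mountpoint: str, credentials: str, uid: int) -> str:
    """The /etc/fstab entry for a boot-time mount that reads the password
    from the credentials file instead of carrying it inline."""
    return f"{share} {mountpoint} cifs credentials={credentials},uid={uid},file_mode=0644 0 0"


def demo() -> Dict[str, object]:
    """Exercise the helpers in a temporary directory with constructed values."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, ".smbcreds")
    write_credentials(path, "milton", "constructed-not-a-real-password")
    result: Dict[str, object] = {
        "creds": parse_credentials(path),
        "mode": stat.S_IMODE(os.stat(path).st_mode),
        # the ownership finding depends on who runs this; keep the permission findings
        "problems_initial": [p for p in check_credentials(path) if "owned by" not in p],
        "fstab": fstab_line("//fileserver/documents", "/mnt/documents", path, 1000),
    }
    os.chmod(path, 0o644)  # simulate a carelessly created file
    result["problems_after_chmod"] = [p for p in check_credentials(path) if "owned by" not in p]
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Creating the file with the final mode in the open() call, rather than writing it and running chmod afterwards, is the detail that matters: a chmod after the fact leaves a moment in which a default umask of 022 has exposed the password to every local user.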
Common Scenarios - Sample Configuration Files
Requirement: Allow all users to view company's policies on Internet and Email usage, without the ability to alter files.
Solution:
- Create directory /home/common/policies
- Copy all related documents to /home/common/policies
- Create [policies] section in smb.conf that allows anonymous access
Use the following smb.conf to achieve this:
[global]
workgroup = BIGBROTHER
security = share
[policies]
path = /home/common/policies
read only = yes
guest ok = yes
Small Office Network
Environment: Translation services office with three client PCs (Windows XP) networked in an OFFICESPACE workgroup. MS Word documents and MS Excel spreadsheets are shared from each PC. Network-capable laser printer that accepts direct printing from workstations.
Requirements: Provide central storage for documents, writable for all users and centrally managed raw print queue, with print drivers locally installed on each workstation.
Solution:
1. Install Fedora and Samba server on a new server
2. Create group officespace on the server:
groupadd officespace
3. Create user milton on the server:
useradd milton
passwd milton
Changing password for user milton.
New UNIX password: ********
Retype new UNIX password: ********
passwd: all authentication tokens updated successfully.
4. Create the directory structure that will contain documentation and be shared via Samba:
mkdir -p /data/documents/{translations,spreadsheets}
chown -R milton.officespace /data/documents
chmod -R ug+rwxs,o+rx,o-w /data/documents
5. Create accounts for three users in the office and add all of them to the officespace group.
6. Create a CUPS print queue on the server:
lpadmin -p prn1 -v socket://192.168.1.11:9100 -E
...and enable the CUPS queue for raw printing by uncommenting the line:
#application/octet-stream application/vnd.cups-raw 0 -
...in the /etc/cups/mime.convs file and uncommenting the line:
#application/octet-stream
...in the /etc/cups/mime.types file.
7. Create the following /etc/smb.conf file:
[global]
workgroup = OFFICESPACE
netbios name = Stapler
server string = Office Samba Server
security = share
load printers = yes
printing = CUPS
printcap name = CUPS
[documents]
comment = Office Documentation
path = /data/documents
read only = no
force user = milton
force group = officespace
[printers]
comment = Laser Print Spool
path = /var/spool/samba
printable = yes
guest ok = yes
use client driver = yes
8. Enable the Samba and print daemons at boot time:
chkconfig smb on
chkconfig cups on
...and start both services:
service smb start
service cups start
9. Reconfigure workstations to become members of the OFFICESPACE workgroup and to use the Samba-shared printer.
NT-style Domain
Environment: Corporate headquarters, with 50 users, 60 Windows XP and Fedora client computers, used in Sales and Marketing, Finance, Information Services and Management departments. Several HP Laser Jet printers and a color laser printer. Subnet address is 192.168.1.0/24. IP addresses 192.168.1.2 - 192.168.1.10 are reserved for various servers, .10 for Samba server. IP addresses 192.168.1.11-192.168.1.20 are reserved for network printers. DHCP server assigns host address from the address pool 192.168.1.101 - 192.168.1.200 to client computers.
Requirements:
- NT Domain-like logon services, using encrypted passwords
- Each department has own file storage area, writable only by users from that department and accessible read-only by Management
- Each user has own home drive, accessible only by user and not visible by anybody else
- Common file storage area, writable for all users
- Server-based user profiles for Windows users, providing the ability to use any Windows PC on the network, while retaining access to their own settings and data
- Dedicated printers for Management and Finance, not accessible to other departments
- Dedicated color printer for Marketing
Solution:
1. Install Fedora and Samba server on a dedicated server computer
2. Configure network interface eth0 with the IP address 192.168.1.10/24
3. Configure the iptables firewall to deny access to all services, except for ports 137, 138 (UDP) and 139, 445 (TCP)
4. Create the following directories for Samba shares:
mkdir /home/{management,finance,technical,sales,general}
...and the directory for storing user profiles:
mkdir -p /home/samba/profiles
5. Create user groups: management, sales, finance, technical, general:
for i in management sales finance technical general
do
groupadd $i
done
...and corresponding user accounts, needed for simplified management of file permissions on shared directories:
for i in management sales finance technical general
do
useradd -g $i $i
done
6. Create Linux accounts for users, so that a user's primary group is the user's department group and a secondary group is general. Windows users do not need a shell environment on a Samba server, while IS team members all use Fedora clients and often require access to the Samba server through terminal based SSH sessions, and thus need a full shell environment on the server. Examples:
useradd -g finance -G general -d /home/users/payroll_guy -s /bin/false payroll_guy
useradd -g technical -G general -d /home/users/stickster -s /bin/bash stickster
7. Set Linux passwords for each user:
passwd <username>
8. Set the appropriate file and directory permissions on shared directories:
chown -R finance.finance /home/finance
chmod -R ug+rwxs,o+rx,o-w /home/finance
chown -R management.management /home/management
chmod -R ug+rwxs,o-rwx /home/management
chown -R sales.sales /home/sales
chmod -R ug+rwxs,o+rx,o-w /home/sales
chown -R technical.technical /home/technical
chmod -R ug+rwxs,o+rx,o-w /home/technical
chown -R general.general /home/general
chmod -R ug+rwxs,o+rx,o-w /home/general
chmod o+rwt /home/samba/profiles
9. Create appropriate CUPS print queues:
lpadmin -p prn1 -v socket://192.168.1.11:9100 -E
lpadmin -p prn2 -v socket://192.168.1.12:9100 -E
lpadmin -p prn3 -v socket://192.168.1.13:9100 -E
lpadmin -p prn4 -v socket://192.168.1.14:9100 -E
for i in prn{1,2,3,4}
do
cupsenable $i
done
for i in prn{1,2,3,4}
do
cupsaccept $i
done
10. Configure SELinux to allow Samba shares. Allow sharing of the previously created directories:
for dir in management finance technical sales general; do chcon -R -t samba_share_t /home/$dir; done
Enable sharing of home directories:
setsebool -P samba_enable_home_dirs on
Enable Samba Domain operations:
setsebool -P samba_domain_controller on
11. Move the default smb.conf file aside and use it as a help reference:
mv /etc/samba/smb.conf /etc/samba/smb.conf.orig
12. Create a new /etc/samba/smb.conf file:
[global]
workgroup = CORPHQ
netbios name = WEREWOLF
server string = Corporate Samba Domain Controller
admin users = root, stickster
hosts allow = 127.0.0.1 192.168.1.0/24
printing = cups
printcap name = cups
load printers = yes
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
security = user
passdb backend = tdbsam
domain logons = yes
domain master = yes
logon path = \\%L\Profiles\%U
logon drive = H:
add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
name resolve order = wins lmhosts bcast
wins support = yes
wins proxy = no
hide dot files = yes
[homes]
comment = Home Directories
browseable = no
writable = yes
[Profiles]
path = /home/samba/profiles
read only = No
create mask = 0700
directory mask = 0700
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
printable = yes
use client driver = yes
[management]
comment = Management Share
browseable = yes
writable = yes
path = /home/management
valid users = @management
force user = management
force group = management
create mask = 0770
directory mask = 0770
[finance]
comment = Finance Share
browseable = yes
writable = yes
path = /home/finance
valid users = @finance
read list = @management
force user = finance
force group = finance
create mask = 0770
directory mask = 0770
[general]
comment = General Share
browseable = yes
writable = yes
path = /home/groups/general
valid users = @general
read list = @management
force user = general
force group = general
create mask = 0770
directory mask = 0770
[technical]
comment = Technical Share
browseable = yes
writable = yes
path = /home/groups/technical
valid users = @technical
read list = @management
write list = @technical
force user = technical
force group = technical
create mask = 0775
directory mask = 0775
[Sales]
comment = Sales And Marketing Share
browseable = yes
writable = yes
path = /home/groups/sales
valid users = @sales
read list = @management
force user = sales
force group = sales
create mask = 0770
directory mask = 0770
[prn1]
comment = Management Department Printer
path = /var/spool/samba
browseable = no
printable = yes
guest ok = no
valid users = @management
use client driver = yes
[prn2]
comment = Finance Department Printer
path = /var/spool/samba
browseable = no
printable = yes
guest ok = no
valid users = @finance
use client driver = yes
[prn3]
comment = Sales Department Printer
path = /var/spool/samba
browseable = no
printable = yes
guest ok = no
valid users = @sales
use client driver = yes
13. Create Samba accounts for all users:
smbpasswd -a <username>
Enter the user's password when prompted.
14. Enable the Samba and print daemons at boot time:
chkconfig smb on
chkconfig cups on
...and start both services:
service smb start
service cups start
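The directory permissions set in the chown/chmod step of this scenario are easy to get subtly wrong (a setgid bit that was never applied, a profiles directory left without the sticky bit), and the failure is silent until a file turns up with the wrong group or a user deletes another user's profile directory. The following is an added Python check, not part of the page and not Samba's own tooling, that audits share directories against that layout: department directories need group rwx plus setgid (the bit that makes new files inherit the department group), must never be writable by others, and are readable by others only where the chmod line allowed o+rx; the profiles directory must be world-writable with the sticky bit. The temporary tree and the one deliberate mistake in demo() are constructed; the expected bits come from the chmod lines above. It checks mode bits only: ownership by the department user and group, and the samba_share_t label, still have to be verified separately.

```python
import os
import stat
import tempfile
from typing import Dict, List


def audit_share_dir(path: str, *, others_may_read: bool, profiles: bool = False) -> List[str]:
    """Return findings for one directory; an empty list means it matches
    the layout. `others_may_read` mirrors o+rx versus o-rwx in the chmod
    lines; `profiles` selects the world-writable-plus-sticky rule used for
    the roaming profile directory."""
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path}: not a directory"]
    mode = stat.S_IMODE(st.st_mode)
    findings: List[str] = []
    if profiles:
        if not mode & stat.S_IWOTH:
            findings.append(f"{path}: not world-writable; profile directories cannot be created on the fly")
        if not mode & stat.S_ISVTX:
            findings.append(f"{path}: sticky bit missing; any user could delete or rename other users' profiles")
        return findings
    if mode & stat.S_IRWXG != stat.S_IRWXG:
        findings.append(f"{path}: group lacks rwx (mode {mode:04o})")
    if not mode & stat.S_ISGID:
        findings.append(f"{path}: setgid bit missing; new files will not inherit the department group")
    if mode & stat.S_IWOTH:
        findings.append(f"{path}: writable by others (mode {mode:04o})")
    if not others_may_read and mode & (stat.S_IROTH | stat.S_IXOTH):
        findings.append(f"{path}: accessible to others, but this share is meant to be o-rwx")
    return findings


def demo() -> Dict[str, List[str]]:
    """Build a constructed copy of the layout in a temporary directory,
    including one deliberate mistake, and audit each directory."""
    root = tempfile.mkdtemp()
    # constructed layout: (mode to apply, audit options); comments give the
    # chmod spelling from the scenario that produces that mode
    layout = {
        "finance": (0o2775, dict(others_may_read=True)),      # ug+rwxs,o+rx,o-w
        "management": (0o2770, dict(others_may_read=False)),  # ug+rwxs,o-rwx
        "sales": (0o0775, dict(others_may_read=True)),        # mistake: setgid never applied
        os.path.join("samba", "profiles"): (0o1777, dict(others_may_read=True, profiles=True)),  # o+rwt
    }
    report: Dict[str, List[str]] = {}
    for name, (mode, opts) in layout.items():
        path = os.path.join(root, name)
        os.makedirs(path)
        os.chmod(path, mode)
        report[os.path.basename(name)] = audit_share_dir(path, **opts)
    return report


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {'ok' if not findings else '; '.join(findings)}")
```

The check is written to be run on the real /home/finance, /home/management and /home/samba/profiles paths after the chmod step; demo() only stands in for those paths so the example runs anywhere.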
Additional Information
Detailed Samba documentation, tutorials and FAQs are located at:
Related Web Sites
Related Manuals
Find out more about specific Samba daemons and client-side utilities from the man pages included with the Samba installation:
- smbd(8)
- nmbd(8)
- winbindd(8)
- samba_selinux(8)
- smb.conf(5)
- smbclient(1)
- smbstatus(1)
- smbpasswd(8)
- findsmb(1)
- nmblookup(1)
- net(8)
- smbtar(1)
- testparm(1)
Further Reading
For aspiring and accomplished Samba administrators, some essential reading is: Using Samba 2nd edition. It covers Samba releases 2.2.x and 3.0.x.