The default configuration file
(/etc/samba/smb.conf) allows users to view their
home directories as a Samba share. It also shares all printers
configured for the system as Samba shared printers. In other words, you
can attach a printer to the system and print to it from the Windows
machines on your network.
To configure Samba using a graphical interface, use the
Samba Server Configuration Tool. For command line configuration,
skip to Section 23.2.2 Command Line Configuration.
The Samba Server Configuration Tool is a graphical interface
for managing Samba shares, users, and basic server settings. It
modifies the configuration files in the
/etc/samba/ directory. Any changes to these files
not made using the application are preserved.
To use this application, you must be running the X Window System, have
root privileges, and have the system-config-samba
RPM package installed. To start the
Samba Server Configuration Tool from the desktop, go to the
Main Menu Button (on the Panel) =>
System Settings =>
Server Settings =>
Samba or type the command
system-config-samba at a shell prompt (for example,
in an XTerm or a GNOME terminal).
Figure 23-1. Samba Server Configuration Tool
Note
The Samba Server Configuration Tool does not display shared
printers or the default stanza that allows users to view their own
home directories on the Samba server.
The first step in configuring a Samba server is to configure the
basic settings for the server and a few security options. After
starting the application, select Preferences =>
Server Settings from the pulldown
menu. The Basic tab is displayed as shown in
Figure 23-2.
Figure 23-2. Configuring Basic Server Settings
On the Basic tab, specify which workgroup the
computer should be in as well as a brief description of the
computer. They correspond to the workgroup and
server string options in
smb.conf.
Figure 23-3. Configuring Security Server Settings
The Security tab contains the following
options:
Authentication Mode — This
corresponds to the security option. Select
one of the following types of authentication.
ADS — The Samba server acts
as a domain member in an Active Directory Domain (ADS)
realm. For this option, Kerberos must be installed and
configured on the server, and Samba must become a member of
the ADS realm using the net utility, which
is part of the samba-client
package. Refer to the net man page for
details. This option does not configure Samba to be an ADS
Controller. Specify the realm of the Kerberos server in the
Kerberos Realm field.
Note
The Kerberos Realm field must be
supplied in all uppercase letters, such as
EXAMPLE.COM.
Use of your Samba server as a domain member in an ADS
realm assumes proper configuration of Kerberos, including
the /etc/krb5.conf file.
Domain — The Samba server
relies on a Windows NT Primary or Backup Domain Controller to
verify the user. The server passes the username and password
to the Controller and waits for it to return. Specify the
NetBIOS name of the Primary or Backup Domain Controller in the
Authentication Server field.
The Encrypted Passwords option must
be set to Yes if this is selected.
Server — The Samba server
tries to verify the username and password combination by
passing them to another Samba server. If it can not, the
server tries to verify using the user authentication
mode. Specify the NetBIOS name of the other Samba server in
the Authentication Server field.
Share — Samba users do not
have to enter a username and password combination on a per
Samba server basis. They are not prompted for a username and
password until they try to connect to a specific shared
directory from a Samba server.
User — (Default) Samba users
must provide a valid username and password on a per Samba
server basis. Select this option if you want the
Windows Username option to work. Refer
to Section 23.2.1.2 Managing Samba Users for details.
Encrypt Passwords — This option
must be enabled if the clients are connecting from a system with
Windows 98, Windows NT 4.0 with Service Pack 3, or other more
recent versions of Microsoft Windows. The passwords are
transfered between the server and the client in an encrypted
format instead of as a plain-text word that can be
intercepted. This corresponds to the encrypted
passwords option. Refer to Section 23.2.3 Encrypted Passwords for more information
about encrypted Samba passwords.
Guest Account — When users or
guest users log into a Samba server, they must be mapped to a
valid user on the server. Select one of the existing usernames on
the system to be the guest Samba account. When guests log in to
the Samba server, they have the same privileges as this
user. This corresponds to the guest account
option.
After clicking OK, the changes are written to
the configuration file and the daemon is restart; thus, the changes
take effect immediately.
The Samba Server Configuration Tool requires that an
existing user account be active on the system acting as the
Samba server before a Samba user can be added. The Samba user is
associated with the existing user account.
Figure 23-4. Managing Samba Users
To add a Samba user, select Preferences =>
Samba Users from the pulldown menu, and
click the Add User button. In the
Create New Samba User window select a
Unix Username from the list of existing users
on the local system.
If the user has a different username on a Windows machine and needs
to log into the Samba server from the Windows machine, specify
that Windows username in the Windows Username
field. The Authentication Mode on the
Security tab of the Server
Settings preferences must be set to
User for this option to work.
Also configure a Samba Password for the Samba
User and confirm it by typing it again. Even if you
select to use encrypted passwords for Samba, it is recommended that
the Samba passwords for all users are different from their
system passwords.
To edit an existing user, select the user from the list, and click
Edit User. To delete an existing Samba user,
select the user, and click the Delete User
button. Deleting a Samba user does not delete the associated system
user account.
The users are modified immediately after clicking the
OK button.
To create a Samba share, click the Add button
from the main Samba configuration window.
Figure 23-5. Adding a Share
The Basic tab configures the following options:
Directory — The directory to
share via Samba. The directory must exist before it can be entered
here.
Share name — The actual name of
the share that is seen from remote machines. By default, it is the
same value as Directory, but can be
configured.
Descriptions — A brief
description of the share.
Basic Permissions — Whether users
should only be able to read the files in the shared directory or
whether they should be able to read and write to the shared
directory.
On the Access tab, select whether to allow only
specified users to access the share or whether to allow all Samba
users to access the share. If you select to allow access to specific
users, select the users from the list of available Samba users.
Samba uses /etc/samba/smb.conf as its configuration
file. If you change this configuration file, the changes do not take
effect until you restart the Samba daemon with the command
service smb restart.
To specify the Windows workgroup and a brief description of the Samba
server, edit the following lines in your smb.conf
file:
workgroup = WORKGROUPNAME
server string = BRIEF COMMENT ABOUT SERVER
Replace WORKGROUPNAME with the name of the
Windows workgroup to which this machine should belong. The
BRIEF COMMENT ABOUT SERVER is optional and
is used as the Windows comment about the Samba system.
To create a Samba share directory on your Linux system, add the
following section to your smb.conf file (after
modifying it to reflect your needs and your system):
[sharename]
comment = Insert a comment here
path = /home/share/
valid users = tfox carole
public = no
writable = yes
printable = no
create mask = 0765
The above example allows the users tfox and carole to read and write to
the directory /home/share, on the Samba server,
from a Samba client.
Encrypted passwords are enabled by default because
it is more secure. If encrypted passwords are not used, plain text
passwords are used, which can be intercepted by someone using a
network packet sniffer. It is recommended that encrypted passwords be
used.
The Microsoft SMB Protocol originally used plain text passwords.
However, Windows NT 4.0 with Service Pack 3 or higher, Windows 98,
Windows 2000, Windows ME, and Windows XP require encrypted Samba
passwords. To use Samba between a Linux system and a system running
one of these Windows operating systems, you can either edit your
Windows registry to use plaintext passwords or configure Samba on your
Linux system to use encrypted passwords. If you choose to modify your
registry, you must do so for all of your Windows machines — this
is risky and may cause further conflicts. It is recommended that you
use encrypted passwords for better security.
To configure Samba to use encrypted passwords, follow these steps:
Create a separate password file for Samba. To create one
based on your existing /etc/passwd file, at a
shell prompt, type the following command:
The mksmbpasswd.sh script is
installed in your /usr/bin directory with
the samba package.
Change the permissions of the Samba password file so that only
root has read and write permissions:
chmod 600 /etc/samba/smbpasswd
The script does not copy user passwords to the new file, and a
Samba user account is not active until a password is set for it.
For higher security, it is recommended that the user's Samba
password be different from the user's system password. To set each
Samba user's password, use the following command (replace
username with each user's username):
smbpasswd username
Encrypted passwords must be enabled. Since they are enabled by
default, they do not have to be specifically enabled in the
configuration file. However, they can not be disabled in the
configuration file either. In the file
/etc/samba/smb.conf, verify that the
following line does not exist:
encrypt passwords = no
If it does exist but is commented out with a semi-colon
(;) at the beginning of the line,
then the line is ignored, and encrypted passwords are enabled. If
this line exists but is not commented out, either remove it or
comment it out.
To specifically enable encrypted passwords in the configuration
file, add the following lines to
etc/samba/smb.conf:
Make sure the smb service is started by
typing the command service smb restart at a
shell prompt.
If you want the smb service to start
automatically, use ntsysv,
chkconfig, or the
Services Configuration Tool to enable it at
runtime. Refer to Chapter 20 Controlling Access to Services for details.
The pam_smbpass PAM module can be used to sync
users' Samba passwords with their system passwords when the
passwd command is used. If a user invokes the
passwd command, the password he uses to log in to
the Red Hat Enterprise Linux system as well as the password he must provide to connect to
a Samba share are changed.
To enable this feature, add the following line to
/etc/pam.d/system-auth below the
pam_cracklib.so invocation:
On the server that is sharing directories via Samba, the
smb service must be running.
View the status of the Samba daemon with the following command:
/sbin/service smb status
Start the daemon with the following command:
/sbin/service smb start
Stop the daemon with the following command:
/sbin/service smb stop
To start the smb service at boot time, use the command:
/sbin/chkconfig --level 345 smb on
You can also use chkconfig,
ntsysv, or the
Services Configuration Tool to configure which
services start at boot time. Refer to Chapter 20 Controlling Access to Services for
details.
Tip
To view active connections to the system, execute the command
smbstatus.
