35.3 Configuring a Samba Server
A Samba server in SUSE® Linux Enterprise can be configured in two
different ways: with YaST or manually.
Manual configuration offers a higher level of detail, but
lacks the convenience of the
YaST GUI.
35.3.1 Configuring a Samba Server with YaST
To configure a Samba server, start
YaST and select . When starting the module for
the first time, the dialog
starts, prompting you to make just a few basic decisions concerning
administration of the server. At the end of the configuration, it
prompts for the password of Samba root. For later starts,
the dialog appears.
The dialog consists of two steps:
- Workgroup or Domain
Name
-
Select an
existing name from
or enter a new one and click
.
- Samba Server Type
-
In the next step, specify whether your
server should act as PDC and click
.
You can change all settings from later in the
dialog with the
tab.
Advanced Samba Configuration with YaST
During the first start of the Samba server module, the
dialog appears
directly after
dialog. Use it to adjust your Samba server configuration.
After editing your configuration, click to
close the configuration.
Starting the Server
In the tab, configure the
start of the Samba server. To start the service every time
your system boots, select . To
activate manual start, choose .
More information about starting a Samba server is provided
in Section 35.2,
Starting and Stopping Samba.
In this tab, you can also open ports in
your firewall. To do so, select . If you have multiple network
interfaces, select the network interface for
Samba services by clicking
, selecting the
interfaces, and clicking .
Shares
In the tab, determine the Samba
shares to activate. There are some predefined shares, like
homes and printers. Use
to switch between and
. Click
to add new shares and
to delete the selected share.
Identity
In the
tab, you can
determine the domain with which the host is associated
() and
whether to use an alternative hostname in the network
(). To set expert global settings or
set user
authentication, click .
35.3.2 Web Administration with SWAT
An alternative tool for Samba server administration is SWAT (Samba Web
Administration Tool).
It provides a simple Web interface with which to configure the
Samba server. To use SWAT,
open https://localhost:901 in a Web browser and log in as
user root.
If you do not have a special Samba root account, use the system
root account.
NOTE: Activating SWAT
After Samba server installation, SWAT is not
activated. To activate it, open
in YaST, enable the network services configuration,
select from the table, and click .
35.3.3 Configuring the Server Manually
If you intend to use Samba as a server,
install samba.
The main configuration file of Samba is
/etc/samba/smb.conf. This file can be divided into two
logical parts. The [global] section contains the central
and global settings. The [share] sections contain the
individual file and printer shares. By means of this approach, details
regarding the shares can be set differently or globally in the
[global] section, which enhances the structural
transparency of the configuration file.
The global Section
The following parameters of the [global] section
need some adjustment to match the requirements of your network setup so
other machines can access your Samba server via
SMB in a Windows environment.
- workgroup = TUX-NET
-
This line assigns the Samba server to a
workgroup. Replace TUX-NET with an
appropriate workgroup of your networking environment. Your
Samba server appears under its DNS name
unless this name has been assigned to any other machine in the
network. If the DNS name is not available, set the server name using
netbiosname=MYNAME. See
man smb.conf for more details about
this parameter.
- os level = 2
-
This parameter determines whether your
Samba server tries to become LMB (local
master browser) for its workgroup. Choose a very low value to
spare the existing Windows network from any disturbances caused by a
misconfigured Samba server. More information
about this important topic can be found in the files
BROWSING.txt and
BROWSING-Config.txt under the
textdocs subdirectory of the package
documentation.
If no other SMB server is present in your network (such as a Windows NT
or 2000 server) and you want the Samba
server to keep a list of all systems present in the local environment,
set the os level to a higher value (for example,
65). Your Samba server
is then chosen as LMB for your local network.
When changing this setting, consider carefully how this could
affect an existing Windows network environment. First test
the changes in an isolated network or at a noncritical time of day.
- wins support and wins server
-
To integrate your Samba
server into an existing Windows network with an active WINS server,
enable the wins server option and set its value
to the IP address of that WINS server.
If your Windows machines are connected to separate subnets and
should still be aware of each other, you need to set up a WINS server.
To turn a Samba server into such a WINS
server, set the option wins support = Yes. Make sure
that only one Samba server of the network has
this setting enabled.
The options wins server and wins
support must never be enabled at the same time in your
smb.conf file.
Shares
The following examples illustrate how a CD-ROM drive and the user
directories (homes) are made available to
the SMB clients.
- [cdrom]
-
To avoid having the CD-ROM drive accidentally made available, these
lines are deactivated with comment marks (semicolons in this case).
Remove the semicolons in the first column to share the CD-ROM drive with
Samba.
Example 35-1 A CD-ROM Share
;[cdrom]
;   comment = Linux CD-ROM
;   path = /media/cdrom
;   locking = No
- [cdrom] and comment
-
The entry [cdrom] is the name of the share
that can be seen by all SMB clients on the network. An additional
comment can be added to further describe the
share.
- path = /media/cdrom
-
path exports the directory
/media/cdrom.
By means of a very restrictive default configuration, this kind of
share is only made available to the users present on this system. If
this share should be made available to everybody, add a line
guest ok = yes to the configuration. This setting
gives read permissions to anyone on the network. It is recommended to
handle this parameter with great care. This applies even more to the use
of this parameter in the [global]
section.
- [homes]
-
The [homes] share is of special
importance here. If the user has a valid account and password for the
Linux file server and his own home directory, he can be connected to
it.
Example 35-2 homes Share
[homes]
    comment = Home Directories
    valid users = %S
    browseable = No
    read only = No
    create mask = 0640
    directory mask = 0750
- [homes]
-
As long as there is no other share using the share name of the
user connecting to the SMB server, a share is dynamically generated
using the [homes] share directives. The resulting
name of the share is the username.
- valid users = %S
-
%S is replaced with the concrete name of the
share as soon as a connection has been successfully established. For
a [homes] share, this is always the
username. As a consequence, access rights to a user's share
are restricted exclusively to the user.
- browseable = No
-
This setting makes the share invisible in the network
environment.
- read only = No
-
By default, Samba prohibits write
access to any exported share by means of the read only =
Yes parameter. To make a share writable, set the value
read only = No, which is synonymous with
writable = Yes.
- create mask = 0640
-
Systems that are not based on MS Windows NT do not understand
the concept of UNIX permissions, so they cannot assign permissions
when creating a file. The parameter create mask
defines the access permissions assigned to newly created files. This
only applies to writable shares. In effect, this setting means the
owner has read and write permissions and the members of the owner's
primary group have read permissions. valid users =
%S prevents read access even if the group has read
permissions. For the group to have read or write
access, deactivate the line valid users = %S.
Security Levels
To improve security, each share access can be
protected with a password. SMB has three possible ways of checking the
permissions:
- Share Level Security (security = share)
-
A password is firmly assigned to a share. Everyone who knows this
password has access to that share.
- User Level Security (security = user)
-
This variation introduces the concept of the user to SMB. Each user
must register with the server with his own password. After registration,
the server can grant access to individual exported shares dependent on
usernames.
- Server Level Security (security = server)
-
To its clients, Samba pretends to be
working in user level mode. However, it passes all password queries to
another user level mode server, which takes care of authentication. This
setting expects an additional parameter (password
server).
The selection of share, user, or server level security applies
to the entire server. It is not possible to offer individual shares of a
server configuration with share level security and others with user level
security. However, you can run a separate Samba
server for each configured IP address on a system.
More information about this subject can be found in the Samba HOWTO
Collection. For multiple servers on one system, pay attention to
the options interfaces and bind interfaces
only.
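The settings this section warns about (wins support together with wins server, guest ok = yes, and security = share) can be checked mechanically before a configuration goes live. The following auditor is an added example, not part of the SUSE documentation or of Samba; the sample configuration, the [public] share, the address, and the function names are constructed for illustration.

```python
# Added example: audit an smb.conf for the risky settings this section describes.
SAMPLE = """\
[global]
    workgroup = TUX-NET
    security = share
    wins support = Yes
    wins server = 192.0.2.10
;[cdrom]
;   path = /media/cdrom
[public]
    path = /srv/public
    Guest OK = yes
[homes]
    valid users = %S
    read only = No
"""  # constructed sample; the [public] share and the address are hypothetical

TRUE = {"yes", "true", "1"}  # boolean spellings smb.conf accepts as "on"

def parse(text):
    """Return {section: {parameter: value}} with names normalized."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":      # blank or commented-out line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            # smb.conf ignores case and whitespace in parameter names
            conf[section]["".join(key.lower().split())] = value.strip()
    return conf

def audit(text):
    """Return a list of findings for the settings discussed above."""
    conf = parse(text)
    glob = conf.get("global", {})
    findings = []
    if glob.get("winssupport", "no").lower() in TRUE and glob.get("winsserver"):
        findings.append("global: wins support and wins server are both enabled")
    if glob.get("security", "").lower() == "share":
        findings.append("global: security = share, one shared password per share")
    for name, params in conf.items():
        if params.get("guestok", "no").lower() in TRUE:
            scope = "every share" if name == "global" else "this share"
            findings.append(f"{name}: guest ok = yes opens {scope} to anyone on the network")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

To check a real server, pass the contents of /etc/samba/smb.conf to audit() instead of SAMPLE. The commented-out [cdrom] share is skipped, as Samba itself would skip it.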