19.6. Samba Server Types and the smb.conf File

19.6. Samba Server Types and the smb.conf File

19.6. Samba Server Types and the smb.conf File

Samba configuration is straightforward. All modifications to Samba are done in the /etc/samba/smb.conf configuration file. Although the default smb.conf file is well documented, it does not address complex topics such as LDAP, Active Directory, and the numerous domain controller implementations.

The following sections describe the different ways a Samba server can be configured. Keep in mind your needs and the changes required to the smb.conf file for a successful configuration.

19.6.1. Stand-alone Server

A stand-alone server can be a workgroup server or a member of a workgroup environment. A stand-alone server is not a domain controller and does not participate in a domain in any way. The following examples include several anonymous share-level security configurations and one user-level security configuration. For more information on share-level and user-level security modes, refer to Section 19.7, “Samba Security Modes”.

19.6.1.1. Anonymous Read-Only

The following smb.conf file shows a sample configuration needed to implement anonymous read-only file sharing. The security = share parameter makes a share anonymous. Note, security levels for a single Samba server cannot be mixed. The security directive is a global Samba parameter located in the [global] configuration section of the smb.conf file.

[global] 
workgroup = DOCS 
netbios name = DOCS_SRV 
security = share  
[data] 
comment = Documentation Samba Server 
path = /export 
read only = Yes 
guest only = Yes

19.6.1.2. Anonymous Read/Write

The following smb.conf file shows a sample configuration needed to implement anonymous read/write file sharing. To enable anonymous read/write file sharing, set the read only directive to no. The force user and force group directives are also added to enforce the ownership of any newly placed files specified in the share.

Note

Although having an anonymous read/write server is possible, it is not recommended. Any files placed in the share space, regardless of user, are assigned the user/group combination as specified by a generic user (force user) and group (force group) in the smb.conf file.

[global] 
workgroup = DOCS 
netbios name = DOCS_SRV 
security = share  
[data] 
comment = Data 
path = /export 
force user = docsbot 
force group = users 
read only = No 
guest ok = Yes

19.6.1.3. Anonymous Print Server

The following smb.conf file shows a sample configuration needed to implement an anonymous print server. Setting browseable to no as shown does not list the printer in Windows Network Neighborhood. Although hidden from browsing, configuring the printer explicitly is possible. By connecting to DOCS_SRV using NetBIOS, the client can have access to the printer if the client is also part of the DOCS workgroup. It is also assumed that the client has the correct local printer driver installed, as the use client driver directive is set to Yes. In this case, the Samba server has no responsibility for sharing printer drivers to the client.

[global] 
workgroup = DOCS 
netbios name = DOCS_SRV 
security = share 
printcap name = cups 
disable spools= Yes 
show add printer wizard = No 
printing = cups  
[printers] 
comment = All Printers 
path = /var/spool/samba 
guest ok = Yes 
printable = Yes 
use client driver = Yes 
browseable = Yes

19.6.1.4. Secure Read/Write File and Print Server

The following smb.conf file shows a sample configuration needed to implement a secure read/write print server. Setting the security directive to user forces Samba to authenticate client connections. Notice the [homes] share does not have a force user or force group directive as the [public] share does. The [homes] share uses the authenticated user details for any files created as opposed to the force user and force group in [public].

[global] 
workgroup = DOCS 
netbios name = DOCS_SRV 
security = user 
printcap name = cups 
disable spools = Yes 
show add printer wizard = No 
printing = cups  
[homes] 
comment = Home Directories 
valid users = %S 
read only = No 
browseable = No  
[public] 
comment = Data 
path = /export 
force user = docsbot 
force group = users 
guest ok = Yes  
[printers] 
comment = All Printers 
path = /var/spool/samba 
printer admin = john, ed, @admins 
create mask = 0600 
guest ok = Yes 
printable = Yes 
use client driver = Yes 
browseable = Yes

19.6.2. Domain Member Server

A domain member, while similar to a stand-alone server, is logged into a domain controller (either Windows or Samba) and is subject to the domain's security rules. An example of a domain member server would be a departmental server running Samba that has a machine account on the Primary Domain Controller (PDC). All of the department's clients still authenticate with the PDC, and desktop profiles and all network policy files are included. The difference is that the departmental server has the ability to control printer and network shares.

19.6.2.1. Active Directory Domain Member Server

The following smb.conf file shows a sample configuration needed to implement an Active Directory domain member server. In this example, Samba authenticates users for services being run locally but is also a client of the Active Directory. Ensure that your kerberos realm parameter is shown in all caps (for example realm = EXAMPLE.COM). Since Windows 2000/2003 requires Kerberos for Active Directory authentication, the realm directive is required. If Active Directory and Kerberos are running on different servers, the password server directive may be required to help the distinction.

[global] 
realm = EXAMPLE.COM 
security = ADS 
encrypt passwords = yes 
# Optional. Use only if Samba cannot determine the Kerberos server automatically. 
password server = kerberos.example.com

In order to join a member server to an Active Directory domain, the following steps must be completed:

  • Configuration of the smb.conf file on the member server

  • Configuration of Kerberos, including the /etc/krb5.conf file, on the member server

  • Creation of the machine account on the Active Directory domain server

  • Association of the member server to the Active Directory domain

To create the machine account and join the Windows 2000/2003 Active Directory, Kerberos must first be initialized for the member server wishing to join the Active Directory domain. To create an administrative Kerberos ticket, type the following command as root on the member server:

kinit [email protected]

The kinit command is a Kerberos initialization script that references the Active Directory administrator account and Kerberos realm. Since Active Directory requires Kerberos tickets, kinit obtains and caches a Kerberos ticket-granting ticket for client/server authentication. For more information on Kerberos, the /etc/krb5.conf file, and the kinit command, refer to Section 42.6, “Kerberos”.

To join an Active Directory server (windows1.example.com), type the following command as root on the member server:

net ads join -S windows1.example.com -U administrator%password

Since the machine windows1 was automatically found in the corresponding Kerberos realm (the kinit command succeeded), the net command connects to the Active Directory server using its required administrator account and password. This creates the appropriate machine account on the Active Directory and grants permissions to the Samba domain member server to join the domain.

Note

Since security = ads and not security = user is used, a local password backend such as smbpasswd is not needed. Older clients that do not support security = ads are authenticated as if security = domain had been set. This change does not affect functionality and allows local users not previously in the domain.

19.6.2.2. Windows NT4-based Domain Member Server

The following smb.conf file shows a sample configuration needed to implement a Windows NT4-based domain member server. Becoming a member server of an NT4-based domain is similar to connecting to an Active Directory. The main difference is NT4-based domains do not use Kerberos in their authentication method, making the smb.conf file simpler. In this instance, the Samba member server functions as a pass through to the NT4-based domain server.

[global] 
workgroup = DOCS 
netbios name = DOCS_SRV 
security = domain  
[homes] 
comment = Home Directories 
valid users = %S 
read only = No 
browseable = No  
[public] 
comment = Data 
path = /export 
force user = docsbot 
force group = users 
guest ok = Yes

Having Samba as a domain member server can be useful in many situations. There are times where the Samba server can have other uses besides file and printer sharing. It may be beneficial to make Samba a domain member server in instances where Linux-only applications are required for use in the domain environment. Administrators appreciate keeping track of all machines in the domain, even if not Windows-based. In the event the Windows-based server hardware is deprecated, it is quite easy to modify the smb.conf file to convert the server to a Samba-based PDC. If Windows NT-based servers are upgraded to Windows 2000/2003, the smb.conf file is easily modifiable to incorporate the infrastructure change to Active Directory if needed.

Important

After configuring the smb.conf file, join the domain before starting Samba by typing the following command as root:

net rpc join -U administrator%password

Note that the -S option, which specifies the domain server hostname, does not need to be stated in the net rpc join command. Samba uses the hostname specified by the workgroup directive in the smb.conf file instead of it being stated explicitly.

19.6.3. Domain Controller

A domain controller in Windows NT is functionally similar to a Network Information Service (NIS) server in a Linux environment. Domain controllers and NIS servers both host user/group information databases as well as related services. Domain controllers are mainly used for security, including the authentication of users accessing domain resources. The service that maintains the user/group database integrity is called the Security Account Manager (SAM). The SAM database is stored differently between Windows and Linux Samba-based systems, therefore SAM replication cannot be achieved and platforms cannot be mixed in a PDC/BDC environment.

In a Samba environment, there can be only one PDC and zero or more BDCs.

Important

Samba cannot exist in a mixed Samba/Windows domain controller environment (Samba cannot be a BDC of a Windows PDC or vice versa). Alternatively, Samba PDCs and BDCs can coexist.

19.6.3.1. Primary Domain Controller (PDC) using tdbsam

The simplest and most common implementation of a Samba PDC uses the tdbsam password database backend. Planned to replace the aging smbpasswd backend, tdbsam has numerous improvements that are explained in more detail in Section 19.8, “Samba Account Information Databases”. The passdb backend directive controls which backend is to be used for the PDC.

[global] 
workgroup = DOCS 
netbios name = DOCS_SRV  
passdb backend = tdbsam 
security = user 
add user script = /usr/sbin/useradd -m %u 
delete user script = /usr/sbin/userdel -r %u 
add group script = /usr/sbin/groupadd %g  
delete group script = /usr/sbin/groupdel %g  
add user to group script = /usr/sbin/usermod -G %g %u 
add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null  -g machines %u 
# The following specifies the default logon script  
# Per user logon scripts can be specified in the user 
# account using pdbedit logon script = logon.bat 
# This sets the default profile path. 
# Set per user paths with pdbedit 
logon drive = H: 
domain logons = Yes 
os level = 35 
preferred master = Yes 
domain master = Yes  
[homes] 
	comment = Home Directories 
	valid users = %S 
	read only = No  
[netlogon] 
	comment = Network Logon Service 
	path = /var/lib/samba/netlogon/scripts 
	browseable = No	 
	read only = No
# For profiles to work, create a user directory under the 
# path shown. 
mkdir -p /var/lib/samba/profiles/john 
[Profiles] 
	comment = Roaming Profile Share 
	path = /var/lib/samba/profiles 
	read only = No 
	browseable = No 
	guest ok = Yes 
	profile acls = Yes  
# Other resource shares ... ...

Note

If you need more than one domain controller or have more than 250 users, do not use a tdbsam authentication backend. LDAP is recommended in these cases.

19.6.3.2. Primary Domain Controller (PDC) with Active Directory

Although it is possible for Samba to be a member of an Active Directory, it is not possible for Samba to operate as an Active Directory domain controller.