Configuring SAMBA

You may configure the SAMBA server by editing the /etc/samba/smb.conf file to change the default settings or add new ones. Each setting is described in the comments of /etc/samba/smb.conf and in the smb.conf manual page, which you can read with the following command at a terminal prompt:

man smb.conf

[Tip]

Before editing the configuration file, make a copy of the original and mark the copy read-only, so you keep the original settings as a reference and can restore them when necessary.

Back up the /etc/samba/smb.conf file:

sudo cp /etc/samba/smb.conf /etc/samba/smb.conf.original

Now, edit the /etc/samba/smb.conf file and make your changes.

Server

In addition to the SAMBA suite of file and printer sharing servers, Ubuntu includes other server applications that provide Windows clients with network services similar to those of actual Windows servers. For example, Ubuntu offers centralized management of network resources such as computers and users via Directory Services, and identification and authorization of computers and users via Authentication Services.

The following sections discuss SAMBA and its supporting technologies, such as the Lightweight Directory Access Protocol (LDAP) server and the Kerberos authentication server, in more detail. You will also learn about some of the configuration directives available in the SAMBA configuration file which facilitate integration with Windows clients and servers.

Active Directory

Active Directory is Microsoft's proprietary implementation of Directory Services, and provides a means to share information about network resources and users. In addition to providing a centralized source of such information, Active Directory also acts as the centralized authentication authority for the network. Active Directory combines capabilities traditionally found in separate, specialized directory systems to simplify integration, management, and security of network resources. The SAMBA package may be configured to join an Active Directory domain as a member server and authenticate users against the Windows Domain Controller.

LDAP

The LDAP server application provides Directory Services functionality to Windows computers in a manner very similar to Microsoft Active Directory services. Such services include managing the identities and relationships of computers, users, and groups of computers or users that participate in the network, and providing a consistent means to describe, locate, and manage these resources. The freely available implementation of LDAP for your Ubuntu system is OpenLDAP. Its server daemon, slapd, answers directory requests; the release this guide describes also shipped slurpd to propagate directory data from one LDAP server to another, but slurpd was removed in OpenLDAP 2.4 and replication is now handled by slapd itself using syncrepl. OpenLDAP may be used in conjunction with SAMBA to provide File, Print, and Directory services in much the same way a Windows Domain Controller does, so long as SAMBA is compiled with LDAP support.

Kerberos

The Kerberos authentication system is a standardized service that authenticates computers and users by means of a centralized server (the Key Distribution Center) which issues encrypted tickets; any other Kerberos-aware computer accepts those tickets as proof of identity. Benefits of Kerberos authentication include mutual authentication, delegated authentication, interoperability, and simplified trust management. The primary server daemons on Ubuntu are krb5kdc, which issues tickets, and kadmind, which serves the Kerberos database administration protocol (kadmin is the administrative client that talks to it). SAMBA may use Kerberos to authenticate computers and users against a Windows Domain Controller. To do so, the Ubuntu system must have Kerberos installed, and /etc/samba/smb.conf must be modified to select the proper realm and security mode. The realm is the Kerberos realm of the domain, conventionally the domain's DNS name in upper case, and the workgroup setting must also name the domain's short (NetBIOS) name. For example, edit the /etc/samba/smb.conf file and add the values:

realm = DOMAIN_NAME

security = ADS

to the [global] section of the file, and save it.

[Tip]

Be sure to replace the token DOMAIN_NAME in the example above with the Kerberos realm of your Windows domain, which is normally its DNS name in upper case. SAMBA and the KDC treat realm names as case-sensitive, so a lower-case realm is a common reason a domain join fails.

You will need to restart the SAMBA daemons for these changes to take effect. Joining the domain afterwards (with net ads join) also requires the system clock to be within a few minutes of the domain controller's, because Kerberos rejects tickets presented with a large clock skew. Restart the SAMBA daemons with the following command entered at a terminal prompt:

sudo /etc/init.d/samba restart
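The full procedure this section describes, as an added example that is not part of the original guide: a shell script that generates a [global] section for an Active Directory member (realm in upper case, workgroup set, ADS security mode, plus the keytab and idmap settings a member needs on current Samba releases), checks the result for the mistakes that most often break a join, and wraps the join commands. The domain example.corp, the workgroup EXAMPLE, the host name fileserver01 and the idmap ranges are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the Ubuntu guide): build and sanity-check the [global]
# section for a SAMBA domain member that authenticates against an Active
# Directory realm, then join. example.corp, EXAMPLE, fileserver01 and the idmap
# ranges are placeholders chosen for this example.

# ad_global_section DNS_DOMAIN WORKGROUP NETBIOS_NAME
# The Kerberos realm is the AD DNS domain in upper case (realm names are
# case-sensitive); workgroup is the short NetBIOS domain name and must be set
# alongside realm or "net ads join" fails.
ad_global_section() {
    dns_domain=$1; workgroup=$2; netbios_name=$3
    realm=$(printf '%s' "$dns_domain" | tr '[:lower:]' '[:upper:]')
    cat <<EOF
[global]
   workgroup = $workgroup
   realm = $realm
   security = ADS
   netbios name = $netbios_name
   # validate service tickets with the machine keytab, not only secrets.tdb
   kerberos method = secrets and keytab
   # map AD SIDs to Unix IDs; "rid" yields the same mapping on every member
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config $workgroup : backend = rid
   idmap config $workgroup : range = 10000-999999
   log file = /var/log/samba/log.%m
   log level = 1
EOF
}

# check_ad_config FILE: the configuration mistakes that most often break a join.
check_ad_config() {
    f=$1
    grep -q '^[[:space:]]*security[[:space:]]*=[[:space:]]*[Aa][Dd][Ss][[:space:]]*$' "$f" \
        || { echo "security = ADS is missing" >&2; return 1; }
    r=$(sed -n 's/^[[:space:]]*realm[[:space:]]*=[[:space:]]*//p' "$f")
    [ -n "$r" ] || { echo "realm is missing" >&2; return 1; }
    [ "$r" = "$(printf '%s' "$r" | tr '[:lower:]' '[:upper:]')" ] \
        || { echo "realm must be upper case: $r" >&2; return 1; }
    grep -q '^[[:space:]]*workgroup[[:space:]]*=' "$f" \
        || { echo "workgroup is missing" >&2; return 1; }
}

# join_domain ADMIN_USER: run as root after merging the section into
# /etc/samba/smb.conf. net prompts for ADMIN_USER's password and creates the
# computer account in AD; testjoin confirms the member can authenticate.
join_domain() {
    testparm -s /etc/samba/smb.conf >/dev/null || return 1   # parse errors first
    net ads join -U "$1" || return 1
    net ads testjoin
    # afterwards restart the daemons: "sudo /etc/init.d/samba restart" on the
    # release this guide targets, "sudo systemctl restart smbd nmbd winbind"
    # on systemd-based releases
}

# Usage: ./ad-member.sh example.corp EXAMPLE fileserver01 > global.conf
if [ $# -eq 3 ]; then
    ad_global_section "$1" "$2" "$3"
fi
```

Run check_ad_config against the merged file before calling join_domain; testparm catches syntax errors, but it accepts a lower-case realm, which is exactly the mistake the check is there to catch.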

Computer Accounts

Computer Accounts are used in Directory Services to uniquely identify computer systems participating in a network, and are treated much like user accounts for security purposes: they have passwords, and access to network resources can be authorized for them just as for users. For example, a user with a valid account who attempts to authenticate to a network resource from a computer without a valid computer account may, depending on the policies enforced on the network, be denied access because the computer is considered unauthorized.

A computer account may be added to the SAMBA password file, provided a matching account exists in the local password database first. That local account is named after the computer with a trailing dollar sign (COMPUTER_NAME$), which is the convention for machine accounts; the smbpasswd -m option appends the dollar sign itself, so the computer name is given without it. Add the machine account with the smbpasswd command from a terminal prompt as follows:

sudo smbpasswd -a -m COMPUTER_NAME

[Tip]

Be sure to replace the token COMPUTER_NAME in the example above with the actual name of the specific computer you wish to add a machine account for.

File Permissions

File Permissions in this section are the per-share access lists SAMBA applies on top of the Unix permissions of the exported directory: a user must pass both checks before an operation succeeds. They are defined by editing /etc/samba/smb.conf and adding access-list directives to a share definition. Users named in read list are limited to read access even if the share is writable, and users named in write list are granted write access even if the share is read only. For example, if you have defined a SAMBA share called sourcedocs and wish to give read-only permissions to the group of users known as planning, but want to allow writing to the share by the group called authors and the user named richard, then you could edit /etc/samba/smb.conf and add the following entries under the [sourcedocs] entry:

read list = @planning

write list = @authors, richard

Save /etc/samba/smb.conf; smbd re-reads the file automatically (about once a minute, or immediately on SIGHUP) and applies share-level changes to new connections. Some [global] settings, such as the security mode, only take effect after a restart.

Another possible permission is to grant administrative permissions on a particular shared resource. Users listed in admin users may read, write, or modify anything in that share, because SAMBA performs all of their file operations as root, ignoring the Unix permissions entirely. The smb.conf manual page says to use this option very carefully: a compromised account on that list has root-level access to everything under the exported path. For example, if you wanted to give the user melissa administrative permissions on the example sourcedocs share, you would edit /etc/samba/smb.conf and add the following line under the [sourcedocs] entry:

admin users = melissa

Save /etc/samba/smb.conf for the change to take effect. Because of the root-level access it grants, restrict admin users to the few shares that genuinely need it and review the list regularly.

Clients

Ubuntu includes client applications for accessing network resources shared with the SMB protocol. For example, the smbclient utility accesses remote shared file systems in a manner similar to a File Transfer Protocol (FTP) client. To access a shared folder named documents offered by a remote Windows computer named bill, one would enter a command similar to the following at the prompt:

smbclient //bill/documents -U <username>

You will then be prompted for the password for the user name specified after the -U switch, and upon successful authentication, will be presented with a prompt where commands may be entered for manipulating and transferring files in a syntax similar to that used by non-graphical FTP clients. For more information on the smbclient utility, read the utility's manual page with the command:

man smbclient

Local mounting of remote network resources over SMB is also possible. The release this guide describes used the smbfs program; smbfs has since been removed from the Linux kernel, and current releases mount SMB shares with the cifs filesystem from the cifs-utils package (mount -t cifs), which takes the same //server/share and username= arguments shown below.

To mount a shared folder named project-code on a Windows server named development as the user dlightman to your Ubuntu system's /mnt/pcode mount-point (the mountpoint you choose should be an empty folder), you would issue this command at the prompt:

sudo mount -t smbfs -o username=dlightman //development/project-code /mnt/pcode

You will then be prompted for the user's password. Prompting is preferable to passing password= among the -o options, where the password would be visible in process listings and shell history. After successful authentication, the contents of the share will be available locally via the mount-point given as the last argument to the mount command. To disconnect the shared resource, use the umount command as you would with any other mounted file system. For example:

sudo umount /mnt/pcode
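A version of the mount above for current systems, as an added example that is not from the guide: it writes the credentials to a root-only file and mounts with mount.cifs, which replaced smbfs. The server development, share project-code, user dlightman and mount-point /mnt/pcode are the page's own placeholders; the credentials-file path, the password and the choice of SMB 3.0 are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the Ubuntu guide): mount an SMB share on a current
# Linux system with mount.cifs (package cifs-utils), keeping the password in a
# root-only credentials file instead of on the command line. The credentials
# path /root/.smbcred-development and the password are placeholders.

# write_cifs_credentials FILE USER PASSWORD [DOMAIN]
# The file is created with mode 0600 before any secret is written to it, so no
# other local user can read it; mount.cifs reads it through "credentials=FILE".
write_cifs_credentials() {
    f=$1; user=$2; pass=$3; dom=${4:-}
    (umask 077; : > "$f") || return 1   # create (or truncate) with 0600
    chmod 600 "$f" || return 1           # also tighten a pre-existing file
    {
        printf 'username=%s\n' "$user"
        printf 'password=%s\n' "$pass"
        if [ -n "$dom" ]; then printf 'domain=%s\n' "$dom"; fi
    } > "$f"
    [ "$(ls -l "$f" | cut -c1-10)" = '-rw-------' ]
}

# mount_share SERVER SHARE MOUNTPOINT CREDFILE (run as root)
# Equivalent of the smbfs mount above. vers=3.0 pins the SMB 3.0 dialect so the
# client never falls back to the obsolete SMB1; uid/gid make the mounted files
# appear owned by the user who invoked sudo rather than by root.
mount_share() {
    srv=$1; share=$2; mnt=$3; cred=$4
    [ -d "$mnt" ] || mkdir -p "$mnt" || return 1
    mount -t cifs "//$srv/$share" "$mnt" \
        -o "credentials=$cred,vers=3.0,uid=${SUDO_UID:-$(id -u)},gid=${SUDO_GID:-$(id -g)}"
}

# Usage (as root):
#   write_cifs_credentials /root/.smbcred-development dlightman 'S3cret!' DEVELOPMENT
#   mount_share development project-code /mnt/pcode /root/.smbcred-development
#   umount /mnt/pcode
```

The same credentials= option works in /etc/fstab, which is the usual reason to keep the password in a file at all; the file must stay owned by root with mode 0600, and the mount then runs without any prompt.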

User Accounts

User Accounts define persons with some level of authorization to use certain computer and network resources. Typically, in a network environment, each person allowed to access a computer or network is given a user account, and policies and permissions then define what rights that account has. To define SAMBA network users for your Ubuntu system, you may use the smbpasswd command. With the default password backend, the SAMBA account must correspond to an existing Unix user of the same name, so create the Unix account first (with a disabled login shell if it only needs file access). For example, to add a SAMBA user with the user name jseinfeld, you would enter this command at the prompt:

sudo smbpasswd -a jseinfeld

The smbpasswd application will then prompt you to enter a password for the user:

New SMB password:

Enter the password you wish to set for the user, and the smbpasswd application will ask you to confirm the password:

Retype new SMB password:

Confirm the password, and smbpasswd will add the entry for the user to the SAMBA password file.
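The machine-account step in Computer Accounts above and the user-account step here come down to the same pair of commands, so one added example covers both (it is not code from the guide): a script that handles the Unix-account prerequisite, checks the NetBIOS naming rules before anything touches the password database, and sets the SMB password non-interactively from a protected file. The names ws01 and jseinfeld, the machines group, the nologin shell path and the password-file location are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the Ubuntu guide): provision SAMBA user and machine
# accounts from a script. It assumes the default passdb backend, where every
# SAMBA account maps to an existing Unix account; jseinfeld, ws01, the
# "machines" group and /usr/sbin/nologin are placeholders for this example.

# valid_netbios_name NAME: a NetBIOS computer name is at most 15 characters.
# Policy choice here: letters, digits and hyphen only, which also rejects "$"
# (reserved for the machine-account suffix) and the characters Windows forbids.
valid_netbios_name() {
    n=$1
    [ -n "$n" ] || return 1
    [ ${#n} -le 15 ] || return 1
    if printf '%s' "$n" | grep -q '[^A-Za-z0-9-]'; then return 1; fi
    return 0
}

# machine_unix_name HOST: a machine account is backed by a Unix account named
# HOST$ (smbpasswd -m appends the "$" itself; the Unix account must carry it).
machine_unix_name() {
    printf '%s$\n' "$1"
}

# add_samba_user USER PASSWORD_FILE (run as root)
# Creates the Unix account if needed, with no login shell because it exists only
# to own files and carry the SMB identity, then sets the SMB password without
# prompting: smbpasswd -s reads the new password twice from stdin. Keeping the
# password in a 0600 file rather than in an argument keeps it out of ps output
# and shell history.
add_samba_user() {
    u=$1; pwfile=$2
    id "$u" >/dev/null 2>&1 || useradd -m -s /usr/sbin/nologin "$u" || return 1
    { cat "$pwfile"; cat "$pwfile"; } | smbpasswd -a -s "$u"
}

# add_machine_account HOST (run as root)
# Creates the HOST$ Unix account in a dedicated group, with no home directory
# and no shell, then adds the SMB machine account for it.
add_machine_account() {
    h=$1
    valid_netbios_name "$h" || { echo "invalid NetBIOS name: $h" >&2; return 1; }
    acct=$(machine_unix_name "$h")
    getent group machines >/dev/null || groupadd machines || return 1
    id "$acct" >/dev/null 2>&1 || \
        useradd -g machines -d /nonexistent -s /usr/sbin/nologin "$acct" || return 1
    smbpasswd -a -m "$h"
}

# Usage (as root):
#   printf '%s\n' 'correct horse battery' > /root/pw && chmod 600 /root/pw
#   add_samba_user jseinfeld /root/pw && shred -u /root/pw
#   add_machine_account ws01
```

Run with a password file as shown in the usage lines and delete the file afterwards; the validation functions run without privileges, the two add_ functions need root and the samba package installed.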

Groups

Groups define a collection of computers or users which have a common level of access to particular network resources, and offer a level of granularity in controlling access to such resources. For example, if a group qa is defined and contains the users freda, danika, and rob, and a second group support is defined and consists of users danika, jeremy, and vincent, then network resources configured to allow access by the qa group will be accessible to freda, danika, and rob, but not to jeremy or vincent. Since the user danika belongs to both the qa and support groups, she can access resources configured for either group, whereas every other user can access only the resources that explicitly allow the group they belong to.

When naming groups in the SAMBA configuration file, /etc/samba/smb.conf, prefix the group name with an "@" symbol. For example, to refer to a group named sysadmin in a section of /etc/samba/smb.conf, write @sysadmin. The "@" prefix tells SAMBA to look the name up as an NIS netgroup first (when NIS is in use) and then as a Unix group; the prefixes "+" and "&" restrict the lookup to Unix groups and NIS netgroups respectively.

Group Policy

Group Policy here means the SAMBA configuration settings in the [global] section that pertain to the Domain or Workgroup the server belongs to, and other server-wide settings; it is unrelated to Windows Group Policy Objects. For example, if the SAMBA server belongs to a Workgroup of Windows computers called LEVELONE, then /etc/samba/smb.conf could be edited and the following value changed accordingly:

workgroup = LEVELONE

Save the file and restart the SAMBA daemons to effect the change.

Other important global settings include netbios name, which defines the NetBIOS name your Ubuntu system reports to other machines on the Windows network (it defaults to the first component of the host name), and server string, the descriptive text shown next to that name in browse lists. The NetBIOS name is what Windows clients and other computers browsing the network with the SMB protocol recognize your Ubuntu system as. Additionally, you may specify the name and location of the SAMBA server's log file with the log file directive in /etc/samba/smb.conf.

Some global directives set defaults for all shared resources. A directive placed under the [global] heading of /etc/samba/smb.conf applies to every share unless an overriding directive is placed under that share's own heading. You specify that all shares are listed in the browse lists of network clients by placing a browseable directive, which takes a Boolean argument, under the [global] heading. That is, if you edit the file and add the line:

browseable = true

under the [global] section of /etc/samba/smb.conf, then all shares provided by your Ubuntu system via SAMBA will appear in browse lists, unless a specific share contains a browseable = false directive, which overrides the global one. Note that browseable only controls listing: a share with browseable = false is hidden from browsing but can still be connected to by name, so it is not an access control.

Other directives that work in the same manner are public and writeable. public is a synonym for guest ok: when set to yes, clients may connect to the share without a password, acting as the configured guest account. writeable (the inverse of read only) defines whether clients may write to the share at all; combined with public = yes it allows anonymous writes, which is rarely what you want.
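An audit script for the share-level access lists described under File Permissions and the global defaults described here, added as an example (it is not code from the guide). It parses smb.conf for the directives in question, resolves their synonyms, applies [global] defaults to each share, and reports every admin users entry and every share that is both guest-accessible and writable. The sample smb.conf it ships with is constructed for the example; its share names, paths and users are placeholders.

```shell
#!/bin/sh
# Added example (not from the Ubuntu guide): audit an smb.conf for the
# permission directives discussed on this page. Synonyms are folded together
# (public = guest ok, writable = writeable, read only = the inverse, browsable =
# browseable), [global] values are applied as defaults to every share, and two
# findings are reported: "admin users" (root-equivalent inside the share) and
# guest access on a share that is writable. The sample file is constructed.

# audit_smb_conf FILE: prints one finding per line, nothing if clean.
audit_smb_conf() {
    awk '
    function isyes(v) { v = tolower(v); return (v == "yes" || v == "true" || v == "1") }
    # effective value of key k for share s: its own setting, else the [global] one
    function eff(s, k) { return ((s, k) in v) ? v[s, k] : v["global", k] }
    /^[ \t]*[;#]/ || /^[ \t]*$/ { next }
    /^[ \t]*\[/ {
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*/, "", sec); sec = tolower(sec)
        if (sec != "global") shares[++n] = sec
        next
    }
    index($0, "=") {
        key = $0; sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key); key = tolower(key)
        val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
        if (key == "public")    key = "guest ok"
        if (key == "writable")  key = "writeable"
        if (key == "browsable") key = "browseable"
        if (key == "read only") { key = "writeable"; val = isyes(val) ? "no" : "yes" }
        v[sec, key] = val
    }
    END {
        if (isyes(v["global", "writeable"]))
            print "global: writeable = yes makes every share writable unless it sets read only"
        if (isyes(v["global", "guest ok"]))
            print "global: guest ok = yes opens every share without a password unless overridden"
        for (i = 1; i <= n; i++) {
            s = shares[i]
            if ((s, "admin users") in v)
                printf "%s: admin users = %s (every file operation in this share runs as root)\n", s, v[s, "admin users"]
            guest = isyes(eff(s, "guest ok"))
            writable = isyes(eff(s, "writeable")) || ((s, "write list") in v)
            if (guest && writable)
                printf "%s: guest access combined with write permission\n", s
        }
    }' "$1"
}

# make_sample_conf FILE: a constructed smb.conf exercising the directives above.
make_sample_conf() {
    cat > "$1" <<'EOF'
[global]
   workgroup = LEVELONE
   netbios name = FILESRV
   server string = Ubuntu file server
   browseable = true
   log file = /var/log/samba/log.%m

[sourcedocs]
   path = /srv/samba/sourcedocs
   read list = @planning
   write list = @authors, richard
   admin users = melissa

[dropbox]
   path = /srv/samba/dropbox
   ; hidden from browse lists, but anyone who knows the name can write anonymously
   public = yes
   writeable = yes
   browseable = false

[docs]
   path = /srv/samba/docs
   guest ok = yes
   read only = yes
EOF
}

# Usage: audit_smb_conf /etc/samba/smb.conf
if [ $# -eq 1 ]; then
    audit_smb_conf "$1"
fi
```

On the sample file the script reports sourcedocs for its admin users line and dropbox for anonymous write access, and stays silent about docs, whose guest access is read-only. The dropbox case is the point of the browseable caveat above: hiding the share from browse lists does nothing to stop anonymous writes.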