RHCE Section 7 - SMB

 

Provide network shares to specific clients

 

## Setup and configure the SAMBA server (rhel7server1)

[root@rhel7server1 ~]# yum install -y samba samba-client cifs-utils


## check the current SELinux booleans for Samba

[root@rhel7server1 ~]# getsebool -a | egrep 'samba_export|samba_share_nfs'
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_share_nfs --> off


## enable and then verify

[root@rhel7server1 ~]# setsebool -P samba_export_all_ro=1

[root@rhel7server1 ~]# setsebool -P samba_export_all_rw=1

[root@rhel7server1 ~]# setsebool -P samba_share_nfs=1


## NOTE - info on the above booleans from RH website


samba_export_all_ro
    Export any file or directory, allowing read-only permissions. This allows files and directories that are not labeled with the samba_share_t type to be shared through Samba. When the samba_export_all_ro Boolean is enabled, but the samba_export_all_rw Boolean is disabled, write access to Samba shares is denied, even if write access is configured in /etc/samba/smb.conf, as well as Linux permissions allowing write access.

samba_export_all_rw
    Export any file or directory, allowing read and write permissions. This allows files and directories that are not labeled with the samba_share_t type to be exported through Samba. Permissions in /etc/samba/smb.conf and Linux permissions must be configured to allow write access.

samba_share_nfs
    Disabling this Boolean prevents smbd from having full access to NFS shares through Samba. Enabling this Boolean will allow Samba to share NFS volumes

## NOTE - these booleans are not needed when the share directory is labeled samba_share_t, as done below; leaving them off
## keeps smbd confined to directories labeled for export. samba_export_all_rw in particular lets smbd read and write any path
## the UNIX permissions allow, so enable it only when a share must export unlabeled content. The remaining steps work either way.


 



[root@rhel7server1 ~]# getsebool -a | egrep 'samba_export|samba_share_nfs'
samba_export_all_ro --> on
samba_export_all_rw --> on
samba_share_nfs --> on


## create the dir and set permission
## (1777: world-writable with the sticky bit, matching the drwxrwxrwt shown below; the sticky bit stops users deleting each
##  other's files. valid users in smb.conf limits who reaches the share over SMB, but any local account can write here, so the
##  group-owned 0770 layout used for the collaboration share later is the tighter choice)

[root@rhel7server1 samba]# mkdir /sambashare

[root@rhel7server1 samba]# chmod 1777 /sambashare


## set SELinux file context and verify that it was set

[root@rhel7server1 samba]# semanage fcontext -at samba_share_t "/sambashare(/.*)?"

[root@rhel7server1 samba]# restorecon -R /sambashare

[root@rhel7server1 samba]# ls -ldZ /sambashare
drwxrwxrwt. root root unconfined_u:object_r:samba_share_t:s0 /sambashare


## check firewalld is running, enable samba service and reload


[root@rhel7server1 ~]# firewall-cmd --state
running

[root@rhel7server1 ~]# firewall-cmd --permanent --add-service=samba
success

[root@rhel7server1 ~]# firewall-cmd --reload
success

## edit smb.conf

[root@rhel7server1 ~]# cd /etc/samba

[root@rhel7server1 samba]# vi smb.conf

## edit as follows

[root@rhel7server1 samba]# cat smb.conf
[global]
    workgroup      = MYEXAMPLE
    server string  = 192.168.0.10
    hosts allow    = 127. 192.168.0.20 192.168.0.10
    interfaces     = lo enp0s9 192.168.0.
    passdb backend = smbpasswd
    security       = user
    log file       = /var/log/samba/%m.log
    max log size   = 5000

[sambashare]
    comment        = /sambashare
    browsable      = yes
    path           = /sambashare
    public         = yes
    valid users    = user1
    write list     = user1
    writeable      = yes

## NOTE - public = yes (a synonym of guest ok) is unnecessary here and works against a share meant for one user. It only does
## no harm because map to guest defaults to Never, so anonymous logons are rejected, and valid users = user1 excludes the guest
## account; set public = no on shares for specific users, as the [smbgroup] share further down does.

## test and validate the configuration

[root@rhel7server1 samba]# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[sambashare]"
Loaded services file OK.
Server role: ROLE_STANDALONE


## add smb password for the desired user
## the smb user must also exist in the server OS
## else smbpasswd -a will fail


[root@rhel7server1 samba]# useradd user1

[root@rhel7server1 samba]# smbpasswd -a user1
New SMB password: ********
Retype new SMB password: ********
Added user user1.

## use pdbedit command - to manage the database of SAMBA users

[root@rhel7server1 samba]# pdbedit -Lv
---------------
Unix username:        user1
NT username:         
Account Flags:        [U          ]
User SID:             S-1-5-21-1456509478-2421905664-3880077485-3006
Primary Group SID:    S-1-5-21-1456509478-2421905664-3880077485-513
Full Name:           
Home Directory:       \\rhel7server1\user1
HomeDir Drive:       
Logon Script:        
Profile Path:         \\rhel7server1\user1\profile
Domain:               RHEL7SERVER1
Account desc:        
Workstations:        
Munged dial:         
Logon time:           0
Logoff time:          never
Kickoff time:         never
Password last set:    Sat, 28 Mar 2020 23:56:52 EDT
Password can change:  Sat, 28 Mar 2020 23:56:52 EDT
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

## enable SMB service autostart and start it

[root@rhel7server1 samba]# systemctl enable smb
Created symlink from /etc/systemd/system/multi-user.target.wants/smb.service to /usr/lib/systemd/system/smb.service.

[root@rhel7server1 samba]# systemctl start smb


## test the share locally in the server itself

[root@rhel7server1 samba]# smbclient -L //localhost -U user1
Enter MYEXAMPLE\user1's password: ********
Domain=[RHEL7SERVER1] OS=[Windows 6.1] Server=[Samba 4.6.2]

    Sharename       Type      Comment
    ---------       ----      -------
    sambashare      Disk      /sambashare
    IPC$            IPC       IPC Service (192.168.0.10)
Domain=[RHEL7SERVER1] OS=[Windows 6.1] Server=[Samba 4.6.2]

    Server               Comment
    ---------            -------

    Workgroup            Master
    ---------            -------


## test mount locally in the server
## as root, create the mountpoint and mount the share 


[root@rhel7server1 samba]# mkdir /mnt/sharedrive

[root@rhel7server1 ~]# mount //rhel7server1/sambashare /mnt/sharedrive -t cifs -o username=user1,uid=1001,gid=1001
Password for user1@//rhel7server1/sambashare:  ********

[user1@rhel7server1 ~]$ df | grep share
//rhel7server1/sambashare  47265232   8854028  38411204  19% /mnt/sharedrive

## test writing a file as user1


[root@rhel7server1 ~]# su - user1

[user1@rhel7server1 ~]$ touch /mnt/sharedrive/user1-file.txt

[user1@rhel7server1 ~]$ ls -ld /mnt/sharedrive/user1-file.txt
-rw-r--r--. 1 user1 user1 0 Mar 29 00:23 /mnt/sharedrive/user1-file.txt


## Setup and configure the SAMBA Client (rhel7client1)

[root@rhel7client1 ~]# yum install -y samba samba-client cifs-utils

[root@rhel7client1 ~]# mkdir /mnt/sharedrive


## create the user and take note of its uid and gid: they are passed as uid=/gid= on the mount so that files appear owned
## by user1 locally; the server still authorizes every operation as the SMB user that authenticated

[root@rhel7client1 ~]# useradd user1

[root@rhel7client1 ~]# passwd user1

[root@rhel7client1 ~]# id user1
uid=1001(user1) gid=1001(user1) groups=1001(user1)


## mount the share with username=user1 option


[root@rhel7client1 ~]# mount //rhel7server1/sambashare /mnt/sharedrive -t cifs -o username=user1,uid=1001,gid=1001
Password for user1@//rhel7server1/sambashare:  ********

## note: "Unable to find suitable address" from mount.cifs means the server name could not be resolved (check /etc/hosts
## or DNS); it is not a firewall symptom. A firewall that rejects the connection shows up as "mount error(113): No route
## to host" or a timeout; in that case confirm the client can reach TCP port 445 on the server and that
## firewall-cmd --list-services on the server includes samba


[root@rhel7client1 ~]# su - user1

[user1@rhel7client1 ~]$ touch  /mnt/sharedrive/user1-file-from-client.txt

[root@rhel7client1 gdm]# ls -lah /mnt/sharedrive
total 0
drwxr-xr-x. 2 user1 user1  0 Jun 28 12:45 .
drwxr-xr-x. 3 root  root  24 Jun 28 12:44 ..
-rwxr-xr-x. 1 user1 user1  0 Jun 28 12:45 user1-file-from-client.txt
-rwxr-xr-x. 1 user1 user1  0 Jun 28 12:40 user1-file.txt


## ADDITIONAL NOTES on mount.cifs i.e. mount -t cifs behavior
## - When the server grants no Unix extensions the client cannot see the real UNIX modes, so mount.cifs presents every
##   directory with dir_mode and every file with file_mode; both default to 0755, which is why /mnt/sharedrive above shows
##   drwxr-xr-x and the files show -rwxr-xr-x. Use dir_mode=/file_mode= (with uid=/gid=) to control what local processes
##   see; this is presentation only, the server still enforces its own permissions on every request.
## - Alternatively, vers=1.0 negotiates SMB1, the only dialect that carries the CIFS Unix extensions, so the client then
##   shows the share's real UNIX ownership and modes. SMB1 is the legacy dialect (no encryption, weak signing defaults,
##   disabled by default on current Windows and Samba releases), so use it only where a legacy server requires it and
##   prefer uid=/gid=/file_mode=/dir_mode= over SMB2/3 otherwise.



Provide network shares suitable for group collaboration

 


### Assuming the SAMBA server (rhel7server1) was already configured as described above

## create users and groups

[root@rhel7server1 services]# groupadd -g 8765 smbgrp

[root@rhel7server1 services]# useradd -g smbgrp -u 8005 user5

[root@rhel7server1 services]# useradd -g smbgrp -u 8006 user6


## create directory to share, set ownership, permission and selinux context

[root@rhel7server1 services]# mkdir /smbgroup

[root@rhel7server1 services]# chmod 0770 /smbgroup

[root@rhel7server1 services]# chgrp smbgrp /smbgroup

[root@rhel7server1 services]# semanage fcontext -at samba_share_t "/smbgroup(/.*)?"

[root@rhel7server1 services]# restorecon -R /smbgroup

[root@rhel7server1 services]# ls -ldZ /smbgroup
drwxrwx---. root smbgrp unconfined_u:object_r:samba_share_t:s0 /smbgroup

## confirm that firewall already opened for samba service

[root@rhel7server1 services]# firewall-cmd --list-services
ssh dhcpv6-client kerberos dns samba

## edit /etc/samba/smb.conf

[root@rhel7server1 services]# vi /etc/samba/smb.conf

/etc/samba/smb.conf (showing added lines only)

[smbgroup]
   comment              = /smbgroup
   browsable            = yes
   path                 = /smbgroup
   public               = no
   valid users          = @smbgrp
   write list           = @smbgrp
   writable             = yes
   force group          = +smbgrp
   # file permissions: the requested mode is ANDed with create mask, then ORed with force create mode
   force create mode    = 0770
   create mask          = 0770
   # directory permissions: same rule with directory mask / force directory mode
   force directory mode = 0770
   directory mask       = 0770

## validate the config

[root@rhel7server1 services]# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[sambashare]"
Processing section "[smbgroup]"
Loaded services file OK.
Server role: ROLE_STANDALONE

Press enter to see a dump of your service definitions
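testparm only checks that smb.conf parses. The script below is an added example, not part of these notes or of Samba, that reads the same file and flags the settings a reviewer would question in the two shares above: public/guest ok next to valid users (as in [sambashare]), writable shares with no valid users, guest-writable shares, admin users, and the legacy smbpasswd backend. The embedded smb.conf is constructed for the example; [dropbox] is an invented share included only to trigger the remaining checks.

```shell
#!/bin/sh
# Added example: audit smb.conf share definitions for risky settings.
# POSIX sh + awk only, no Samba tools needed. The config below is
# constructed for this example and mirrors the shares on this page,
# plus an invented [dropbox] share to exercise the other checks.

SAMPLE_CONF=$(cat <<'EOF'
[global]
    workgroup      = MYEXAMPLE
    security       = user
    passdb backend = smbpasswd

[sambashare]
    path           = /sambashare
    public         = yes
    valid users    = user1
    writeable      = yes

[smbgroup]
    path           = /smbgroup
    public         = no
    valid users    = @smbgrp
    writable       = yes
    force group    = +smbgrp

[dropbox]
    path           = /srv/dropbox
    guest ok       = yes
    writable       = yes
    admin users    = backup
EOF
)

# smb_audit: reads smb.conf on stdin, prints one "[share] finding" line
# per issue. Synonyms are folded (public/guest ok, writable/writeable/
# write ok, read only) so the check matches what smbd actually applies.
smb_audit() {
    awk '
    function norm(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return tolower(s) }
    function flush(    msg) {
        if (sec == "" || sec == "global") return
        if (guest == "yes") {
            msg = "[" sec "] public/guest ok = yes: no password needed"
            if (valid != "") msg = msg " (contradicts valid users = " valid ", which locks the guest account out anyway)"
            print msg
        }
        if (writable == "yes" && guest == "yes" && valid == "")
            print "[" sec "] guest-writable: anonymous clients can write"
        if (writable == "yes" && guest != "yes" && valid == "")
            print "[" sec "] writable with no valid users: every Samba account can write"
        if (admin != "")
            print "[" sec "] admin users = " admin ": these accounts act as root on the share"
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
    /^[ \t]*\[/ {
        flush()
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/].*$/, "", sec); sec = norm(sec)
        guest = ""; writable = ""; valid = ""; admin = ""
        next
    }
    index($0, "=") {
        k = norm(substr($0, 1, index($0, "=") - 1))
        v = norm(substr($0, index($0, "=") + 1))
        if (sec == "global" && k == "passdb backend" && v ~ /^smbpasswd/)
            print "[global] passdb backend = smbpasswd: legacy flat-file backend, tdbsam is the default"
        else if (k == "public" || k == "guest ok")                       guest = v
        else if (k == "writable" || k == "writeable" || k == "write ok") writable = v
        else if (k == "read only")                                       writable = (v == "yes") ? "no" : "yes"
        else if (k == "valid users")                                     valid = v
        else if (k == "admin users")                                     admin = v
    }
    END { flush() }
    '
}

# Findings for the constructed sample, and their count.
smb_audit_sample() { printf '%s\n' "$SAMPLE_CONF" | smb_audit; }
smb_audit_count()  { smb_audit_sample | wc -l | tr -d ' '; }

smb_audit_sample
```

On the server, feed it `testparm -s 2>/dev/null | smb_audit` rather than the raw /etc/samba/smb.conf, so includes and synonyms are resolved the way smbd sees them.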


## create samba password for the users

[root@rhel7server1 ~]# smbpasswd -a user5
New SMB password:
Retype new SMB password:
Added user user5.


[root@rhel7server1 ~]# smbpasswd -a user6
New SMB password:
Retype new SMB password:
Added user user6.



## check with pdbedit -Lv if necessary

## test locally in the server


[root@rhel7server1 services]# smbclient -L //localhost -U user5
Enter MYEXAMPLE\user5's password:
Domain=[RHEL7SERVER1] OS=[Windows 6.1] Server=[Samba 4.6.2]

    Sharename       Type      Comment
    ---------       ----      -------
    sambashare      Disk      /sambashare
    IPC$            IPC       IPC Service (192.168.0.10)
    smbgroup        Disk      /smbgroup
Domain=[RHEL7SERVER1] OS=[Windows 6.1] Server=[Samba 4.6.2]

    Server               Comment
    ---------            -------

    Workgroup            Master
    ---------            -------


### Assuming the SAMBA client (rhel7client1) was already configured as described above

## create users and group


[root@rhel7client1 ~]# useradd -u 8005 user5

[root@rhel7client1 ~]# useradd -u 8006 user6

[root@rhel7client1 ~]# groupadd -g 8765 smbgrp

[root@rhel7client1 ~]# usermod -G smbgrp user5

[root@rhel7client1 ~]# usermod -G smbgrp user6


## create mountpoint


[root@rhel7client1 ~]# mkdir /mnt/collaborate


## TEST METHOD 1

## mount and test as user5


[root@rhel7client1 ~]# mount //rhel7server1/smbgroup /mnt/collaborate -t cifs -o username=user5,vers=1.0
Password for user5@//rhel7server1/smbgroup:  ********

[root@rhel7client1 ~]# su - user5

[user5@rhel7client1 ~]$ echo "user5" > /mnt/collaborate/user5-file.txt

[user5@rhel7client1 ~]$ ls -ld /mnt/collaborate/user5-file.txt
-rw-rw----. 1 user5 smbgrp 6 Jun 18 00:24 /mnt/collaborate/user5-file.txt

[user5@rhel7client1 ~]$ exit
logout

[root@rhel7client1 ~]# umount /mnt/collaborate


## mount and test as user6

[root@rhel7client1 ~]# mount //rhel7server1/smbgroup /mnt/collaborate -t cifs -o username=user6,vers=1.0
Password for user6@//rhel7server1/smbgroup:  ********

[root@rhel7client1 ~]# su - user6

[user6@rhel7client1 ~]$ echo "user6" > /mnt/collaborate/user6-file.txt

[user6@rhel7client1 ~]$ ls -la /mnt/collaborate
total 8
drwxrwx---. 2 root  smbgrp  0 Jun 18 00:25 .
drwxr-xr-x. 6 root  root   74 Jun 18 00:23 ..
-rw-rw----. 1 user5 smbgrp  6 Jun 18 00:24 user5-file.txt
-rw-rw----. 1 user6 smbgrp  6 Jun 18 00:25 user6-file.txt

[user6@rhel7client1 ~]$ cat /mnt/collaborate/user5-file.txt
user5

[user6@rhel7client1 ~]$ cat /mnt/collaborate/user6-file.txt
user6


## ADDITIONAL NOTES on mount.cifs: see the notes after the rhel7client1 setup above (dir_mode=/file_mode= default to 0755
## when the server grants no Unix extensions; vers=1.0 negotiates SMB1 to get the Unix extensions and the real UNIX modes, at
## the cost of using the legacy dialect). Test method 1 above relies on vers=1.0, which is why ls shows the server-side
## owner, group and 0660/0770 modes instead of the 0755 presentation seen on /mnt/sharedrive.


## TEST METHOD 2
## mount once with the multiuser option, authenticating as any valid user; afterwards each user runs cifscreds to add their
## own credentials to the kernel session keyring before touching the mount, and the server sees each of them as themselves.
## Note: password= on the command line is visible in ps, /proc and the root shell history; use credentials=FILE (mode 0600) instead.


[root@rhel7client1 ~]# mount //rhel7server1/smbgroup /mnt/collaborate -t cifs -o username=user6,password=*******,multiuser,sec=ntlmssp


## connect as user5

[root@rhel7client1 ~]# su - user5
Last login: Wed Jul 28 10:55:17 +08 2021 on pts/1

[user5@rhel7client1 ~]$ cifscreds add rhel7server1
Password: ********

[user5@rhel7client1 ~]$ cd /mnt/collaborate

[user5@rhel7client1 collaborate]$ touch user5file.txt


## connect as user6

[root@rhel7client1 ~]# su - user6
Last login: Wed Jul 28 10:55:17 +08 2021 on pts/1

[user6@rhel7client1 ~]$ cifscreds add rhel7server1
Password: ********

[user6@rhel7client1 ~]$ cd /mnt/collaborate

[user6@rhel7client1 collaborate]$ touch user6file.txt
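The method 2 mount above puts password= on the command line, where every local user can read it through ps and /proc/<pid>/cmdline and where it lands in the root shell history. mount.cifs reads the same username=/password=/domain= values from a file named with the credentials= option. The functions below are an added example, not from these notes or from cifs-utils: they create that file with mode 0600, check it before use, and build the option string for the multiuser mount. The file paths, the account user6 and the password value are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the page or cifs-utils): keep the SMB password out of
# the mount command line. mount.cifs reads username=/password=/domain= from the
# file given with credentials=, so the secret is not exposed via ps,
# /proc/*/cmdline or shell history. Paths and account values are constructed.

# make_cifs_credentials FILE USER PASSWORD [DOMAIN]
# Recreates FILE with mode 0600; the umask is tightened before the file is
# created so it is never readable by others, not even briefly.
make_cifs_credentials() {
    file=$1; user=$2; pass=$3; domain=${4:-}
    old_umask=$(umask)
    umask 077
    rm -f "$file"
    {
        printf 'username=%s\n' "$user"
        printf 'password=%s\n' "$pass"
        if [ -n "$domain" ]; then printf 'domain=%s\n' "$domain"; fi
    } > "$file"
    umask "$old_umask"
    chmod 600 "$file"
}

# cifs_mount_opts FILE -> the -o string for the multiuser mount of test method 2
cifs_mount_opts() {
    printf 'credentials=%s,multiuser,sec=ntlmssp\n' "$1"
}

# check_cifs_credentials FILE: 0 if FILE is a regular file with mode exactly
# 0600 and non-empty username= and password= lines; 1-4 says which check failed.
check_cifs_credentials() {
    f=$1
    [ -f "$f" ] || return 1
    [ -n "$(find "$f" -perm 600 -print)" ] || return 2
    grep -q '^username=.' "$f" || return 3
    grep -q '^password=.' "$f" || return 4
}

# End-to-end demo in a temporary directory (cleans up after itself).
demo() {
    d=$(mktemp -d)
    make_cifs_credentials "$d/smbcreds-user6" user6 'S3cret-example' MYEXAMPLE
    check_cifs_credentials "$d/smbcreds-user6" && echo "credentials file OK"
    echo "mount //rhel7server1/smbgroup /mnt/collaborate -t cifs -o $(cifs_mount_opts "$d/smbcreds-user6")"
    rm -rf "$d"
}
demo
```

Pass the result as `-o $(cifs_mount_opts /root/.smbcreds-user6)` in place of `username=user6,password=...,multiuser,sec=ntlmssp`; the same file serves an /etc/fstab entry as `credentials=/root/.smbcreds-user6`.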










Frequently used parameters in smb.conf

Parameter, scope, default and example (from smb.conf(5))

admin users

This is a list of users who will be granted administrative privileges on the share. This means that they will do all file operations as the super-user (root).

You should use this option very carefully, as any user in this list will be able to do anything they like on the share, irrespective of file permissions.

Share Default: admin users =

Example: admin users = jason

browsable | browseable

This controls whether this share is seen in the list of available shares in a net view and in the browse list

Share Default: browseable = yes

comment

This is a text field that is seen next to a share when a client queries the server, either via the network neighborhood or via net view to list what shares are available.

If you want to set the string that is displayed next to the machine name then see the server string parameter

Share Default: comment = # No comment

Example: comment = Fred's Files

create mode | create mask

When a file is created, the necessary permissions are calculated according to the mapping from DOS modes to UNIX permissions, and the resulting UNIX mode is then bit-wise 'AND'ed with this parameter. This parameter may be thought of as a bit-wise MASK for the UNIX modes of a file. Any bit not set here will be removed from the modes set on a file when it is created.

The default value of this parameter removes the group and other write and execute bits from the UNIX modes.

Following this Samba will bit-wise 'OR' the UNIX mode created from this parameter with the value of the force create mode parameter which is set to 000 by default.

This parameter does not affect directory masks. See the parameter directory mask for details

Share Default: create mask = 0744

Example: create mask = 0775

directory mode | directory mask

This parameter is the octal modes which are used when converting DOS modes to UNIX modes when creating UNIX directories.

When a directory is created, the necessary permissions are calculated according to the mapping from DOS modes to UNIX permissions, and the resulting UNIX mode is then bit-wise 'AND'ed with this parameter. This parameter may be thought of as a bit-wise MASK for the UNIX modes of a directory. Any bit not set here will be removed from the modes set on a directory when it is created.

The default value of this parameter removes the 'group' and 'other' write bits from the UNIX mode, allowing only the user who owns the directory to modify it.

Following this Samba will bit-wise 'OR' the UNIX mode created from this parameter with the value of the force directory mode parameter. This parameter is set to 000 by default (i.e. no extra mode bits are added)

Share Default: directory mask = 0755

Example: directory mask = 0775

force create mode

This parameter specifies a set of UNIX mode bit permissions that will always be set on a file created by Samba. This is done by bitwise 'OR'ing these bits onto the mode bits of a file that is being created. The default for this parameter is (in octal) 000. The modes in this parameter are bitwise 'OR'ed onto the file mode after the mask set in the create mask parameter is applied.

The example below would force all newly created files to have read and execute permissions set for 'group' and 'other' as well as the read/write/execute bits set for the 'user'.

   

Share Default: force create mode = 0000

Example: force create mode = 0755

force directory mode

This parameter specifies a set of UNIX mode bit permissions that will always be set on a directory created by Samba. This is done by bitwise 'OR'ing these bits onto the mode bits of a directory that is being created. The default for this parameter is (in octal) 0000 which will not add any extra permission bits to a created directory. This operation is done after the mode mask in the parameter directory mask is applied.

The example below would force all created directories to have read and execute permissions set for 'group' and 'other' as well as the read/write/execute bits set for the 'user'.

   

Share Default: force directory mode = 0000

Example: force directory mode = 0755
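The mask-then-OR rule that the create mask / force create mode and directory mask / force directory mode entries describe, worked through in an added shell example (not from these notes or from Samba) against the defaults and against the 0770 values used in the [smbgroup] share earlier. The requested modes fed in are constructed inputs: 0666 is assumed as what a plain new file arrives with, and 0766 as the same file with the DOS archive bit mapped onto the owner execute bit; the exact DOS-to-UNIX mapping is outside this page.

```shell
#!/bin/sh
# Added example: the UNIX mode Samba leaves on a new file or directory is
#   (requested_mode AND mask) OR force_mode
# with create mask / force create mode for files and directory mask /
# force directory mode for directories, as described in smb.conf(5).

# Turn "664" or "0664" into a leading-zero literal so $(( )) reads it as octal.
octal_lit() {
    case $1 in
        0*) printf '%s' "$1" ;;
        *)  printf '0%s' "$1" ;;
    esac
}

# smb_effective_mode REQUESTED MASK FORCE -> 4-digit octal result
smb_effective_mode() {
    req=$(octal_lit "$1"); mask=$(octal_lit "$2"); force=$(octal_lit "$3")
    printf '%04o\n' $(( ($req & $mask) | $force ))
}

# Return 0 when the result carries the group write bit, i.e. when a file
# created by one member of smbgrp is writable by the others.
smb_group_writable() {
    m=$(smb_effective_mode "$1" "$2" "$3")
    [ $(( $m & 020 )) -ne 0 ]
}

# Compare the share defaults (create mask 0744, force create mode 0000,
# which [sambashare] above inherits) with the [smbgroup] settings (0770/0770).
# Requested modes are constructed inputs: 0666 for a plain file, 0766 with
# the DOS archive bit mapped onto owner execute (assumption, see lead-in).
for req in 0666 0766 0644; do
    printf 'requested %s  defaults -> %s  smbgroup -> %s\n' "$req" \
        "$(smb_effective_mode "$req" 0744 0000)" \
        "$(smb_effective_mode "$req" 0770 0770)"
done
```

Note the asymmetry: the mask can only remove bits and the force value can only add them, so `force create mode = 0770` guarantees group read/write even when a client asks for 0644, while the defaults turn that same request into 0644 with no group write at all. That is the whole difference between [sambashare] and the collaboration share.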

group | force group

This specifies a UNIX group name that will be assigned as the default primary group for all users connecting to this service. This is useful for sharing files by ensuring that all access to files on service will use the named group for their permissions checking. Thus, by assigning permissions for this group to the files and directories within this service the Samba administrator can restrict or allow sharing of these files.

In Samba 2.0.5 and above this parameter has extended functionality in the following way. If the group name listed here has a '+' character prepended to it then the current user accessing the share only has the primary group default assigned to this group if they are already assigned as a member of that group. This allows an administrator to decide that only users who are already in a particular group will create files with group ownership set to that group. This gives a finer granularity of ownership assignment. For example, the setting force group = +sys means that only users who are already in group sys will have their default primary group assigned to sys when accessing this Samba share. All other users will retain their ordinary primary group.

If the force user parameter is also set the group specified in force group will override the primary group set in force user

Share Default: force group =

Example: force group = agroup

force user

This specifies a UNIX user name that will be assigned as the default user for all users connecting to this service. This is useful for sharing files. You should also use it carefully as using it incorrectly can cause security problems.

This user name only gets used once a connection is established. Thus clients still need to connect as a valid user and supply a valid password. Once connected, all file operations will be performed as the "forced user", no matter what username the client connected as. This can be very useful.

In Samba 2.0.5 and above this parameter also causes the primary group of the forced user to be used as the primary group for all file activity. Prior to 2.0.5 the primary group was left as the primary group of the connecting user (this was a bug)

Share Default: force user =

Example: force user = auser

guest account

This is a username which will be used for access to services which are specified as guest ok (see below). Whatever privileges this user has will be available to any client connecting to the guest service. This user must exist in the password file, but does not require a valid login. The user account "ftp" is often a good choice for this parameter.

On some systems the default guest account "nobody" may not be able to print. Use another account in this case. You should test this by trying to log in as your guest user (perhaps by using the su - command) and trying to print using the system print command such as lpr(1) or lp(1).

This parameter does not accept % macros, because many parts of the system require this value to be constant for correct operation

Global Default: guest account = nobody # default can be changed at compile-time

Example: guest account = ftp

guest ok | public

If this parameter is yes for a service, then no password is required to connect to the service. Privileges will be those of the guest account.

This parameter nullifies the benefits of setting restrict anonymous = 2

See the section below on security for more information about this option

Share Default: guest ok = no

Example: guest ok = yes
 

guest only | only guest

If this parameter is yes for a service, then only guest connections to the service are permitted. This parameter will have no effect if guest ok is not set for the service.

See the section below on security for more information about this option.

Share Default: guest only = no

Example: guest only = yes

hostname lookups

Specifies whether samba should use (expensive) hostname lookups or use the ip addresses instead. An example place where hostname lookups are currently used is when checking the hosts deny and hosts allow.

Global Default: hostname lookups = no

Example: hostname lookups = yes

hosts allow | allow hosts

This parameter is a comma, space, or tab delimited set of hosts which are permitted to access a service.

If specified in the [global] section then it will apply to all services, regardless of whether the individual service has a different setting.

You can specify the hosts by name or IP number. For example, you could restrict access to only the hosts on a Class C subnet with something like allow hosts = 150.203.5. (the trailing dot is part of the value and matches the whole 150.203.5.0/24 range). The full syntax of the list is described in the man page hosts_access(5). Note that this man page may not be present on your system, so a brief description will be given here also.

Note that the localhost address 127.0.0.1 will always be allowed access unless specifically denied by a hosts deny option.

You can also specify hosts by network/netmask pairs and by netgroup names if your system supports netgroups. The EXCEPT keyword can also be used to limit a wildcard list. The following examples may provide some help

Share Default: hosts allow = # none (i.e., all hosts permitted access)

Example 1: allow all IPs in 150.203.*.*; except one

hosts allow = 150.203. EXCEPT 150.203.6.66

Example 2: allow hosts that match the given network/netmask

hosts allow = 150.203.15.0/255.255.255.0

Example 3: allow a couple of hosts

hosts allow = lapland, arvidsjaur

Example 4: allow only hosts in NIS netgroup "foonet", but deny access from one particular host

hosts allow = @foonet

hosts deny = pirate

hosts deny | deny hosts

The opposite of hosts allow - hosts listed here are NOT permitted access to services unless the specific services have their own lists to override this one. Where the lists conflict, the allow list takes precedence.

In the event that it is necessary to deny all by default, use the keyword ALL (or the netmask 0.0.0.0/0) and then explicitly list in the hosts allow parameter those hosts that should be permitted access.

Share Default: hosts deny = # none (i.e., no hosts specifically excluded)

Example: hosts deny = 150.203.4. badhost.mynet.edu.au

invalid users

This is a list of users that should not be allowed to login to this service. This is really a paranoid check to absolutely ensure an improper setting does not breach your security.

A name starting with a '@' is interpreted as an NIS netgroup first (if your system supports NIS), and then as a UNIX group if the name was not found in the NIS netgroup database.

A name starting with '+' is interpreted only by looking in the UNIX group database via the NSS getgrnam() interface. A name starting with '&' is interpreted only by looking in the NIS netgroup database (this requires NIS to be working on your system). The characters '+' and '&' may be used at the start of the name in either order so the value +&group means check the UNIX group database, followed by the NIS netgroup database, and the value &+group means check the NIS netgroup database, followed by the UNIX group database (the same as the '@' prefix).

The current servicename is substituted for %S. This is useful in the [homes] section.

Share Default: invalid users = # no invalid users

Example: invalid users = root fred admin @wheel

netbios name

This sets the NetBIOS name by which a Samba server is known. By default it is the same as the first component of the host's DNS name. If a machine is a browse server or logon server this name (or the first component of the hosts DNS name) will be the name that these services are advertised under.

Note that the maximum length for a NetBIOS name is 15 characters

Global Default: netbios name = # machine DNS name

Example: netbios name = MYNAME

passdb backend

This option allows the administrator to choose which backend will be used for storing user and possibly group information. This allows you to swap between different storage mechanisms without recompiling.

The parameter value is divided into two parts, the backend's name, and a 'location' string that has meaning only to that particular backend. These are separated by a : character.

Available backends can include:

  • smbpasswd - The old plaintext passdb backend. Some Samba features will not work if this passdb backend is used. Takes a path to the smbpasswd file as an optional argument.
  • tdbsam - The TDB based password storage backend. Takes a path to the TDB as an optional argument (defaults to passdb.tdb in the private dir directory.
  • ldapsam - The LDAP based passdb backend. Takes an LDAP URL as an optional argument (defaults to ldap://localhost)

LDAP connections should be secured where possible. This may be done using either Start-TLS (see ldap ssl) or by specifying ldaps:// in the URL argument.

Multiple servers may also be specified in double-quotes. Whether multiple servers are supported or not and the exact syntax depends on the LDAP library you use

Global Default: passdb backend = tdbsam

Examples:

passdb backend = tdbsam:/etc/samba/private/passdb.tdb

or multi server LDAP URL with OpenLDAP library:

passdb backend = ldapsam:"ldap://ldap-1.example.com ldap://ldap-2.example.com"

or multi server LDAP URL with Netscape based LDAP library:

passdb backend = ldapsam:"ldap://ldap-1.example.com ldap-2.example.com"

path | directory

This parameter specifies a directory to which the user of the service is to be given access. In the case of printable services, this is where print data will spool prior to being submitted to the host for printing.

For a printable service offering guest access, the service should be readonly and the path should be world-writeable and have the sticky bit set. This is not mandatory of course, but you probably won't get the results you expect if you do otherwise.

Any occurrences of %u in the path will be replaced with the UNIX username that the client is using on this connection. Any occurrences of %m will be replaced by the NetBIOS name of the machine they are connecting from. These replacements are very useful for setting up pseudo home directories for users.

Note that this path will be based on root dir if one was specified

Share Default: path =

Example: path = /home/fred

read only

    An inverted synonym is writeable.

yes => CANNOT create or modify
no => can create or modify

    If this parameter is yes, then users of a service may not create or modify files in the service's directory.

    Note that a printable service (printable = yes) will ALWAYS allow writing to the directory (user privileges permitting), but only via spooling operations.

Share Default: read only = yes

Example: read only = no

security

This option affects how clients respond to Samba and is one of the most important settings in the smb.conf file.

The default is security = user, as this is the most common setting, used for a standalone file server or a DC.

The alternatives are security = ads or security = domain , which support joining Samba to a Windows domain

You should use security = user and map to guest if you want to mainly setup shares without a password (guest shares). This is commonly used for a shared printer server.

The different settings will now be explained.

SECURITY = AUTO

This is the default security setting in Samba, and causes Samba to consult the server role parameter (if set) to determine the security mode.

SECURITY = USER

If server role is not specified, this is the default security setting in Samba. With user-level security a client must first "log-on" with a valid username and password (which can be mapped using the username map parameter). Encrypted passwords (see the encrypted passwords parameter) can also be used in this security mode. Parameters such as user and guest only if set are then applied and may change the UNIX user to use on this connection, but only after the user has been successfully authenticated.

Note that the name of the resource being requested is not sent to the server until after the server has successfully authenticated the client. This is why guest shares don't work in user level security without allowing the server to automatically map unknown users into the guest account. See the map to guest parameter for details on doing this.

SECURITY = DOMAIN

This mode will only work correctly if net(8) has been used to add this machine into a Windows NT Domain. It expects the encrypted passwords parameter to be set to yes. In this mode Samba will try to validate the username/password by passing it to a Windows NT Primary or Backup Domain Controller, in exactly the same way that a Windows NT Server would do.

Note that a valid UNIX user must still exist as well as the account on the Domain Controller to allow Samba to have a valid UNIX account to map file access to.

Note that from the client's point of view security = domain is the same as security = user. It only affects how the server deals with the authentication, it does not in any way affect what the client sees.

Note that the name of the resource being requested is not sent to the server until after the server has successfully authenticated the client. This is why guest shares don't work in user level security without allowing the server to automatically map unknown users into the guest account. See the map to guest parameter for details on doing this.

See also the password server parameter and the encrypted passwords parameter.

SECURITY = ADS

In this mode, Samba will act as a domain member in an ADS realm. To operate in this mode, the machine running Samba will need to have Kerberos installed and configured and Samba will need to be joined to the ADS realm using the net utility.

Note that this mode does NOT make Samba operate as a Active Directory Domain Controller.

Note that this forces require strong key = yes and client schannel = yes for the primary domain.

Global Default: security = AUTO

Example: security = user

smb passwd file

This option sets the path to the encrypted smbpasswd file. By default the path to the smbpasswd file is compiled into Samba

Global Default: smb passwd file = ${prefix}/private/smbpasswd

Example: smb passwd file = /etc/samba/smbpasswd

 

smb ports

Specifies which ports the server should listen on for SMB traffic.

Global Default: smb ports = 445 139

Example: smb ports = 445 139

valid users

 This is a list of users that should be allowed to login to this service. Names starting with '@', '+' and '&' are interpreted using the same rules as described in the invalid users parameter.

If this is empty (the default) then any user can login. If a username is in both this list and the invalid users list then access is denied for that user.

The current servicename is substituted for %S. This is useful in the [homes] section.

Note: When used in the [global] section this parameter may have unwanted side effects. For example: If samba is configured as a MASTER BROWSER (see local master, os level, domain master, preferred master) this option will prevent workstations from being able to browse the network.

Share Default: valid users = # No valid users list (anyone can login)

Example: valid users = greg, @pcusers

workgroup

This controls what workgroup your server will appear to be in when queried by clients. Note that this parameter also controls the Domain name used with the security = domain setting

Global Default: workgroup = WORKGROUP

Example: workgroup = MYGROUP

writable | write ok | writeable

    Inverted synonym for read only.

yes => CAN create or modify
no => cannot create or modify

    If this parameter is yes, then users of a service may create or modify files in the service's directory (subject to the UNIX permissions on that directory).

Share Default: writeable = no

Example: writeable = yes

write list

This is a list of users that are given read-write access to a service. If the connecting user is in this list then they will be given write access, no matter what the read only option is set to. The list can include group names using the @group syntax.

Note that if a user is in both the read list and the write list then they will be given write access.

Share Default: write list =

Example: write list = admin, root, @staff

 

References

  1. https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html
  2. https://www.samba.org/