A samba server in SUSE® Linux Enterprise can be configured in two different ways: with YaST or manually. Manual configuration offers a higher level of detail, but lacks the convenience of the YaST GUI.
To configure a Samba server, start YaST and select
+ . When starting the module for the first time, the dialog starts, prompting you to make just a few basic decisions concerning administration of the server then at the end of the configuration prompts for the password of Samba root. For later starts, the dialog appears.The
dialog consists of two steps:Select an existing name from
or enter a new one and click .In the next step, specify whether your server should act as PDC and click
.You can change all settings from
later in the dialog with the tab.During first start of Samba server module the
dialog appears directly after dialog. Use it to adjust your Samba server configuration.After editing your configuration, click
to close the configuration.In the Section 38.2, “Starting and Stopping Samba”.
tab, configure the start of the Samba server. To start the service every time your system boots, select . To activate manual start, choose . More information about starting a Samba server is provided inIn this tab, you can also open ports in your firewall. To do so, select
. If you have multiple network interfaces, select the network interface for Samba services by clicking , selecting the interfaces, and clicking .In the
tab, determine the Samba shares to activate. There are some predefined shares, like homes and printers. Use to switch between and . Click to add new shares and to delete the selected share.In the for example LDAP, click .
tab, you can determine the domain with which the host is associated ( ) and whether to use an alternative hostname in the network ( ). To set expert global settings or set user authentication,To enable users from other domains to access your domain, make the appropriate settings in the
tab. To add a new domain, click . To remove the selected domain, click .In the tab
, you can determine the LDAP server to use for authentication. To test the connection to your LDAP server, click . To set expert LDAP settings or use default values, click .Find more information about LDAP configuration in Chapter 37, LDAP—A Directory Service.
An alterative tool for Samba server administration is SWAT (Samba Web
Administration Tool).
It provides a simple Web interface with which to configure the
Samba server. To use SWAT,
open http://localhost:901 in a Web browser and log in as
user root
.
If you do not have a special Samba root account, use the system
root
account.
![]() | Activating SWAT |
---|---|
After Samba server installation, SWAT is not activated. To activate it, open + in YaST, enable the network services configuration, select from the table, and click . |
If you intend to use Samba as a server,
install samba
.
The main configuration file of Samba is
/etc/samba/smb.conf
. This file can be divided into two
logical parts. The [global]
section contains the central
and global settings. The [share]
sections contain the
individual file and printer shares. By means of this approach, details
regarding the shares can be set differently or globally in the
[global]
section, which enhances the structural
transparency of the configuration file.
The following parameters of the [global]
section
need some adjustment to match the requirements of your network setup so
other machines can access your Samba server via
SMB in a Windows environment.
This line assigns the Samba server to a
workgroup. Replace TUX-NET
with an
appropriate workgroup of your networking environment. Your
Samba server appears under its DNS name
unless this name has been assigned to any other machine in the
network. If the DNS name is not available, set the server name using
netbiosname=MYNAME
. See
mansmb.conf
for more details about
this parameter.
This parameter triggers whether your
Samba server tries to become LMB (local
master browser) for its workgroup. Choose a very low value to
spare the existing Windows network from any disturbances caused by a
misconfigured Samba server. More information
about this important topic can be found in the files
BROWSING.txt
and
BROWSING-Config.txt
under the
textdocs
subdirectory of the package
documentation.
If no other SMB server is present in your network (such as a Windows NT
or 2000 server) and you want the Samba
server to keep a list of all systems present in the local environment,
set the os level
to a higher value (for example,
65
). Your Samba server
is then chosen as LMB for your local network.
When changing this setting, consider carefully how this could affect an existing Windows network environment. First test the changes in an isolated network or at a noncritical time of day.
To integrate your Samba
server into an existing Windows network with an active WINS server,
enable the wins server
option and set its value
to the IP address of that WINS server.
If your Windows machines are connected to separate subnets and
should still be aware of each other, you need to set up a WINS server.
To turn a Samba server into such a WINS
server, set the option wins support = Yes
. Make sure
that only one Samba server of the network has
this setting enabled.
The options wins server
and wins
support
must never be enabled at the same time in your
smb.conf
file.
The following examples illustrate how a CD-ROM drive and the user
directories (homes
) are made available to
the SMB clients.
To avoid having the CD-ROM drive accidentally made available, these lines are deactivated with comment marks (semicolons in this case). Remove the semicolons in the first column to share the CD-ROM drive with Samba.
[cdrom]
and comment
The entry [cdrom]
is the name of the share
that can be seen by all SMB clients on the network. An additional
comment
can be added to further describe the
share.
path = /media/cdrom
path
exports the directory
/media/cdrom
.
By means of a very restrictive default configuration, this kind of
share is only made available to the users present on this system. If
this share should be made available to everybody, add a line
guest ok = yes
to the configuration. This setting
gives read permissions to anyone on the network. It is recommended to
handle this parameter with great care. This applies even more to the use
of this parameter in the [global]
section.
[homes]
The [home]
share is of special
importance here. If the user has a valid account and password for the
Linux file server and his own home directory, he can be connected to
it.
Example 38.2. homes Share
[homes] comment = Home Directories valid users = %S browseable = No read only = No create mask = 0640 directory mask = 0750
As long as there is no other share using the share name of the
user connecting to the SMB server, a share is dynamically generated
using the [homes]
share directives. The resulting
name of the share is the username.
valid users = %S
%S
is replaced with the concrete name of the
share as soon as a connection has been successfully established. For
a [homes]
share, this is always the
username. As a consequence, access rights to a user's share
are restricted exclusively to the user.
browseable = No
This setting makes the share invisible in the network environment.
read only = No
By default, Samba prohibits write
access to any exported share by means of the read only =
Yes
parameter. To make a share writable, set the value
read only = No
, which is synonymous with
writable = Yes
.
create mask = 0640
Systems that are not based on MS Windows NT do not understand
the concept of UNIX permissions, so they cannot assign permissions
when creating a file. The parameter create mask
defines the access permissions assigned to newly created files. This
only applies to writable shares. In effect, this setting means the
owner has read and write permissions and the members of the owner's
primary group have read permissions. valid users =
%S
prevents read access even if the group has read
permissions. For the group to have read or write
access, deactivate the line valid users = %S
.
To improve security, each share access can be protected with a password. SMB has three possible ways of checking the permissions:
A password is firmly assigned to a share. Everyone who knows this password has access to that share.
This variation introduces the concept of the user to SMB. Each user must register with the server with his own password. After registration, the server can grant access to individual exported shares dependent on usernames.
To its clients, Samba pretends to be
working in user level mode. However, it passes all password queries to
another user level mode server, which takes care of authentication. This
setting expects an additional parameter (password
server
).
The selection of share, user, or server level security applies to the entire server. It is not possible to offer individual shares of a server configuration with share level security and others with user level security. However, you can run a separate Samba server for each configured IP address on a system.
More information about this subject can be found in the Samba HOWTO
Collection. For multiple servers on one system, pay attention to
the options interfaces
and bind interfaces
only
.