These classnotes are depreciated. As of 2005, I no longer teach the classes. Notes will remain online for legacy purposes

UNIX02/SAMBA Configuration

Classnotes | UNIX02 | RecentChanges | Preferences

Samba's configuration file is called smb.conf, which will be located in /etc/samba on most systems (including Red Hat) but which may be in /usr/local/samba/lib/ on other UNIX systems (or when built from source).

There is a web-based configuration program for smb.conf called [swat]. It can make configuration of smb.conf trivial, however it can also be a very serious security concern (as are all web-based administrative programs). Because of this, we will only mention it and not go into its use. Once you grasp the fundimentals taught here, using swat will be very straight forward. If you really want to use swat to configure a SAMBA server, then do not leave swat enabled once you place the server into production!

The smb.conf file consists of sections and parameters. A section begins with the name of the section in square brackets and continues until the next section begins. Sections contain parameters of the form

 name = value

The file is line-based - that is, each newline-terminated line represents either a comment, a section name or a parameter.

Section and parameter names are not case sensitive.

Only the first equals sign in a parameter is significant. Whitespace before or after the first equals sign is discarded. Leading, trailing and internal whitespace in section and parameter names is irrelevant. Leading and trailing whitespace in a parameter value is discarded. Internal whitespace within a parameter value is retained verbatim.

Any line beginning with a semicolon (';') or a hash ('#') character is ignored, as are lines containing only whitespace.

Any line ending in a '\' is continued on the next line in the customary UNIX fashion.

The values following the equals sign in parameters are all either a string (no quotes needed) or a boolean, which may be given as yes/no, 0/1 or true/false. Case is not significant in boolean values, but is preserved in string values. Some items such as create modes are numeric.

smb.conf under Red Hat

As with most other configuration files under Red Hat, the default smb.conf file is very well documented and includes some reasonable defaults.

Take a look at your smb.conf file as we explore some of the initial settings:


 # workgroup = NT-Domain-Name or Workgroup-Name
   workgroup = MYGROUP

 # server string is the equivalent of the NT Description field
   server string = Samba Server

The smb.conf file begins with a "global" section. Items in the global section apply to all sections. The first two entries we see deal with the workgroup name and descriptive text of the SAMBA server.

 ;   hosts allow = 192.168.1. 192.168.2. 127.

If we were to uncomment this and modify these settings, we could restrict access to this SAMBA server to very specific hosts.

 # You may wish to use password encryption. Please read
 # ENCRYPTION.txt, Win95.txt and WinNT?.txt in the Samba
 # documentation.
 # Do not enable this option unless you have read those documents
   encrypt passwords = yes

On some of the Windows operating systems (especially earlier and unpatched Windows 95, 98, and NT) passwords are sent to SMB servers as plain-text. Such a practice is prone to "man-in-the-middle" attacks. If you are working with older, unpatched Windows machines, then you may wish to set this to "no". However, for any reasonably modern Windows OS, you will want to leave this set to "yes".

   unix password sync = Yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Something-Quite-Long-Indeed*

This section of the configuration file allows for Windows clients to change their password and have this change be reflected in their UNIX accounts. It can be a security risk, and should be used with caution.

After the global section you can place other sections for individual shares and printers. Red Hat kindly includes several examples, such as the following:

 # A publicly accessible directory, but read only, except for people in
 # the "staff" group
 ;   comment = Public Stuff
 ;   path = /home/samba
 ;   public = yes
 ;   writable = yes
 ;   printable = no
 ;   write list = @staff

 # A private directory, usable only by fred. Note that fred requires write
 # access to the directory.
 ;   comment = Fred's Service
 ;   path = /usr/somewhere/private
 ;   valid users = fred
 ;   public = no
 ;   writable = yes
 ;   printable = no

Here is a real-world example of a situation where a particular office has a SAMBA share which everyone in that office must have read and write access to, but which is not publically browsable:

        path = /home/office_users/main_office
        read only = No
        public = No
        writable = yes
        browsable = yes
        only user = no

        # Let's make sure that no one can change group ownership
        map system = true
        create mask = 770

But what is this 'create mask'? In this situation, we do not want an errant Windows application modifying a file in this share and changing write permissions to that file. We want the files to always be readable and writable by their owner and their group owner. The 'create mask' is a mask which each write operation performed on the SAMBA share is bitwise OR'ed with. A mask of '770' prohibits the application from changing the owner and group owner permissions.

Classnotes | UNIX02 | RecentChanges | Preferences
This page is read-only | View other revisions
Last edited August 30, 2003 4:38 pm (diff)
(C) Copyright 2003 Samuel Hart
Creative Commons License
This work is licensed under a Creative Commons License.