A Samba server in openSUSE® can be configured in two different ways: with YaST or manually. Manual configuration offers a higher level of detail, but lacks the convenience of the YaST GUI.
To configure a Samba server, start YaST and select +.
When starting the module for the first time, the dialog starts, prompting you to make just a few basic decisions concerning administration of the server. At the end of the configuration, it prompts for the password of Samba root. For later starts, the dialog appears.
The dialog consists of two steps and optional detailed settings:
Select an existing name from or enter a new one and click .
In the next step, specify whether your server should act as a primary domain controller (PDC) and click .
Select whether you want to start Samba or and click . Then in the final popup box, set the .
You can change all settings later in the dialog with the , , and tabs.
During the first start of the Samba server module the dialog appears directly after the two initial steps described in Section 27.4.1.1, “Initial Samba Configuration”. Use it to adjust your Samba server configuration.
After editing your configuration, click to save your settings.
In the tab, configure the start of the Samba server. To start the service every time your system boots, select . To activate manual start, choose . More information about starting a Samba server is provided in Section 27.3, “Starting and Stopping Samba”.
In this tab, you can also open ports in your firewall. To do so, select . If you have multiple network interfaces, select the network interface for Samba services by clicking , selecting the interfaces, and clicking .
In the tab, determine the Samba shares to activate. There are some predefined shares, like homes and printers. Use to switch between and . Click to add new shares and to delete the selected share.
enables
members of the group in to share
directories they own with other users. For example,
users for a local scope or
DOMAIN\Users for a domain scope. The user
also must make sure that the file system permissions allow access.
With , limit the total
amount of shares that may be created. To permit access to user shares
without authentication, enable .
In the tab, you can determine the domain with which the host is associated () and whether to use an alternative hostname in the network (). It is also possible to use Microsoft Windows Internet Name Service (WINS) for name resolution. In this case, activate and decide whether to . To set expert global settings or set user authentication, click .
An alternative tool for Samba server administration is SWAT
(Samba Web Administration Tool). It provides a simple Web interface with
which to configure the Samba server. To use SWAT, open
http://localhost:901 in a Web browser and log in as user
root. If you do not have a
special Samba root account, use the system
root account.
Activating SWAT
After Samba server installation, SWAT is not activated. To activate it, open + in YaST, enable the network services configuration, select from the table, and click .
If you intend to use Samba as a server, install
samba. The main
configuration file of Samba is /etc/samba/smb.conf.
This file can be divided into two logical parts. The
[global] section contains the central and global
settings. The [share] sections contain the individual
file and printer shares. By means of this approach, details regarding
the shares can be set differently or globally in the
[global] section, which enhances the structural
transparency of the configuration file.
The following parameters of the [global] section
need some adjustment to match the requirements of your network setup so
other machines can access your Samba server via SMB in a Windows
environment.
This line assigns the Samba server to a workgroup. Replace
TUX-NET with an appropriate workgroup of your
networking environment. Your Samba server appears under its DNS name
unless this name has been assigned to some other machine in the
network. If the DNS name is not available, set the server name using
netbiosname=MYNAME.
For more details about this parameter, see the
smb.conf man page.
This parameter determines whether your Samba server tries to become
LMB (local master browser) for its workgroup. Choose a very low
value to spare the existing Windows network from any disturbances
caused by a misconfigured Samba server. More information about this
important topic can be found in the files
BROWSING.txt and
BROWSING-Config.txt under the
textdocs subdirectory of the package
documentation.
If no other SMB server is present in your network (such as a Windows
2000 server) and you want the Samba server to keep a list of all
systems present in the local environment, set the os
level to a higher value (for example,
65). Your Samba server is then chosen as LMB for
your local network.
When changing this setting, consider carefully how this could affect an existing Windows network environment. First test the changes in an isolated network or at a noncritical time of day.
To integrate your Samba server into an existing Windows network with
an active WINS server, enable the wins server
option and set its value to the IP address of that WINS server.
If your Windows machines are connected to separate subnets and need
to still be aware of each other, you need to set up a WINS server.
To turn a Samba server into such a WINS server, set the option
wins support = Yes. Make sure that only one Samba
server of the network has this setting enabled. The options
wins server and wins support
must never be enabled at the same time in your
smb.conf file.
The following examples illustrate how a CD-ROM drive and the user
directories (homes) are made available to the SMB
clients.
To avoid having the CD-ROM drive accidentally made available, these lines are deactivated with comment marks (semicolons in this case). Remove the semicolons in the first column to share the CD-ROM drive with Samba.
Example 27.1. A CD-ROM Share (deactivated)
;[cdrom]
;       comment = Linux CD-ROM
;       path = /media/cdrom
;       locking = No
[cdrom] and comment
The entry [cdrom] is the name of the share
that can be seen by all SMB clients on the network. An additional
comment can be added to further describe the
share.
path = /media/cdrom
path exports the directory
/media/cdrom.
By means of a very restrictive default configuration, this kind of
share is only made available to the users present on this system. If
this share should be made available to everybody, add a line
guest ok = yes to the configuration. This setting
gives read permissions to anyone on the network. It is recommended
to handle this parameter with great care. This applies even more to
the use of this parameter in the [global]
section.
[homes]
The [homes] share is of special importance here. If
the user has a valid account and password for the Linux file server
and his own home directory, he can be connected to it.
Example 27.2. homes Share
[homes]
        comment = Home Directories
        valid users = %S
        browseable = No
        read only = No
        create mask = 0640
        directory mask = 0750
As long as there is no other share using the share name of the
user connecting to the SMB server, a share is dynamically
generated using the [homes] share directives.
The resulting name of the share is the username.
valid users = %S
%S is replaced with the concrete name of the
share as soon as a connection has been successfully established.
For a [homes] share, this is always the
username. As a consequence, access rights to a user's share are
restricted exclusively to that user.
browseable = No
This setting makes the share invisible in the network environment.
read only = No
By default, Samba prohibits write access to any exported share by
means of the read only = Yes parameter. To
make a share writable, set the value read only =
No, which is synonymous with writable =
Yes.
create mask = 0640
Systems that are not based on MS Windows NT do not understand the
concept of UNIX permissions, so they cannot assign permissions
when creating a file. The parameter create
mask defines the access permissions assigned to newly
created files. This only applies to writable shares. In effect,
this setting means the owner has read and write permissions and
the members of the owner's primary group have read permissions.
valid users = %S prevents read access even if
the group has read permissions. For the group to have read or
write access, deactivate the line valid users =
%S.
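The settings this section warns about (wins server together with wins support, guest ok = yes, and a [homes] share without valid users = %S) can be checked mechanically before a configuration goes live. The following Python sketch is an added example, not part of the original documentation; the sample configuration, the 192.0.2.10 address, the [public] share and the function names are constructed for illustration.

```python
# Constructed sample smb.conf with deliberately weak settings (not from the page).
SAMPLE = """\
[global]
    workgroup = TUX-NET
    wins server = 192.0.2.10
    wins support = Yes
[homes]
    read only = No
;[cdrom]
;   guest ok = yes
[public]
    Guest OK = yes
"""

def parse_smb_conf(text):
    """Return {section: {param: value}}; names lowercased, whitespace removed."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":        # commented lines stay deactivated
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            # smb.conf ignores case and whitespace in parameter names
            conf[section]["".join(key.lower().split())] = value.strip()
    return conf

def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")

def audit(conf):
    """Flag the settings the text warns about; returns a list of findings."""
    findings = []
    glob = conf.get("global", {})
    if glob.get("winsserver") and is_yes(glob.get("winssupport", "no")):
        findings.append("global: wins server and wins support both enabled")
    for name, params in conf.items():
        if is_yes(params.get("guestok", "no")):
            findings.append(f"{name}: guest ok = yes allows access without a password")
    homes = conf.get("homes")
    if homes is not None and homes.get("validusers") != "%S":
        findings.append("homes: valid users = %S is not set")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_smb_conf(SAMPLE))))
```

The commented-out [cdrom] lines produce no finding because the parser skips them, which matches how the deactivated share in Example 27.1 behaves.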
To improve security, each share access can be protected with a password. SMB has four possible ways of checking the permissions:
A password is firmly assigned to a share. Everyone who knows this password has access to that share.
This variation introduces the concept of the user to SMB. Each user must register with the server with his or her own password. After registration, the server can grant access to individual exported shares dependent on usernames.
To its clients, Samba pretends to be working in user level mode.
However, it passes all password queries to another user level mode
server, which takes care of authentication. This setting requires an
additional parameter (password server).
In this mode, Samba will act as a domain member in an Active Directory environment. To operate in this mode, the machine running Samba needs Kerberos installed and configured. You must join the machine using Samba to the ADS realm. This can be done using the YaST module.
This mode will only work correctly if the machine has been joined
into a Windows NT Domain. Samba will try to validate the username and
password by passing them to a Windows NT Primary or Backup Domain
Controller, the same way a Windows NT Server would. It expects
the encrypted passwords parameter to be set to
yes.
The selection of share, user, server, or domain level security applies to the entire server. It is not possible to offer individual shares of a server configuration with share level security and others with user level security. However, you can run a separate Samba server for each configured IP address on a system.
More information about this subject can be found in the Samba HOWTO
Collection. For multiple servers on one system, pay attention to the
options interfaces and bind interfaces
only.