Samba: complete basic settings for a Samba server

Samba protocol basics

After NetBIOS appeared, Microsoft implemented a network file and print service on top of it. The file-sharing protocol it defined over NetBIOS is what Microsoft calls the Server Message Block (SMB) protocol. Microsoft uses this protocol in its LAN Manager and Windows NT Server systems to share printers, serial ports, and communication abstractions (such as named pipes and mail slots) between computers.

With the popularity of the Internet, Microsoft wanted to extend this protocol to the Internet and make it a standard for computers on the Internet to share data with each other. It therefore collected the existing SMB protocol, for which few technical documents existed, renamed it CIFS (Common Internet File System), and intended to decouple it from NetBIOS and make it a standard protocol on the Internet.

Therefore, the best way to integrate Windows and Unix computers is to install software that supports SMB/CIFS on the Unix computers, so that Windows clients can use resources on Unix computers just as they use Windows NT servers, without changing any settings. Samba is software that implements SMB. It works by running the NetBIOS protocol (the communication protocol used by Windows 95 Network Neighborhood) and the SMB (Server Message Block) protocol on top of TCP/IP and, together with the NetBEUI protocol of Windows, lets Unix computers be seen by Windows computers in Network Neighborhood. Its functions include:

1. Share the Linux disk to Win95/NT

2. Share Win95/NT disk to Linux machine

3. Share the Linux printer with win95/NT

4. Share the win95/NT printer with the Linux machine.

Its file service also goes beyond that of the NT system: for example, it could limit each user's disk space before Windows 2000 could.

Samba Configuration

At the time of writing, Samba has reached version 2.2.2. You can get the latest rpm installation package from ftp://samba.org/pub/samba/Binary .. 2-20011013.i386.rpm, then run rpm -Uvh samba-2.2.2-20011013.i386.rpm to install or upgrade it. After installation you will find a directory /etc/samba, which holds the Samba-related files; the most important of them is smb.conf. The configuration options are explained below, following the configuration file:

Global settings:

workgroup = MYGROUP

Defines the workgroup or domain of the Samba server (the domain if security = domain is set below).

server string = MY Samba Server

Sets the machine description. When the machine is accessed through Network Neighborhood, this text appears in the remarks column. Samba variables can be used here; the variables Samba defines are:

%S = name of the current service (if any)
%P = root directory of the current service (if any)
%u = user name of the current service (if any)
%g = primary group of the current service user (%u)
%U = user name of the current session
%G = primary group of the session user (%U)
%H = home directory of the current service user
%v = Samba version
%h = host name of the machine running the Samba service
%m = client NetBIOS name
%L = server NetBIOS name
%M = client host name
%N = name of the NIS home directory server
%p = home directory of the service from the NIS map
%R = protocol level in use (one of CORE, COREPLUS, LANMAN1, LANMAN2, NT1)
%d = process ID of the current service process
%a = client architecture (only Samba, WfWg, WinNT and Win95 are recognised)
%I = client IP address
%T = current date and time

hosts allow = network or host

Sets the networks and hosts that are allowed to access the server. For example, to allow access from 192.168.1.0/24 and 192.168.2.1/32: hosts allow = 192.168.1. 192.168.2.1 127.0.0.1 (a network is written as its leading octets followed by ".", entries are separated by spaces, and remember to include the local machine).
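As an added example that is not from the original article, the following Python models how such a hosts allow list is matched against a client address. The trailing-dot network form and the plain host form follow the article's example; the address/netmask form and the hosts deny handling (an allow entry wins over a deny entry) are assumptions of this illustration, not a statement about Samba's code.

```python
import ipaddress

# Constructed example: the hosts allow value from the article.
HOSTS_ALLOW = "192.168.1. 192.168.2.1 127.0.0.1"


def entry_matches(entry: str, client_ip: str) -> bool:
    """Return True if one hosts allow / hosts deny entry matches client_ip.

    Forms handled:
      "192.168.1."            trailing dot = network prefix (as in the article)
      "192.168.2.1"           a single host
      "10.1.0.0/255.255.0.0"  address/netmask or address/prefix length
                              (assumed here as a generalisation)
    """
    if entry.endswith("."):
        # Whole-octet prefix match: because the dot is part of the prefix,
        # "192.168.1." cannot match 192.168.10.x.
        return client_ip.startswith(entry)
    if "/" in entry:
        network = ipaddress.ip_network(entry, strict=False)
        return ipaddress.ip_address(client_ip) in network
    return client_ip == entry


def client_allowed(client_ip: str, hosts_allow: str, hosts_deny: str = "") -> bool:
    """Decide whether a client may connect, given both list values.

    Assumed rules: with only hosts allow set, the client must match it;
    with only hosts deny set, the client must not match it; with both,
    an allow match wins, a deny match refuses, and anything else passes.
    """
    allow = hosts_allow.split()
    deny = hosts_deny.split()
    if any(entry_matches(e, client_ip) for e in allow):
        return True
    if any(entry_matches(e, client_ip) for e in deny):
        return False
    # Nothing matched: refuse only if an allow list was given at all.
    return not allow
```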

printcap name = printcapFile

Reads the printer descriptions from printcapFile (usually /etc/printcap).

load printers = yes | no

Sets whether all printers are shared automatically, without a [printers] section below.

printing = PrintSystemType

Defines the printing system type. The default is lprng; the options are bsd, sysv, plp, lprng, aix, hpux and qnx.

guest account = pcguest

Defines the guest account. Add this account to /etc/passwd; otherwise the default nobody is used.

log file = LogFileName

Defines the location of the log file LogFileName (usually /var/log/samba/%m.log).

max log size = size

Defines the maximum size of the log file in KB (0 means unlimited).

security = security_level

Defines the security level of Samba, from low to high: share, user, server, domain. Authentication works as follows:

share: no security. Any user can access resources on the server without a user name or password.

user: Samba's default. Users must authenticate with a user name and password before accessing shared resources.

server: like the user level, but the user name and password are passed to another server for verification, for example an NT server. If that fails, Samba falls back to the user level.

domain: requires a Windows primary domain controller on the network; Samba passes the user name and password to it for verification.

The latter three security levels require the user to have a system account on the Linux machine; otherwise access is refused.

password server = host

Required when security is set to server or domain.

password level = n

This exists for SMB clients such as OS/2, which convert the password to upper case before sending it, so that it no longer matches the password Samba holds. This parameter sets how many letters of the password may be in upper case; Samba then tries case variations of the received password up to that number and verifies each one. The larger n is, the more combinations there are, the longer verification takes, and the lower the security. For example, with n = 2 and a real password of abcd, if the client sends ABCD, Samba rearranges the case of ABCD, and the results tried can be Abcd, aBcd, abCd, abcD, abcd, ABcd, AbCd, AbcD, aBCd, aBcD.

So if there is no need for it, set n to zero. Samba then tries only twice: once with the password as received, and once with it converted to lower case.
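To make the cost of this setting concrete, here is an added Python model (not Samba's code, and not part of the original article) of the candidates the text describes: the received password, its lowercase form, and every lowercase form with up to n letters in upper case. The count it returns is the number of comparisons the server is committed to in the worst case.

```python
from itertools import combinations


def case_candidates(received: str, level: int) -> set:
    """Passwords a server would try for `received` under password level = level.

    Modelled on the behaviour the article describes, not on Samba's source:
    the password exactly as received, the all-lowercase form, and every
    lowercase form with up to `level` letters turned into upper case.
    """
    lowered = received.lower()
    letters = [i for i, ch in enumerate(lowered) if ch.isalpha()]
    tried = {received, lowered}
    for count in range(1, min(level, len(letters)) + 1):
        for positions in combinations(letters, count):
            chars = list(lowered)
            for i in positions:
                chars[i] = chars[i].upper()
            tried.add("".join(chars))
    return tried


def comparisons_needed(received: str, level: int) -> int:
    """Worst-case number of password comparisons forced by the level."""
    return len(case_candidates(received, level))


if __name__ == "__main__":
    # The article's example: client sends ABCD, real password is abcd.
    for level in (0, 2, 4):
        print(level, comparisons_needed("ABCD", level),
              sorted(case_candidates("ABCD", level)))
    # Longer passwords grow much faster: sum of C(len, k) for k <= level.
    print(comparisons_needed("ABCDEFGH", 4))
```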

username level = n

The same mechanism applied to the user name.

encrypt passwords = yes | no

Sets whether passwords are encrypted. Samba has its own password file, /etc/samba/smbpasswd. If passwords are not encrypted, the plaintext password travels between client and server during authentication, and Samba verifies it directly against the password file on the Linux machine. However, Windows 95 OSR2 and later, and Windows NT SP3 and later, do not send plaintext passwords by default; making them do so requires registry changes on each client, which is troublesome. The better approach is to set this switch to yes.

smb passwd file = smbPasswordFile

Sets the file smbPasswordFile that stores Samba user passwords (usually /etc/samba/smbpasswd).

ssl CA certFile = sslFile

When Samba is compiled with SSL support, specifies the location of the SSL CA certificate (typically /usr/share/ssl/certs/ca-bundle.crt).

unix password sync = yes | no

passwd program = /usr/bin/passwd %u

passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*

Together, these three settings let the Unix system password be changed from a Windows client.

username map = UsermapFile

Specifies the user mapping file (usually /etc/samba/smbusers). If this file contains the line root = administrator admin, a client connecting as admin or administrator is treated as the user root.

include = MachineConfFile

Specifies a different configuration file MachineConfFile for connections from different machines. For flexible management this is usually /etc/samba/smb.conf.%m: because the Samba variable ties the configuration file to the client's NetBIOS name, the permissions and settings of individual clients are easy to control.

socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

These network socket parameters tune file transfer performance. The available options include SO_KEEPALIVE, SO_REUSEADDR, SO_BROADCAST, IPTOS_LOWDELAY, IPTOS_THROUGHPUT, SO_SNDLOWAT (*) and SO_RCVLOWAT (*); the options marked * take a numeric value. On a local network IPTOS_LOWDELAY alone, or IPTOS_LOWDELAY TCP_NODELAY, is generally used; on a wide area network, try IPTOS_THROUGHPUT.

interfaces = interface1 interface2

If you have multiple network interfaces, specify them here, for example interfaces = 192.168.12.2/24 192.168.13.2/24

remote browse sync = host (subnet)

Where to obtain browse list synchronisation information: either a host (such as 192.168.3.25) or a whole subnet (192.168.5.255).

★ Here we explain what browsing is:

In the SMB protocol, to access network resources a computer needs to know the list of resources on the network (for example, Network Neighborhood in Windows shows the accessible computers); this mechanism is called browsing. Although SMB often uses broadcasts, discovering the current network resources by broadcast every time (both the computers providing services and the service resources on each computer) would consume a lot of network bandwidth and take a long time. It is therefore better to maintain a list of network resources somewhere on the network, and to search for resources only when necessary, for example with the Search Computer function in Windows.

However, not every computer needs to maintain the whole resource list. The task of maintaining the current resource list is done by a few special computers on the network, called Browsers, which record broadcast data or query name servers to learn the resources on the network.

A Browser is not designated in advance; it is elected automatically among ordinary computers. Different computers can set different weights for the election according to their ability to provide the service. So that browsing keeps working when a Browser goes down, there are usually several Browsers on a network: one Master Browser and the others Backup Browsers.★

remote announce = host (subnet)

Announce this server directly to the listed hosts or subnets instead of relying on a Browser.

local master = yes | no

Specifies whether nmbd tries to become the local master browser. The default is yes. If set to no, the Samba server will never become the local master browser. Setting yes does not guarantee that it becomes the master browser either; it only takes part in the local master browser election.

os level = n

n is an integer that determines nmbd's chance of becoming the local master browser for the workgroup in the local broadcast area. The default is zero, meaning nmbd has no chance in the election. To give nmbd a better chance of becoming the local master browser, set it to 65.

domain master = yes | no

Makes nmbd the domain master browser: it collects the browse list from each local master browser and distributes the browse list of the whole domain back to each local master browser.

preferred master = yes | no

Specifies whether nmbd is the preferred master browser of the workgroup. If yes, nmbd forces a browser election at startup.

★ Domain master and local master

The concepts of workgroup and domain are equally useful for browsing: both are used to partition and maintain browse data for a group of computers. Their real difference lies in authentication. In a workgroup each computer is essentially independent and authenticates client access itself, whereas a domain has one or more domain controllers that hold authentication information valid for the whole domain, both user accounts and the accounts of the member computers. Browse data itself requires no authentication. Microsoft extended the workgroup into the domain to form a hierarchical directory structure that combines the original browsing with directory services, a strategy for expanding the scope of Microsoft network services.

Both a workgroup and a domain can span several subnets, so there are two kinds of Browser on the network: the Domain Master Browser, which maintains the browse data of the whole workgroup or domain, and the Local Master Browser, which maintains the browse data of one subnet and communicates with the Domain Master Browser to obtain the complete browse data. The two types exist because browse data is gathered by network broadcast, so different subnets can exchange resource lists only through communication between Browsers.

To browse resources on several subnets, however, name resolution through an NBNS name server is required: without NBNS a computer cannot learn the NetBIOS name of a computer outside its subnet. The Local Master Browser also queries the NetBIOS name server for the name of the Domain Master Browser in order to exchange network resource information.

Because of the special role of the domain controller, domain controllers tend to be used as Browsers, and the primary domain controller should be the Domain Master Browser; they are given a large weight in the election.★

preserve case = yes | no

short preserve case = yes | no

Specify whether the case of DOS file names is preserved when files are copied. The default is no.

default case = lower | upper

Whether DOS file names default to upper or lower case.

case sensitive = yes | no

Whether file names are case sensitive; generally no, otherwise some problems may occur.

Sharing settings:

★ Shared resources:

Each SMB server can provide file or print services, and each shared resource must be given a share name, which is displayed in the server's resource list. If the last character of a share name is $, the share is hidden: it does not appear in the browse list and can only be reached by accessing the name directly. In the SMB protocol, to obtain the list of resources provided by a server you must connect to the hidden resource IPC$; otherwise the list of system resources cannot be obtained.★

There is one unusual section in the share settings: [homes]. In smb.conf no specific content such as a path is set for it. When a client requests a service, Samba first looks for a service of that name in the other parts of smb.conf. If none is found and a [homes] section exists, it looks up the user's home directory in the password file. Through the [homes] section, Samba can find and share each user's home directory. Its basic settings are:

[homes]
comment = Home Directory
browseable = no
writable = yes

The following is an example of an ordinary share configuration:

[MyShare]
comment = grind's file
path = /home/grind
allow hosts = host (subnet)
deny hosts = host (subnet)
writable = yes | no
user = user (@group)
valid users = user (@group)
invalid users = user (@group)
read list = user (@group)
write list = user (@group)
admin list = user (@group)
public = yes | no
hide dot files = yes | no
create mode = 0755
directory mode = 0755
sync always = yes | no
short preserve case = yes | no
preserve case = yes | no
case sensitive = yes | no
mangle case = yes | no
default case = upper | lower
force user = grind
wide links = yes | no
max connections = 100
delete readonly = yes | no

Specifically, MyShare in [] is the share name, which is generally the folder name seen in Network Neighborhood.

comment is the remark shown for the share.

path specifies the shared path and may use Samba variables. For example, with path = /data/%m, a machine whose NetBIOS name is grind enters /data/grind when it accesses the MyShare share, and a machine whose NetBIOS name is glass enters /data/glass.

allow hosts and deny hosts work the same way as in the global settings above.

writable specifies whether the directory is writable by default; read only = no can be used instead of writable = yes.

user lists all users who may use the share; @group stands for all members of the group. Entries are separated by spaces or commas.

valid users specifies the users and groups that may use the share.

invalid users specifies the users and groups that may not use the share.

read list specifies the users and groups that may only read the share.

write list specifies the users and groups that may read and write the share.

admin list specifies the users and groups that may administer the share (including read/write access and granting permissions).

public indicates whether the share can be accessed with the guest account. This switch is also called guest ok, so guest ok = yes in some configuration files is the same as public = yes.

hide dot files indicates whether files whose names start with "." are hidden, as in Unix.

create mode gives the permissions of newly created files, generally 0755.

directory mode gives the permissions of newly created directories, generally 0755.

sync always indicates whether a sync is performed after each write to the share.

short preserve case indicates whether the case of short (8.3) file names is preserved.

preserve case indicates whether the case of file names is preserved.

case sensitive indicates whether file names are case sensitive. Generally no is chosen; otherwise errors may occur.

mangle case indicates whether mixed-case names are mangled.

default case indicates whether file names default to upper or lower case.

force user forces the owner of files created in the share. If I have a directory that guests may write to, guests can also delete files in it. With force user = grind, files are created with owner grind, and with create mask = 0755 guests can no longer delete them.

wide links indicates whether symbolic links pointing outside the share are followed, for example a link inside the share that points to a file or directory that is not shared. Setting wide links = no makes such links unusable.

max connections = n limits the number of simultaneous connections to n.

delete readonly indicates whether files marked read-only in the share may be deleted.

There are two kinds of special share: the optical drive and the printer.

Share settings for the optical drive:

[cdrom]
comment = grind's cdrom
path = /mnt/cdrom
public = yes
browseable = yes
root preexec = /bin/mount -t iso9660 /dev/cd0 /mnt/cdrom
root postexec = /bin/umount /mnt/cdrom

Here root preexec runs the mount command as root when a client connects, and root postexec runs umount as root when it disconnects, which is an effective way to share an optical drive.

Printer share settings:

[printers]
path = /var/spool/samba
writeable = no
guest ok = yes
printable = yes
printer driver = HP LaserJet 5L

printable indicates that the share is a printer, guest ok indicates that guests may print too, and path is the directory in which print jobs are queued temporarily, /var/spool/samba. printer driver specifies the printer model so that the driver is installed automatically when the network printer is added, without having to select it.

Adding users:

Adding users to Samba is easy; generally smbadduser is used, as smbadduser unixid:netid. For example, if the local machine has a user named grind, smbadduser grind:grind makes grind the user name used when accessing from Network Neighborhood. With smbadduser grind:glass, the user name given in Network Neighborhood is glass instead of grind.

This is basically the configuration of the Samba server. I think the above covers almost everything used in practice, so some unimportant options have been omitted; for more detail, refer to man smb.conf.
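As an added example that is not part of the original article, the following Python reads a constructed smb.conf assembled from the settings discussed above and reports the choices the article warns against: security = share, unencrypted passwords, a non-zero password level, a missing hosts allow, guest-writable shares and wide links. The checks and their wording are this illustration's own; an absent encrypt passwords is treated as no, the default of the Samba 2.2 era the article describes.

```python
import configparser

# Constructed smb.conf built from the article's settings, with deliberately
# weak choices so that the audit has something to report.
SMB_CONF = """\
[global]
workgroup = MYGROUP
security = share
encrypt passwords = no
password level = 4

[homes]
comment = Home Directory
browseable = no
writable = yes

[MyShare]
path = /home/grind
public = yes
writable = yes
wide links = yes
"""


def parse_smb_conf(text: str) -> configparser.ConfigParser:
    # Samba ignores case and white space in parameter names, so the key
    # transform normalises both; interpolation is off so %-variables survive.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = lambda name: "".join(name.split()).lower()
    cp.read_string(text)
    return cp


def is_yes(value) -> bool:
    return value is not None and value.strip().lower() in ("yes", "true", "1")


def setting(cp, section, *names):
    # Return the first of several synonymous parameters that is set.
    for name in names:
        value = cp.get(section, name, fallback=None)
        if value is not None:
            return value
    return None


def is_writable(cp, section) -> bool:
    w = setting(cp, section, "writable", "writeable")
    if w is not None:
        return is_yes(w)
    ro = setting(cp, section, "read only")
    return ro is not None and not is_yes(ro)  # Samba's default is read only


def audit(text: str) -> list:
    # Findings are 'section: reason' strings, one per weak setting found.
    cp = parse_smb_conf(text)
    findings = []
    if (setting(cp, "global", "security") or "user").lower() == "share":
        findings.append("global: security = share allows access without a user name")
    if not is_yes(setting(cp, "global", "encrypt passwords") or "no"):
        findings.append("global: encrypt passwords = no sends plaintext passwords")
    level = int(setting(cp, "global", "password level") or 0)
    if level > 0:
        findings.append(f"global: password level = {level} accepts case variants")
    if setting(cp, "global", "hosts allow") is None:
        findings.append("global: no hosts allow restriction")
    for share in [s for s in cp.sections() if s != "global"]:
        if is_yes(setting(cp, share, "public", "guest ok")) and is_writable(cp, share):
            findings.append(f"{share}: guest access with write permission")
        if is_yes(setting(cp, share, "wide links")):
            findings.append(f"{share}: wide links = yes follows symlinks out of the share")
    return findings
```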