General thread: Samba introduction part 3

Run Samba: configuration phase
  
Daniel Robbins
President/CEO, Gentoo Technologies, Inc.
  
Content:
Add some shares
Exciting sharing
Shared home directory
Sharing parameters
smb.conf options
Print from Samba
References
About the Author
  
In the previous article, Daniel Robbins guided you through setting up Samba for the first time. Now it is time to configure Samba to do everything you want it to do.
  
Here is the smb.conf listing we have used so far:
  
[global]

# set YOURWORKGROUP to the name of your workgroup

workgroup = YOURWORKGROUP
security = user
encrypt passwords = yes
guest account = guest

# enable *one* of the following two lines
# enable the first line if you want to use an existing
# WINS server on your subnet, otherwise, enable the
# second.

# wins server = IP address of WINS server
# wins support = yes

local master = yes
os level = 99
domain master = yes
preferred master = yes

# optional security options. Customize for your site.

# hosts allow = 192.168.1. 127.
# interfaces = eth1

[tmp]
path = /tmp
writeable = yes
  
Add some shares
Once this smb.conf file is in effect, all it does is create a share named "tmp" that shares the /tmp directory with Windows. That is not very exciting, so let's create another, more useful share. Add the following lines to smb.conf and restart Samba.
  
[ftp]
path = /path/to/ftp/root
writeable = no
  
If you have an FTP site or a file archive on the Samba server, you can use similar lines to share that data on the network. The "writeable = no" parameter tells Samba that no one is allowed to create or modify files on the share. Anyone with a valid Samba account can access this share.
  
Exciting sharing
I know what you are thinking: this is still not exciting enough. How about sharing a home directory? The following lines show how to do it:
  
[drobbins]
comment = Home directory for drobbins
path = /home/drobbins
force user = drobbins
read only = no
valid users = drobbins administrator
  
This is much more interesting. Adding similar lines to smb.conf lets you share a home directory. In this example, a "drobbins" share is created that shares /home/drobbins on the network. Fortunately, thanks to the "valid users" line, not everyone can access this share. That line causes Samba to deny access to anyone except the "drobbins" or "administrator" account. Because I use Windows NT, I often log on as administrator, and in that case I still want to be able to access the "drobbins" share. The valid users line allows this.
  
You will also notice the use of the "read only" parameter. As you may have guessed, "read only" is the opposite of the "writeable" parameter; we could just as well have used "writeable = yes" in place of this line. It tells Samba to allow writes to this particular share as long as the appropriate permissions are in place. Because the Samba "drobbins" user maps directly to the Unix "drobbins" user, and drobbins happens to own the /home/drobbins directory and its contents, files can be written and modified.
  
Have you ever created a file in your home directory as root and then been denied write access when you tried to modify it after logging on as a regular user? This happens to me all the time. To fix it, I run "su", then "chown drobbins.drobbins filename", and then "exit" to leave the root shell. Only then am I allowed to modify the file.
  
I mention this because similar problems can occur when you share a home directory and access it as other Samba users. Consider the following situation. As administrator, I access the share and create a file. Normally, this file would be owned by administrator and could not be modified by the drobbins user; if drobbins tried to modify it, access would be denied. Fortunately, Samba has the "force user" option to avoid this situation. The "force user" option causes all operations on files (on a particular Samba SMB/CIFS share) to be performed using a single Unix account. In the "drobbins" share example, this means that any files created by administrator are actually owned by drobbins, which prevents ownership conflicts. Because the "drobbins" share contains a home directory, I want everything in it to be owned by the drobbins account.
  
Before moving on to the next topic, I should mention the "comment" parameter. It lets you attach a descriptive comment, visible from Windows, to your share.
  
Share many home directories
We have seen how to share a single home directory. But what if you manage a server with hundreds of users, all of whom want to access their home directories from Windows? Fortunately, Samba has a special share called "homes" for exactly this purpose. Here is how it works:
  
[homes]
comment = Home directory for %S
path = /home/%u
valid users = %u administrator
force user = %u
writeable = yes
browseable = no
  
As I mentioned, this is a "special" share. It works differently from ordinary shares: Samba recognizes the special identifier "[homes]" and treats this share differently.
  
The most noticeable thing about this share is its use of the "browseable = no" parameter. This option makes a share invisible in Network Neighborhood, and it is usually used to deter users who want to "explore" every share they can see. But why is it used here?
  
The answer is intriguing. As you can see, the "homes" share actually creates a share named "homes". However, that particular share is of no use to us at all. It does not do anything, so we hide it. What the "homes" share does do is tell Samba to create a home directory share for each individual user on the fly. For example, suppose our "drobbins" share is not defined in smb.conf, and we browse Network Neighborhood as the NT user "drobbins". We will find a share named "drobbins" that behaves the same as our original "drobbins" share. If we access Samba as the NT user "jimmy", we will find a properly configured "jimmy" share. This is the charm of homes: adding one special share creates all the home directory shares accordingly.
  
How does it work? When "homes" is set, Samba checks which NT user is accessing it. It then creates a home directory share customized for that specific user. The share appears in Network Neighborhood as if it were a normal, non-dynamic share; the NT user does not realize that this particular share was created dynamically. Let's take a look at what each option does:
  
The comment parameter uses the %S macro, which expands to the actual share name. This results in a "drobbins" share with the comment "Home directory for drobbins", a "jimmy" share with the comment "Home directory for jimmy", and so on. The path parameter also contains a macro, %u, which expands to the user name of the share. In this special case, %u is equivalent to %S, so we could have used path = /home/%S instead. This allows Samba to dynamically map each share to the correct location on disk.
  
We use the macro again in the "valid users =" line to allow only the share's owner and administrator to access it. "force user" also uses a macro so that all file access is performed by a single account. And, of course, we make the share writeable for all authenticated users. Although the "browseable = no" parameter is used, the dynamically created shares can be browsed once they are created; the parameter only hides the non-functional "homes" share.
  
Sharing parameters
We have seen some convenient techniques for creating shares. In this section, I will introduce some common options that let you customize Samba's behavior on a per-share basis. You can also put any share-related option in the [global] section to set the default value for all shares.
  
comment =
The comment = parameter is a very handy option that makes the Samba system look more polished when viewed from the Windows side. It lets you specify a comment that accompanies a particular share and describes its contents. When specifying comments (especially when using "homes"), I often use the %S macro, which expands to the share name.
  
path =
path = is one of the most basic Samba share parameters. It lets you set the path to the directory to be exported. Note that by default, any symbolic links in the directory tree will be followed, so a user may be able to "jump out" of the directory tree. From the Windows side, there is no indication that a symbolic link has been followed; it simply appears as a normal file or directory. We will discuss some parameters that can change this behavior to make symbolic links safer.
  
force user =
force user = is one of my favorite parameters. It forces all file modifications to be performed by a single user account. It is usually used together with the valid users = option to restrict access to a few users. Because all file operations are performed using a single user account, one side effect of force user = is that you cannot tell who did what by looking at Unix file permissions. For writable shares, therefore, the force user = option should be given an appropriate, security-conscious default value. Without this option, all file operations are performed as the Samba user who is accessing the share.
  
force user example:
force user = drobbins
  
browseable =
A simple way to enhance security is to make a particular share invisible. By default, shares are visible in Network Neighborhood. Making them invisible can help deter unwanted attacks. However, it should not be used as the only security measure, because leaving a share out of the browse list does not prevent it from being accessed from Windows. It only reduces the amount of information you give to malicious users.
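
The interaction between writeable / read only, valid users =, force user = and browseable = described above can be checked mechanically. The following Python audit is an added example, not code from the original article or from the Samba project; the [scratch] share and the finding texts are constructed, and the parser assumes plain "name = value" lines with no include directives or line continuations.

```python
# Added example: audit smb.conf shares; [scratch] is constructed, the rest follow the article.
SAMPLE = """\
[tmp]
writeable = yes
[ftp]
writeable = no
[drobbins]
force user = drobbins
read only = no
valid users = drobbins administrator
[scratch]
force user = drobbins
writeable = yes
browseable = no
"""
TRUE = {"yes", "true", "1"}

def parse_smb_conf(text):
    """Return {section: {param: value}}; section and parameter names are case-insensitive."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = shares.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            key = " ".join(key.lower().split())
            if key in ("writeable", "writable", "write ok"):  # inverted synonyms of "read only"
                key, value = "read only", "no" if value.lower() in TRUE else "yes"
            current[key] = value
    return shares

def audit(shares):
    findings, defaults = [], shares.get("global", {})
    for name, own in shares.items():
        p = {**defaults, **own}  # [global] supplies defaults for every share
        if name == "global" or p.get("valid users", "").strip():
            continue  # not a share, or access is already limited by valid users
        checks = {
            "writable by any authenticated account": p.get("read only", "yes").lower() not in TRUE,
            "force user without valid users": "force user" in p,
            "hidden from browsing but not access-restricted": p.get("browseable", "yes").lower() not in TRUE,
        }
        findings += [(name, msg) for msg, hit in checks.items() if hit]
    return findings

if __name__ == "__main__":
    print(audit(parse_smb_conf(SAMPLE)))
```

On the sample, [tmp] is reported once and [scratch] three times, while [ftp] (read-only) and [drobbins] (limited by valid users) produce no findings.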