SUSE Linux Enterprise Samba


Using Samba, a Unix machine can be configured as a file and print server for macOS, Windows, and OS/2 machines. Samba has developed into a fully-fledged and rather complex product. Configure Samba with YaST, or by editing the configuration file manually.

30.1 Terminology

The following are some terms used in Samba documentation and in the YaST module.

Samba uses the SMB (server message block) protocol that is based on the NetBIOS services. Microsoft released the protocol so other software manufacturers could establish connections to a Microsoft domain network. With Samba, the SMB protocol works on top of the TCP/IP protocol, so the TCP/IP protocol must be installed on all clients.

Tip: IBM Z: NetBIOS Support

IBM Z only supports SMB over TCP/IP. NetBIOS support is not available on these systems.

CIFS (common Internet file system) protocol is another protocol supported by Samba. CIFS defines a standard remote file system access protocol for use over the network, enabling groups of users to work together and share documents across the network.

NetBIOS is a software interface (API) designed for communication between machines providing a name service. It enables machines connected to the network to reserve names for themselves. After reservation, these machines can be addressed by name. There is no central process that checks names. Any machine on the network can reserve as many names as it wants as long as the names are not already in use. The NetBIOS interface can be implemented for different network architectures. An implementation that works relatively closely with network hardware is called NetBEUI, but this is often called NetBIOS. Network protocols implemented with NetBIOS are IPX from Novell (NetBIOS via TCP/IP) and TCP/IP.

The NetBIOS names sent via TCP/IP have nothing in common with the names used in /etc/hosts or those defined by DNS. NetBIOS uses its own, completely independent naming convention. However, it is recommended to use names that correspond to DNS host names to make administration easier or use DNS natively. This is the default used by Samba.

The Samba server provides SMB/CIFS services and NetBIOS over IP naming services to clients. For Linux, there are three daemons for the Samba server: smbd for SMB/CIFS services, nmbd for naming services, and winbind for authentication.

The Samba client is a system that uses Samba services from a Samba server over the SMB protocol. Common operating systems, such as Windows and macOS, support the SMB protocol. The TCP/IP protocol must be installed on all computers. Samba provides a client for the different Unix flavors. For Linux, there is a kernel module for SMB that allows the integration of SMB resources on the Linux system level. You do not need to run any daemon for the Samba client.

SMB servers provide resources to the clients by means of shares. Shares are printers and directories with their subdirectories on the server. A share is exported under a name and can be accessed by that name. The share name can be set to any name; it does not need to be the name of the export directory. A printer is also assigned a name. Clients can access the printer by its name.

A domain controller (DC) is a server that handles accounts in a domain. For data replication, additional domain controllers are available in one domain.

30.2 Installing a Samba Server

To install a Samba server, start YaST and select Software › Software Management. Choose View › Patterns and select File Server. Confirm the installation of the required packages to finish the installation process.

30.3 Starting and Stopping Samba

You can start or stop the Samba server automatically (during boot) or manually. Starting and stopping policy is a part of the YaST Samba server configuration described in Section 30.4.1, “Configuring a Samba Server with YaST”.

From a command line, stop the services required for Samba with systemctl stop smb nmb and start them with systemctl start nmb smb. The smb service takes care of winbind if needed.

Tip: winbind

winbind is an independent service, and as such is also offered as an individual samba-winbind package.

30.4 Configuring a Samba Server

A Samba server in SUSE® Linux Enterprise Server can be configured in two different ways: with YaST or manually. Manual configuration offers a higher level of detail, but lacks the convenience of the YaST GUI.

30.4.1 Configuring a Samba Server with YaST

To configure a Samba server, start YaST and select Network Services › Samba Server.

30.4.1.1 Initial Samba Configuration

When starting the module for the first time, the Samba Installation dialog starts, prompting you to make a few basic decisions concerning administration of the server. At the end of the configuration it prompts for the Samba administrator password (Samba Root Password). For later starts, the Samba Configuration dialog appears.

The Samba Installation dialog consists of two steps and optional detailed settings:

Select an existing name from Workgroup or Domain Name or enter a new one and click Next.

Samba Server Type

In the next step, specify whether your server should act as a primary domain controller (PDC), backup domain controller (BDC), or not act as a domain controller. Continue with Next.

If you do not want to proceed with a detailed server configuration, confirm with OK. Then in the final pop-up box, set the Samba root Password.

You can change all settings later in the Samba Configuration dialog with the Start-Up, Shares, Identity, Trusted Domains, and LDAP Settings tabs.

30.4.1.2 Advanced Samba Configuration

During the first start of the Samba server module the Samba Configuration dialog appears directly after the two initial steps described in Section 30.4.1.1, “Initial Samba Configuration”. Use it to adjust your Samba server configuration.

After editing your configuration, click OK to save your settings.

30.4.1.2.1 Starting the Server

In the Start Up tab, configure the start of the Samba server. To start the service every time your system boots, select During Boot. To activate manual start, choose Manually. More information about starting a Samba server is provided in Section 30.3, “Starting and Stopping Samba”.

In this tab, you can also open ports in your firewall. To do so, select Open Port in Firewall. If you have multiple network interfaces, select the network interface for Samba services by clicking Firewall Details, selecting the interfaces, and clicking OK.

30.4.1.2.2 Shares

In the Shares tab, determine the Samba shares to activate. There are some predefined shares, like homes and printers. Use Toggle Status to switch between Active and Inactive. Click Add to add new shares and Delete to delete the selected share.

Allow Users to Share Their Directories enables members of the group in Permitted Group to share directories they own with other users. For example, users for a local scope or DOMAIN\Users for a domain scope. The user also must make sure that the file system permissions allow access. With Maximum Number of Shares, limit the total number of shares that may be created. To permit access to user shares without authentication, enable Allow Guest Access.

30.4.1.2.3 Identity

In the Identity tab, you can determine the domain with which the host is associated (Base Settings) and whether to use an alternative host name in the network (NetBIOS Hostname). It is also possible to use Microsoft Windows Internet Name Service (WINS) for name resolution. In this case, activate Use WINS for Hostname Resolution and decide whether to Retrieve WINS server via DHCP. To set expert global settings or set a user authentication source, for example, LDAP instead of the TDB database, click Advanced Settings.

30.4.1.2.4 Trusted Domains

To enable users from other domains to access your domain, make the appropriate settings in the Trusted Domains tab. To add a new domain, click Add. To remove the selected domain, click Delete.

30.4.1.2.5 LDAP Settings

In the tab LDAP Settings, you can determine the LDAP server to use for authentication. To test the connection to your LDAP server, click Test Connection. To set expert LDAP settings or use default values, click Advanced Settings.

For more information about LDAP configuration, see Chapter 5, LDAP—A Directory Service.

30.4.2 Configuring the Server Manually

If you intend to use Samba as a server, install samba. The main configuration file for Samba is /etc/samba/smb.conf. This file can be divided into two logical parts. The [global] section contains the central and global settings. The following default sections contain the individual file and printer shares:

Using this approach, options of the shares can be set differently or globally in the [global] section, which makes the configuration file easier to understand.

30.4.2.1 The global Section

The following parameters of the [global] section should be modified to match the requirements of your network setup, so other machines can access your Samba server via SMB in a Windows environment.

This line assigns the Samba server to a workgroup. Replace WORKGROUP with an appropriate workgroup of your networking environment. Your Samba server appears under its DNS name unless this name has been assigned to some other machine in the network. If the DNS name is not available, set the server name using netbiosname=MYNAME. For more details about this parameter, see the smb.conf man page.

This parameter determines whether your Samba server tries to become LMB (local master browser) for its workgroup. Choose a very low value such as 2 to spare the existing Windows network from any interruptions caused by a misconfigured Samba server. More information about this topic can be found in the Network Browsing chapter of the Samba 3 Howto; for more information on the Samba 3 Howto, see Section 30.9, “For More Information”.

If no other SMB server is in your network (such as a Windows 2000 server) and you want the Samba server to keep a list of all systems present in the local environment, set the os level to a higher value (for example, 65). Your Samba server is then chosen as LMB for your local network.

When changing this setting, consider carefully how this could affect an existing Windows network environment. First test the changes in an isolated network or at a noncritical time of day.

wins support and wins server

To integrate your Samba server into an existing Windows network with an active WINS server, enable the wins server option and set its value to the IP address of that WINS server.

If your Windows machines are connected to separate subnets and need to still be aware of each other, you have to set up a WINS server. To turn a Samba server into such a WINS server, set the option wins support = Yes. Make sure that only one Samba server of the network has this setting enabled. The options wins server and wins support must never be enabled at the same time in your smb.conf file.

30.4.2.2 Shares

The following examples illustrate how a CD-ROM drive and the user directories (homes) are made available to the SMB clients.

To avoid having the CD-ROM drive accidentally made available, these lines are deactivated with comment marks (semicolons in this case). Remove the semicolons in the first column to share the CD-ROM drive with Samba.

Example 30.1: A CD-ROM Share

The [cdrom] section entry is the name of the share that can be seen by all SMB clients on the network. An additional comment can be added to further describe the share.

path exports the directory /media/cdrom.

By means of a very restrictive default configuration, this kind of share is only made available to the users present on this system. If this share should be made available to everybody, add a line guest ok = yes to the configuration. This setting gives read permissions to anyone on the network. It is recommended to handle this parameter with great care. This applies even more to the use of this parameter in the [global] section.

The [homes] share is of special importance here. If the user has a valid account and password for the Linux file server and his own home directory, he can be connected to it.

Example 30.2: [homes] Share

As long as there is no other share using the share name of the user connecting to the SMB server, a share is dynamically generated using the [homes] share directives. The resulting name of the share is the user name.

%S is replaced with the concrete name of the share when a connection has been successfully established. For a [homes] share, this is always the user name. As a consequence, access rights to a user’s share are restricted exclusively to that user.

This setting makes the share invisible in the network environment.

By default, Samba prohibits write access to any exported share by means of the read only = Yes parameter. To make a share writable, set the value read only = No, which is synonymous with writable = Yes.

create mask = 0640

Systems that are not based on MS Windows NT do not understand the concept of Unix permissions, so they cannot assign permissions when creating a file. The parameter create mask defines the access permissions assigned to newly created files. This only applies to writable shares. In effect, this setting means the owner has read and write permissions and the members of the owner’s primary group have read permissions. valid users = %S prevents read access even if the group has read permissions. For the group to have read or write access, deactivate the line valid users = %S.

Warning: Do not share NFS mounts with Samba

Sharing NFS mounts with Samba may result in data loss and is not supported. Install Samba directly on the file server or consider using alternatives such as iSCSI.

30.4.2.3 Security Levels
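
The cautions in Sections 30.4.2.1 and 30.4.2.2 (wins support enabled together with wins server, guest ok = yes, and a [homes] share without valid users = %S) can be checked mechanically before a configuration goes live. The following Python script is an added example, not part of the SUSE documentation; the sample configuration, the [scans] share, the address 192.0.2.10, and the function names are constructed for illustration.

```python
# Constructed sample configuration, not taken from a real server.
SAMPLE = """\
[global]
    wins support = Yes
    wins server = 192.0.2.10
;[cdrom]
;    path = /media/cdrom
[homes]
    read only = No
    create mask = 0640
[scans]
    Guest OK = yes
"""

def parse_smb_conf(text):
    """Return {section: {param: value}}. Names are lower-cased and parameter
    names lose internal whitespace, so "Guest OK" matches "guest ok"."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank, or deactivated with ; or #
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section]["".join(key.split()).lower()] = value.strip()
    return conf

def enabled(value):
    return (value or "").lower() in {"yes", "true", "1", "on"}

def audit(text):
    """Return findings for the cautions named in 30.4.2.1 and 30.4.2.2."""
    conf, findings = parse_smb_conf(text), []
    glob = conf.get("global", {})
    if enabled(glob.get("winssupport")) and glob.get("winsserver"):
        findings.append("[global] wins support and wins server are both set")
    for name, params in conf.items():
        # "public" is a synonym of "guest ok" in smb.conf
        if enabled(params.get("guestok", params.get("public"))):
            findings.append(f"[{name}] guest ok = yes: read access for anyone")
    homes = conf.get("homes")
    if homes is not None and "%S" not in homes.get("validusers", ""):
        mask = int(homes.get("createmask", "0744"), 8)  # 0744: smb.conf default
        findings.append(f"[homes] valid users lacks %S; create mask {mask:04o}")
    return findings

print("\n".join(audit(SAMPLE)))
```

A finding in [global] for guest ok deserves the most attention, because the setting then applies to every share that does not override it.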

To improve security, each share access can be protected with a password. SMB offers the following ways of checking permissions:

This variant introduces the concept of the user to SMB. Each user must register with the server with his or her own password. After registration, the server can grant access to individual exported shares dependent on user names.

ADS Level Security (security = ADS)

In this mode, Samba will act as a domain member in an Active Directory environment. To operate in this mode, the machine running Samba needs Kerberos installed and configured. You must join the machine using Samba to the ADS realm. This can be done using the YaST Windows Domain Membership module.

Domain Level Security (security = domain)

This mode will only work correctly if the machine has been joined into a Windows NT Domain. Samba will try to validate the user name and password by passing them to a Windows NT Primary or Backup Domain Controller, the same way as a Windows NT Server would do. It expects the encrypted passwords parameter to be set to yes.

The selection of share, user, server, or domain level security applies to the entire server. It is not possible to offer individual shares of a server configuration with share level security and others with user level security. However, you can run a separate Samba server for each configured IP address on a system.

More information about this subject can be found in the Samba 3 HOWTO. For multiple servers on one system, pay attention to the options interfaces and bind interfaces only.