28.02.2021

Setting up samba with user support. Quick and easy samba setup


Sometimes you need to set up a file share on a server very quickly and open access to it. In this case there is no need to build complex configurations, access rights or anything else. You just need quick access to the information, no questions asked.

For example, I recently needed something like this to open access to the backups that were stored on the server. I didn't want to dig in and look for the information myself; I needed to quickly give a person read access so that he could find everything he needed himself.

I will deliberately not tie this to operating system versions. Samba's configs are the same almost everywhere I have had to work with them, especially in the simplest configurations.

So, install Samba in whatever way suits your operating system. The configurations are valid for Samba version 3. Then decide what you need:

  • access by user and password,
  • access by ip address,
  • access to everyone without restrictions.

Depending on this, the settings will be slightly different.

For password access, write a config like this:

[global]
security = user
passdb backend = tdbsam
workgroup = MYGROUP
server string = Samba

[share]
path = /mnt/shara
valid users = @users
force group = users
create mask = 0660
directory mask = 0771
writable = yes
browseable = yes

Add a system user that belongs to the users group:

# useradd share-user -M -G users -s /sbin/nologin

Import this user into Samba and set the password:

# smbpasswd -a share-user

And try to open the share at:

\\server ip\share

To organize access depending on IP address, make the following settings in smb.conf:

[global]
security = share
workgroup = MYGROUP
server string = Samba
map to guest = bad user

[share]
path = /mnt/files
browsable = yes
writable = yes
guest ok = yes
read only = no
hosts allow = 192.168.0.171

In this case, full access is granted to the address 192.168.0.171. To add an entire subnet, specify the following:

hosts allow = 192.168.0.

You can combine different subnets and addresses, separating them with spaces. To deny access to specific addresses within an allowed subnet, you can do it like this:

hosts allow = 192.168.0. except 192.168.0.15

Access will be allowed to the entire 192.168.0.0/24 subnet, except for the 192.168.0.15 address.

Restart Samba and check.

If you have Samba 4 installed, this configuration will not work and you will receive an error:

WARNING: Ignoring invalid value "share" for parameter "security"

For IP access to work properly, you need to make the following changes to the above config:

security = user
map to guest = Bad Password

Leave the rest of the parameters the same. After that, IP access will work on Samba version 4.

If access is to be provided to everyone without restrictions, the simplest Samba configuration will be as follows:

[global]
security = user
workgroup = MYGROUP
server string = Samba
guest account = nobody
map to guest = Bad User

[share]
path = /mnt/files
browseable = Yes
guest ok = Yes
writeable = Yes
public = yes

Do not forget to give everyone rights on the folder:

# chmod 0777 /mnt/files

Restart Samba and try to connect. You should be let in without any questions.
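The three access modes above differ only in a handful of parameters, so it is useful to see what a given client address can actually write to as a guest. The following Python code is an added example, not part of the original article: it reads an smb.conf, flags the two [global] settings that behave differently on Samba 4, and evaluates hosts allow for a client. The host matching is a simplified model covering only the forms shown here, and the files section name and sample addresses are constructed.

```python
import configparser
import ipaddress

# Constructed sample: the address-restricted share and the open share from the
# text, combined in one file. The section name "files" is hypothetical.
SAMPLE_CONF = """\
[global]
security = share
workgroup = MYGROUP
map to guest = Bad Password

[share]
path = /mnt/files
guest ok = yes
writable = yes
hosts allow = 192.168.0. except 192.168.0.15

[files]
path = /mnt/files
public = yes
writeable = Yes
"""

# Alternative spellings that appear in the text, folded to a single key.
SYNONYMS = {"public": "guestok", "writeable": "writable",
            "browsable": "browseable", "allowhosts": "hostsallow"}

def _key(name):
    """Parameter names ignore case and inner spaces ('Guest OK' == 'guestok')."""
    folded = name.lower().replace(" ", "")
    return SYNONYMS.get(folded, folded)

def parse_smb_conf(text):
    """Return {section: {parameter: value}} with normalised parameter names."""
    parser = configparser.RawConfigParser(delimiters=("=",), strict=False)
    parser.optionxform = _key
    parser.read_string(text)
    return {name.lower(): dict(parser.items(name)) for name in parser.sections()}

def _yes(value):
    return value.strip().lower() in ("yes", "true", "1")

def _token_matches(token, addr):
    if "/" in token:            # address/mask form
        return ipaddress.ip_address(addr) in ipaddress.ip_network(token, strict=False)
    if token.endswith("."):     # "192.168.0." matches as a textual prefix
        return addr.startswith(token)
    return token == addr        # single address

def host_allowed(value, addr):
    """Evaluate a hosts allow value for one client IPv4 address.
    Simplified model: addresses, trailing-dot prefixes, address/mask and one
    'except' list. Host names and hosts deny are not handled."""
    if not value.strip():
        return True             # no hosts allow: every address passes
    tokens = value.replace(",", " ").split()
    lowered = [t.lower() for t in tokens]
    cut = lowered.index("except") if "except" in lowered else len(tokens)
    if not any(_token_matches(t, addr) for t in tokens[:cut]):
        return False
    return not any(_token_matches(t, addr) for t in tokens[cut + 1:])

def audit_globals(conf):
    """Flag the [global] settings the text changes between Samba 3 and 4."""
    glob = conf.get("global", {})
    findings = []
    if glob.get("security", "").strip().lower() == "share":
        findings.append("security = share: rejected as an invalid value by Samba 4")
    if glob.get("maptoguest", "").lower().replace(" ", "") == "badpassword":
        findings.append("map to guest = bad password: a wrong password for an "
                        "existing account is logged in as guest")
    return findings

def guest_writable_shares(conf, addr):
    """Shares the client at addr can write to without credentials."""
    # Assumption: guest logins are mapped (map to guest is not 'never').
    glob = conf.get("global", {})
    shares = []
    for name, opts in conf.items():
        if name == "global":
            continue
        writable = (_yes(opts.get("writable", "no"))
                    or opts.get("readonly", "yes").strip().lower() in ("no", "false", "0"))
        acl = opts.get("hostsallow", glob.get("hostsallow", ""))
        if _yes(opts.get("guestok", "no")) and writable and host_allowed(acl, addr):
            shares.append(name)
    return shares

if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_CONF)
    for finding in audit_globals(conf):
        print("global:", finding)
    for client in ("192.168.0.171", "192.168.0.15", "10.1.2.3"):
        print(client, "->", guest_writable_shares(conf, client))
```

Samba's own testparm utility remains the authoritative check of a real configuration file.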

This is how you can organize a simple file server using Samba in just 5 minutes. Often nothing more complex is needed. For a simple file dump, the very last option is suitable.


Samba is software for organizing file exchange and working with shared resources between computers running Linux / Unix and Windows operating system. Samba consists of a client-side and a server-side. The client side allows you to access network folders and Windows resources, and the server side, in turn, opens shared access to the Ubuntu folder for other machines, including Windows.

This short tutorial will walk you through the simplest setup of Samba Ubuntu 18.04, as well as how to set up shared access to the Ubuntu folder with multiple privilege levels.

We will create three shared folders with different permission levels. A folder with anonymous access, with access for users belonging to a specific group and access only for a specific user.

Both Linux and Windows machines will be able to access shared folders in Ubuntu, using any program that works over the SMB protocol.

For everything to work properly, all machines must be in the same workgroup specified on the Samba server. By default, for Windows, Linux and MacOS, the workgroup is named Workgroup. To find out which workgroup is used in your Windows, open a command prompt (Win + R, then cmd) and run the following command:

net config workstation

We see the parameter we need in the line Workstation domain. This is the workgroup.

Now, if a computer with a Samba server in your network has a permanent IP address, it is advisable to enter it in the hosts file. To do this, run Command Prompt as administrator and run the command:

notepad C:\Windows\System32\drivers\etc\hosts

In the file that opens, add a line with the IP address of the computer on which Samba will be installed:

192.168.0.1 srvr1.domain.com srvr1

Now you can move on to the question of how to share the Ubuntu folder.

Samba setup on Ubuntu 16.04

Let's start as usual with the installation. Installing Samba Ubuntu along with all the necessary components is done with the command:

sudo apt-get install -y samba samba-common python-glade2 system-config-samba

When everything is installed, you can proceed to the configuration. First, back up the original Samba configuration file:

sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.bak

After creating a backup, create your configuration file with this command:

sudo vi /etc/samba/smb.conf

First, let's specify the global file server settings. To do this, insert the following lines into the file:

[global]
workgroup = WORKGROUP
server string = %h server (Samba, Ubuntu)
netbios name = Ubuntu Share
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
passdb backend = tdbsam
unix password sync = yes
passwd program = /usr/bin/passwd %u
pam password change = yes
map to guest = bad user
usershare allow guests = yes

Let's take a closer look at what these lines mean.

  • workgroup - the workgroup; as already mentioned, it should be the same on all machines;
  • netbios name - the name of the computer that will be displayed in Windows;
  • log file - the path of the file where error messages and other information will be stored;
  • security - by default, perform user-level authentication;
  • name resolve order - the order in which NetBIOS names are resolved to IP addresses. bcast means sending a broadcast request to the local network. If all the computers that need to interact are on the same network, this option is optimal;
  • passdb backend - the way user passwords are stored;
  • unix password sync - synchronization of Samba user passwords with local Unix passwords;
  • map to guest - indicates when the user will be granted guest access. There are three values available: never - never, bad user - when no such user exists, bad password - when the password is entered incorrectly.

When you've finished creating the configuration file, let's move on to the question of how to share the Ubuntu folder for Windows.

Share Ubuntu folder

First, let's create a shared folder available to everyone, that is, with anonymous access and without Samba authorization.

Create a folder to which we will open access, for example:

sudo mkdir -p /samba/allaccess

After the folder is created, you need to set the correct access rights for it. The following commands allow everyone to access the folder and make the owner nobody:

cd /samba
sudo chmod -R 0755 allaccess
sudo chown -R nobody:nogroup allaccess/

The next step is to describe the allaccess folder in the Samba configuration file:

[allaccess]
path = /samba/allaccess
browsable = yes
writable = yes
guest ok = yes
read only = no

Your config file should now look like this:

[global]
workgroup = WORKGROUP
server string = %h server (Samba, Ubuntu)
netbios name = Ubuntu Share
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
passdb backend = tdbsam
unix password sync = yes
passwd program = /usr/bin/passwd %u
pam password change = yes
map to guest = bad user
usershare allow guests = yes
#==============
[allaccess]
path = /samba/allaccess
browsable = yes
writable = yes
guest ok = yes
read only = no

Let's take a closer look at the options that were used here:

  • path - the path to the folder you want to share;
  • browsable - whether the folder will be displayed in the list of available shares;
  • writable - whether the folder will be available for writing;
  • read only - the folder is read-only;
  • guest ok, public - whether guest access will be allowed;
  • only guest - if set to yes, then the folder will be available only to guests;
  • hosts allow - IP addresses from which you can get access to this server;
  • valid users - by default, all users can log in; if a list of users is passed in this parameter, then only they can log in;
  • create mask - mask of rights for created files.

Restart the Samba server to apply the changes:

sudo systemctl restart samba

Samba setup on Ubuntu 16.04 for anonymous access is now complete. You can now check the availability of the allaccess shared folder from Windows; to do this, press Win + R and run:

\\srvr1\allaccess

You will see our folder. If you don't see it, check the configuration again. The folder can be accessed without Samba authorization. Setting up Samba shares with access without authorization is now complete.

You can also connect to this server from Linux using Nautilus; to do this, just type the address smb://server ip under Other Locations.

Protected Sharing Ubuntu Folder

To share an Ubuntu folder with Windows so that only users from a specific group have access to it, create a separate folder and describe it in the Samba configuration file in Ubuntu.

First, create a folder:

sudo mkdir -p /samba/allaccess/secured

Create a group:

sudo addgroup securedgroup

Set up the rights:

cd /samba/allaccess
sudo chown -R richard:securedgroup secured
sudo chmod -R 0770 secured/

The last step is to add the settings to the Samba config file:

sudo vi /etc/samba/smb.conf

# section name assumed here, taken from the folder name
[secured]
path = /samba/allaccess/secured
valid users = @securedgroup
guest ok = no
writable = yes
browsable = yes

Restart the Samba server. Now only users of the securedgroup group can access the shared folder in Ubuntu.

To check how it works, let's add the user richard to our group:

sudo usermod -a -G securedgroup richard

For a user to be able to work with shared folders in Ubuntu, he must be in the Samba database. Therefore, we will create a Samba password for it.

Or maybe just interest and curiosity push users to search for different suitable software. This software includes Samba. You need to know how to set up Samba on Ubuntu Server if you want to make a database or file storage out of your computer.

Installing Samba on Ubuntu Server allows you to create a database.

If you thought the page was about learning dance, you are slightly mistaken. Samba is free software. It implements access to printers and files. And it does it on various operating systems.

What is it for?

In comparison with other software packages of a similar purpose, Samba has several advantages and features.

  • Allows you to connect Unix-like systems, that is, any Linux system, with Windows. And not only Windows. The program is very "omnivorous": MacOS, Solaris and other operating systems of varying degrees of popularity.
  • Samba enables Windows users to use Ubuntu computers as a server. That is, use the files to which access is established, as well as some of the connected devices.
  • Supports the domain structure of NT Domain, manages NT users, supports the functions of the principal, the primary controller.

Probably, for many, the main thing is communication with Windows machines. In this case, they act as a client, and the computer on Ubuntu acts as a server. On the other hand, an Ubuntu user can also access Windows network folders.

Samba has been around since 1992. And, most importantly, new versions are still being released. The latest was released on March 7, 2017. Every year, developers try to establish compatibility with a large number of different versions of operating systems, but the main feature remains the connection of Linux systems with Microsoft. Compared to Windows Server, Samba may be inferior to it due to the lack of support for some of the protocols and host infrastructure. However, many argue that Samba's speed is much higher.

Configuring Samba

Before configuring it, the program must be installed. Installing Samba is done in the same way as with other programs, by entering the command in the terminal:

sudo apt-get install samba

Immediately, note: all the actions that will be described, including installing the program, can be performed both on a simple Ubuntu and on an Ubuntu Server. Only on the latter is an exclusively text-based interface available.

After installation, you should make a backup of the configuration file:

$ sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.bak

Then create a new configuration file:

$ sudo vi /etc/samba/smb.conf

Or edit the existing one. This file contains the basic settings for the Samba server. To figure out what we will do next, you need to understand what the different lines mean.

  • Workgroup is a workgroup. The value of this parameter will also often be Workgroup, because in Windows the default workgroup domain looks like this.
  • Netbios name is the name of the Ubuntu computer as seen by Windows users. Here you can enter a value at your discretion.
  • Security - user authorization mode. The default is User, that is, user-level authentication. It's best to leave it that way for now.
  • Os level - indicates the priority that Samba has over other clients (PCs) on the local or Internet network.
  • Name resolve order - the order of resolving IP addresses by NetBIOS name.
  • Read only - the privilege to read or write the directory. The value can be "yes" - read only, "no" - write.

Create a user

This is the simplest action with which you can start working with Samba.

Add a user to the OS itself:

$ useradd -M -l -s /sbin/nologin username

Create a password for it:

Let's add our user to the Samba database:

$ smbpasswd -a username

Various other actions can be performed with the smbpasswd command:

  • $ smbpasswd username - change password
  • $ smbpasswd -x username - delete user
  • $ smbpasswd -d username - disable user

The server must be restarted if you make changes to the configuration file. This is done using the command:

$ systemctl restart smb

These are the basic Samba settings. Now you can try to apply the program in practice.

Folder access

First, let's try to create a folder that will be accessible to all users, even those who are not logged into Samba.

We create a folder with which we will then work on two computers:

$ sudo mkdir -p /samba/access

Now we open up access to this folder so that any client of our local network can open it:

$ cd /samba
$ sudo chmod -R 0755 access
$ sudo chown -R nobody:nogroup access/

The owner according to the code is nobody.

Now, in the server configuration file, you need to make two sections. The first one contains the basic information:

[global]
workgroup = WORKGROUP
server string = Samba Server %v
netbios name = srvr1
security = user
map to guest = bad user
name resolve order = bcast host
dns proxy = no
#==============

And the second contains information about the access folder:

# section name assumed here, taken from the folder name
[access]
path = /samba/access
browsable = yes
writable = yes
guest ok = yes
read only = no

Sections follow one after another in the same order.

Updating server changes:

$ sudo service smbd restart

Actions with a computer on Windows

On Windows, you also need to perform some actions so that you can easily open a new shared folder and edit it.

  1. Open the command line. It is advisable to do this with extended rights, that is, as an administrator.
  2. Run the command:
     notepad C:\Windows\System32\drivers\etc\hosts
  3. A file opens, in which we enter the following line:
     192.168.0.1 srvr1.domain.com srvr1
     Thanks to it, the folder will become available.
  4. You can open it using the "Run" dialog. Press Win + R and enter the address of the share. After that, the folder will open.

Closed folder

The configured Samba server can also be used to create network folders with limited access. You also need to create such a folder first and then add it to the Samba configuration.

Make a folder called "Closed":

$ sudo mkdir -p /samba/access/closed

We make a special group that can have access to this folder:

$ sudo addgroup securedgroup

We create special rights for different groups:

$ cd /samba/access
$ sudo chown -R richard:securedgroup closed
$ sudo chmod -R 0770 closed/

Just as in the case of an open folder, add information to the configuration:

# section name assumed here, taken from the folder name
[closed]
path = /samba/access/closed
valid users = @securedgroup
guest ok = no
writable = yes
browsable = yes
We restart the server.

As you can imagine, we made a Closed folder inside Access. Thus, Access can be opened by every user of the local network, but in order to view and edit Closed, you need to have special rights.

To make sure everything works exactly as we specified in the configuration file, there are a few simple steps you can take.

We create a user and add it to our closed group:

$ sudo usermod -a -G securedgroup winston

Our user name is like a pack of cigarettes (or British Prime Minister).

We make a password for Winston:

$ sudo smbpasswd -a winston

After that, we will be prompted to enter a new password in order to log in again under the newly created account. Do not forget to reboot after this. Now you know how to set up a server via Samba in Ubuntu.

Of course, Samba's capabilities are not limited to the creation of simple folders. But these simple instructions and examples show you what you can do with this program. This will be the first step towards understanding what server PCs are and how they control them.

Linux is a great operating system, but we're not going to get away from Windows, and neither is it from us. Windows will always surround us, whether it is a home network, a corporate network or an Internet cafe. We constantly have to exchange documents with Windows computers; after all, not all users prefer to work in Linux. If you have a Linux server at your disposal, you will in any case need to interact with Windows computers, so we will talk about connecting Linux to the Microsoft network.

Installing Samba

To install Samba, we need to install the samba and samba-client packages. It is also advisable to install the smbfs package. In addition, the system will update the samba-common package, which may already be installed on the system. All my manipulations will be carried out on Ubuntu 10.04; the main difference from other distributions is the installation method. For Ubuntu through the console, it is done this way:

$ sudo apt-get install samba

Or using the Synaptic package manager, which I did, this option turned out to be more convenient for me, since I could select from the list those packages that I needed, these were:

    samba

    smbclient

    samba-common

If you've used a different Linux distribution in the past, you're probably familiar with the LinNeighborhood program. It is a graphical program that allows you to view Windows network resources. There is no need for it in Ubuntu. First, the standard GNOME tools allow you to browse Windows networks. And secondly, for the sake of interest, the LinNeighborhood program was installed from one of the Ubuntu repositories. It turned out that this program, found by Synaptic, is not usable at all (localization issues). Well, okay, it makes sense to figure it out if there are excellent standard tools that already work.

Basic Samba setup

At this stage, we will assume that Samba is installed. The main Samba configuration file is /etc/samba/smb.conf. You need to open it and change several parameters. The first one is workgroup, which sets the name (of your choice) of the NT workgroup or domain:

workgroup = MyHomeGroup

You can also set the comment parameter, a description of your computer:

comment = My Linux computer

Set the security parameter. If the network is client/server, then you need to select the server value, and if it is a peer-to-peer network (i.e. a network without a dedicated server), then you need to select user or share:

security = share

Set the name of the guest account like this:

guest account = guest

You also need to configure encodings:

client code page = 866
character set = utf8

To make Samba run faster, set the following options:

socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no

The interfaces parameter specifies the interfaces on which the Samba service should run. It is necessary to specify the interfaces that connect our machine to Windows networks:

interfaces = 192.168.0.22/24

Configuring Shares

Now it remains to configure the resources that we want to provide for general use; this is the [public] section.

[public]
# shared directory
comment = Public Directory
# path
path = /var/samba
# not read-only
read only = no
# allow writing
writable = yes
# allow guest access
guest ok = yes
# allow viewing directory contents
browseable = yes

In this case, the /var/samba directory will be a shared resource on our computer (you need to create it, since there is no such directory on the system by default). Other users will be able to write their files to it (read only = no, writable = yes) and, of course, to read them (browseable = yes). No username and password are checked for access to the resource (guest ok = yes); so-called guest access is used. The comment "Public Directory" will be seen by other users of the Windows network when viewing the resources of our computer.

If there is a need to provide general access ("share") to the users' home directories, then go to the [homes] section and uncomment the lines in it that are commented out with a semicolon. That is, you should get the following:

[homes]
comment = Home Directories
browseable = no
valid users = %S
writable = no
create mask = 0600
directory mask = 0700

For now, user directories will not be visible in the list of shared resources; you can reach them at \\server\username, for example \\server\petya. If you want the user resources to be browseable, then set the browseable parameter to yes:

browseable = yes

After all the changes, save the configuration file and start (or restart) Samba:

$ sudo /etc/init.d/samba start

Viewing Windows Network Resources

You can view the resources of the Windows network using the smbclient program, but it works in text mode, so it is not very convenient to use. It is much more convenient to use a file browser to browse network resources. This can be done using the menu Places | Connect to Server...

Samba Optimization Secrets

Now let's talk about how to make Samba run a little faster. If you open the smb.conf configuration file, you will find the wide links parameter in it. Never set it to no! This will significantly reduce the performance of Samba. On the contrary, you need to set it to yes (if the wide links parameter was disabled before), which will significantly increase performance.

The wide links parameter determines how Samba follows symbolic links. If wide links = no, then Samba will not follow symbolic links outside the exported area. Samba first follows a symbolic link and then executes a so-called directory path lookup (a system call that determines where the link ended). This operation implies 6 more system calls than if wide links = yes. Considering that there are a lot of such operations being done, disabling wide links decreases Samba performance by about 30%.

Configuring the Samba file server is relatively simple; for the service to work correctly, you need to configure only one file, smb.conf. This file defines which system resources the outside world is allowed to access, and what restrictions exist on the use of these resources.

The configuration file is in text format and is divided into sections. Each section starts with a section heading such as [global], [homes], etc. All section names in the smb.conf file are enclosed in square brackets.
The [global] section defines the variables that Samba will use to determine access to all resources. All other sections each describe a separate server resource.
The dedicated [homes] section allows remote users to access their home directories. So if Windows users try to connect to this share from their Windows machines, they will be connected to their personal home directories.
Individual records in sections are specified in the form name = value.
The following is a description of all the variables whose values can be set in the configuration file.

Variable substitution

Before describing the smb.conf file, this section describes the use of variable substitution. It can be used on many lines in the smb.conf file. Samba performs substitutions before processing the command.
Below is a list of all possible substitution variables:
- %S The name of the current service,
- %P Root directory of the current service,
- %u User of the current service,
- %g Primary group of %u,
- %U Username for the session (may be different from the name requested by the client),
- %G Primary group of %U,
- %H User's home directory,
- %v Samba version,
- %h Name of the host that Samba is running on,
- %m NetBIOS name of the client computer,
- %L NetBIOS server name. This variable can be useful if you run multiple NetBIOS servers on the same Samba server;
- %M Hostname for the client computer;
- %R Protocol level selected after connection establishment;
- %d Number of the current server process;
- %a Client operating system (value may not be correct). Currently, systems such as Samba, Windows for Workgroups, Windows NT, and Windows 95 are recognized. If the system is unknown to Samba, the value is UNKNOWN.
- %I IP address of the client machine;
- %T Current date and time.

Base options
The main parameters on the advanced settings page determine how the Samba server looks from the client side and in which workgroups and networks it is available. All major parameters are discussed below.

Workgroup parameter

The default is workgroup. This parameter determines which workgroup the server will be in. Upon receiving a request from a client, the Samba server will report that it belongs to the workgroup specified by this parameter.
This parameter is also used to set the domain name (the security parameter is set to domain) if the Samba server must connect to an NT domain or Samba itself is used as a domain controller.
The following example sets the bee-hive workgroup:

workgroup = bee-hive

NetBIOS name parameter

By default, Samba uses the computer's DNS name as the NetBIOS name of the server. If you are not using DNS this field will be blank.
This parameter sets the NetBIOS name of the Samba server. By default, it is the same as the first component of the DNS hostname.
The following example sets the NetBIOS name sugar:

netbios name = sugar

NetBIOS aliases parameter

The default is an empty string (no aliases).
The parameter is intended to create a group of NetBIOS names that nmbd will advertise as additional names for which the Samba server can provide services. However, even if the computer is running as a browser server or logon server, these names are not advertised as the names of the view server or authorization server; only the main NetBIOS name of the system will be the name of the view server or authorization server.
The following example creates the NetBIOS aliases sweetie and honey:

netbios aliases = sweetie honey

After you set this parameter, the server will respond not only to its main name (sugar), but also to the names sweetie and honey.

Server string parameter

By default, the server description line is the Samba version number (the corresponding value in the smb.conf file is Samba %v). Another substitution variable that is convenient to use in the server description line is %h (it specifies the name of the host on which the server is running). The parameter determines which text string will appear on clients as a comment to the server when browsing the network, as well as when executing the net view command. Any string can be used as a value.
The following example sets the sugar server description string to Sugar - The Bee-Hive Workgroup:

server string = SuSe Samba Server

The interfaces parameter

This parameter allows you to specify multiple network interfaces so that the Samba server can properly use the browsing service. The parameter value is a list of IP address/subnet mask pairs. The subnet mask can be specified in one of two forms: as a bit mask or as a prefix length.
For example, the following line:

interfaces = 192.168.100.240/255.255.255.0 192.168.200.250/255.255.255.0

specifies two network interfaces with IP addresses 192.168.100.240 and 192.168.200.250. The subnet masks for these interfaces are the same and are set to 255.255.255.0.
The same effect can be achieved with the line:

interfaces = 192.168.99.24/24 192.168.200.250/24

The interfaces parameter allows you to use both formats.
If this parameter is not specified, then Samba tries to find the primary interface, but will not use additional interfaces. If your computer does not have several network cards installed, then leave this parameter empty; Samba will find your network card and will automatically detect the IP address and subnet mask.
If you have two or more NICs, also read the description of the bind interfaces only parameter below.

Bind interfaces only parameter

This global parameter allows you to restrict the list of computer network interfaces for which SMB requests will be processed. The smbd file service and the nmbd naming service use the value of this parameter slightly differently.
The nmbd service uses ports 137 and 138 of the network interfaces specified in the interfaces parameter, as well as ports 137 and 138 for address 0.0.0.0 in order to receive broadcast messages. If bind interfaces only is not set, then nmbd handles all requests to the naming service on these sockets. If the parameter is set to yes, then the sender address is checked for packets received on the broadcast socket, and the request is processed only if this address is in one of the subnets specified by the interfaces parameter; in addition, processing of packets arriving through interfaces not specified in the interfaces parameter is not performed. However, this is not a security method. IP spoofing is a well-known method to bypass this simple check.
For the smbd service, if the bind interfaces only parameter is set to yes, only requests from the interfaces specified in the interfaces parameter will be processed. This limits the list of networks for which SMB requests are processed. You must also add 127.0.0.1 to the address list in the interfaces parameter. The IP address 127.0.0.1, also called local address, is the default address for testing and other functions for all Ethernet cards. If you do not include this address in the interfaces parameter, the local means of interacting with the service may behave in unpredictable ways.
Parameter default value:

Bind interfaces only = No

To set a parameter, change this line to the following:

Bind interfaces only = Yes

These parameters determine how the smbd service responds to client requests. All of the options below help you protect your system and hide the differences between Windows and UNIX. We have already discussed one of them in the previous section: the workgroup parameter, which can also be counted among the security parameters when the NT domain security policy is used.

Security parameter

The default value is security = user, as it is most commonly used when interacting with Windows 95/98 and Windows NT. If the usernames on your client machines are the same as those on the UNIX server, then you should use security = user. However, in this case, it is more difficult to create shared disks for public access. Regardless of which option you choose for your network, the interaction between the client and the server follows the scheme described below. The server follows this procedure to determine whether it will allow a connection to the shared resource. If all steps fail, the connection is refused. If one of the steps succeeds, the remaining steps are skipped:
1) if the client has passed a name / password pair and the security system of the UNIX system has confirmed that it is correct, then the connection is made under the given username. This option includes the NT method of passing the username along with the share name: \\sugar\sharel edwardb;
2) if the client specified a username when establishing a previous connection and this time passed the correct password for this name, then the connection is allowed;
3) the client's NetBIOS name and all previously used usernames are compared with the transmitted password. If the password matches one of the names, the connection is allowed;
4) if the client previously transmitted the username / password pair, and it was recognized by the server as correct, then the connection for this username is allowed. If the revalidate parameter is set to yes, then this step is skipped;
5) if a list of users is specified in the smb.conf file, using the user parameter, for the shared resource the client is trying to connect to, and the client has passed the correct password for one of those users, then the connection for this user is allowed;
6) if the shared resource is a resource for public access, then a connection is made under the username specified for this resource using the guest account parameter, regardless of the password passed.
The security parameter has four available values:

Security = user (user-level security);
security = share (resource-level security);
security = server (server-level security);
security = domain (domain-level security).

The default is security = user. User-level security requires the client to connect to the shared resources using the correct username and password (the mapping of client names to UNIX system usernames can be specified using the username map parameter). This security mode can also use encrypted passwords (see the encrypt passwords parameter). If parameters such as user and guest only are set, then they are applied and can change the name of the user with whose rights the connection is established, but this happens only after successful user authentication. The reason is that the name of the resource being requested is sent to the server only after the client has successfully authenticated. That is why publicly available resources will not work when using user-level security without automatically mapping users unknown to the server to the guest account (see the map to guest parameter, Security options, 6).
The security = share mode does not require clients to connect to the server using a username and password before attempting to connect to the shared resource. Windows 95/98 and Windows NT clients, when connecting to a server that uses resource-level security, will still send an authentication request with a username but no password. Passwords are sent by clients for each resource separately, at the moment they try to connect to it. The smbd service always performs client requests on behalf of an existing UNIX user, even when using resource-level security. The smbd daemon uses several methods to determine which user it should run a given request as. First, a list of possible users is built, then the password is checked against it:
- If the guest only parameter is set, then all other stages are skipped and only the name of the guest account is checked.
- If, when requesting to connect to a shared resource, the client passed a username, this username (after being mapped to local names, see the username map parameter) is added to the list.
- If the client has connected to the server before, then the name it used during the previous connection is added to the list. The name of the resource the client is requesting to connect to is also added to the list as a username. The client's NetBIOS name is also added to the list.
- If the guest only parameter is not set, then the password specified by the client is checked against all names from the list. The first user from the list for which this password matches will be the UNIX user on whose behalf smbd runs.
- If the guest only parameter is set or no username matching the password is found, then a check is made to see if the requested resource is publicly available.
- If the resource is publicly available, then smbd runs on behalf of the guest user, otherwise the connection will be refused.
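The user-resolution procedure for security = share described above, written out as a small model. This is an added example, not Samba's own code: the class and function names, the plaintext password table, the client-to-UNIX `username_map` dictionary and the lower-casing of names are assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample accounts; a real server compares password hashes.
UNIX_PASSWORDS = {"edwardb": "correct horse", "backups": "tape-2021"}


@dataclass
class Share:
    name: str
    guest_ok: bool = False         # resource is publicly available
    guest_only: bool = False       # "guest only" parameter
    guest_account: str = "nobody"  # "guest account" parameter


@dataclass
class TreeConnect:
    share: Share
    password: str
    username: Optional[str] = None           # sent with this request, if any
    previous_username: Optional[str] = None  # used on an earlier connection
    netbios_name: Optional[str] = None       # client's NetBIOS name


def candidate_users(req: TreeConnect,
                    username_map: Dict[str, str]) -> List[Tuple[str, str]]:
    """Build the ordered (unix_name, origin) list described in the text."""
    if req.share.guest_only:
        return []  # all other stages are skipped
    names = []
    if req.username:
        mapped = username_map.get(req.username.lower(), req.username)
        names.append((mapped, "request username"))
    if req.previous_username:
        names.append((req.previous_username, "previous connection"))
    names.append((req.share.name, "share name"))
    if req.netbios_name:
        names.append((req.netbios_name, "NetBIOS name"))
    return [(name.lower(), origin) for name, origin in names]


def resolve_unix_user(req: TreeConnect,
                      unix_passwords: Dict[str, str],
                      username_map: Optional[Dict[str, str]] = None
                      ) -> Tuple[Optional[str], str]:
    """Return (unix_user, how_it_was_chosen); unix_user is None on refusal."""
    for name, origin in candidate_users(req, username_map or {}):
        stored = unix_passwords.get(name)
        if stored is not None and hmac.compare_digest(
                stored.encode(), req.password.encode()):
            return name, origin  # first name whose password matches wins
    if req.share.guest_ok:
        return req.share.guest_account, "guest"
    return None, "refused"


if __name__ == "__main__":
    requests = [
        TreeConnect(Share("backups"), "tape-2021", netbios_name="WS01"),
        TreeConnect(Share("backups"), "wrong", username="edwardb"),
        TreeConnect(Share("public", guest_ok=True), "wrong", username="edwardb"),
    ]
    for r in requests:
        print(r.share.name, "->", resolve_unix_user(r, UNIX_PASSWORDS))
```

In the first request no username is sent at all: the share name alone puts the backups account on the candidate list, which is worth keeping in mind when naming shares after existing UNIX accounts.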
In security = server mode, Samba tries to check the correctness of the password for the given username by passing them on to another SMB server (possibly an NT system). If the check fails, then Samba switches to using user-level security (security = user).
From the client's point of view, security = server is no different from security = user. The only difference is how the server authenticates. Remember that the name of the resource requested by the client is not sent to the server until the user is successfully authenticated. This is why publicly accessible resources will not work with server-level security, unless you allow the server to automatically map unknown users to the guest account (see the map to guest parameter).
The security = domain mode only works correctly if the Samba server was added to the Windows NT domain using the smbclient program. This mode is expected to be used with encrypted passwords enabled (see encrypt passwords). In this mode, Samba tries to validate the password by passing it to the primary or secondary domain controller, just like Windows NT does. From the client's point of view, security = domain is no different from security = user. As in the case of security = server, the name of the requested resource is not sent to the server until the authentication is successful. This is why publicly accessible resources will not work under domain-level security unless you allow the server to automatically map unknown users to the guest account (see the map to guest parameter).
The default is:

Security = USER

To set up domain-level security use:

Security = DOMAIN

Encrypt passwords parameter

This parameter specifies whether encrypted passwords should be used when communicating with the client. Windows NT 4.0 SP3 and later, and Windows 95/98 by default (unless you make special changes to the registry), expect encrypted passwords to be used. Unless you have legacy applications that only run on Windows for Workgroups or DOS clients, set encrypt passwords = yes. (Do you really want to edit the registry on every client?)
Default value:

Encrypt passwords = No

To enable encrypted passwords, change this line to:

Encrypt passwords = Yes

Update encrypted parameter

This parameter is intended for those administrators and users who are migrating from older versions of Samba or Windows. It allows you to make a gradual transition to using encrypted passwords - without the need for each user to re-set their password using the smbpasswd program at the time of transition. If all users already have an encrypted representation of their password in the smbpasswd file, this parameter should be set to No. For Samba to work properly, when the smooth transition to encrypted passwords is enabled (Update encrypted = yes), the encrypt passwords parameter must be set to yes.
Default value:

Update encrypted = No

To enable smooth transition to encrypted passwords, change this line to:

Update encrypted = Yes

Map to guest parameter

This parameter is very important when using security at the user, server, or domain level. The fact is that in these modes the name of the requested resource will not be transmitted to the server until the user has successfully authenticated. The parameter can take three different values, which determine the behavior of smbd in the event that the username specified by the client does not match any of the UNIX system usernames:
- never: the default. Access for users who specified an incorrect password will be denied;
- bad user: access for users who specified an incorrect password will be denied if the specified username exists on the UNIX system. Otherwise, the user is considered a "guest" and gets the rights of the guest account;
- bad password: all users who have specified an incorrect password are considered "guests" and receive the rights of the guest account. Do not use this mode. If it is enabled, then a user who typed their password incorrectly connects to the system as a "guest" without any warning and as a result cannot access their files.
Default value:

Map to guest = never

To change the value of the parameter to bad user, use:

Map to guest = bad user

The null passwords parameter

This parameter allows or denies client access to accounts for which no password has been set. This is another option that should not be enabled.
Default value:

Null passwords = No

To enable the parameter, change this to:

Null passwords = Yes

Password server parameter

This parameter allows you to specify the name of another SMB server. When operating in domain-level security or server-level security, Samba will check the correctness of names / passwords using the specified remote server. You must specify the NetBIOS server name as the value for the parameter. If the NetBIOS name of the server is different from its Internet name, specify the server name in the lmhosts file (it is located in the same directory as smb.conf). The password server address is determined using the methods listed in the name resolve order parameter, in that order. The password server must be a system capable of using the LM 1.2X002 or LM NT 0.12 protocol, and the server must operate in a user-level security mode. Do not point your Samba server at itself as a password server! This can cause loops and hang your server.
If you are using domain-level security, then the parameter discussed should specify the name of your primary or secondary domain controller. In this case, you can specify a list of names as the value of the password server parameter, and smbd will try to access these servers one by one until it receives a response from one of them. This is useful if your primary domain controller has suddenly gone down.
If you are using server-level security, there are additional restrictions. Again, you can specify a list of names for the password server value; however, if one of the listed servers fails, it will no longer authenticate users. This is a limitation of the SMB / CIFS protocol and cannot be fixed in Samba.
By default, the parameter value is an empty string:

Password server =

To enable verification of usernames and passwords with the sugar and terrapin NetBIOS servers, specify:

Password server = sugar, terrapin

The root directory parameter

At startup, the server will make the specified directory its root directory. Changing the root directory from / to something else increases the security of the system. However, there is a price to pay for every security improvement. If you use this parameter, you can be sure that there is no way for the server to access files outside the directory tree starting at the specified root directory. This also applies to the files required for the normal operation of the server. In particular, you may need to create copies of the files usually found in the / etc directory.
Default value:

Root directory = /

To set the /opt/samba/home directory as root, use:

Root directory = /opt/samba/home

Username map parameter

The parameter sets the file containing the rules for mapping the client's usernames to the usernames of the UNIX system. This parameter is for convenience only (think about the additional overhead of the mapping). If you are going to map the names of all users on clients, why not just create corresponding UNIX users for them? This is the best place to map an NT Administrator user to a UNIX root user (if you need cross-platform administrative access).
Each line of the file describing the mapping rules must begin with one username on the UNIX system, followed by a list of names after the = sign. In this list, the special character * can be used to designate an arbitrary name. The maximum length of one line is 1023 characters. There is no limit on the number of lines. The file with mapping rules is processed line by line. If a line starts with # or ; it is ignored. For example, to define the mapping of admin and administrator to root on UNIX systems, specify the following line in the file:

# entry for mapping NT-administrator to root
root = admin administrator

By default, user mapping is not enabled; the parameter value is an empty string:

In our example, the rules file is named user.map and is located in the /usr/local/samba/lib directory:

Username map = /usr/local/samba/lib/user.map

Password level parameter

Some client-server combinations make it difficult to use passwords containing both upper and lower case letters. Most modern clients have no problem handling mixed case passwords. This parameter is actually intended to work with Windows for Workgroups, which requires an uppercase password when using the LANMAN1 protocol. The value of the parameter under discussion is a number that specifies the maximum possible number of uppercase characters in a password. The larger it is, the more likely it is that the upper case password will be considered correct, even though the real password contains both upper and lower case characters. You should be aware that using this option decreases the security of the system and increases the time it takes to establish a new connection. If your network has no old Windows for Workgroups or DOS clients, leave this setting at the default (zero). In this case, only two passwords are checked: the password sent by the client, and the same password with all characters converted to lower case.
For example, if the client sent the STRAW password and password level = 1, then if the password itself did not fit, the following combinations will also be checked:

Straw, sTraw, stRaw, strAw, straW.

If password level = 2, then the following passwords will also be checked:

STraw, StRaw, StrAw, StraW, sTRaw, sTrAw.
Default value:

Password level = 0

The example below sets it to 4:

Password level = 4
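The candidate list that the password level description implies can be enumerated directly, which makes the cost of raising the value visible. This is an added example, not Samba's code; the function names are hypothetical and the comparison is done on plaintext strings for clarity, whereas a real server checks each candidate against the stored hash.

```python
from itertools import combinations
from typing import List


def password_candidates(sent: str, level: int) -> List[str]:
    """Passwords tried, in order, for one client-supplied password.

    Model of the text above: the password as sent, then all lower case,
    then every variant of the lower-case form with 1..level characters
    converted to upper case.
    """
    lower = sent.lower()
    tried = dict.fromkeys([sent, lower])  # keeps order, drops duplicates
    letters = [i for i, c in enumerate(lower) if c.upper() != c]
    for k in range(1, min(level, len(letters)) + 1):
        for positions in combinations(letters, k):
            chars = list(lower)
            for i in positions:
                chars[i] = chars[i].upper()
            tried.setdefault("".join(chars))
    return list(tried)


def accepts(stored: str, sent: str, level: int) -> bool:
    """True if the server would treat `sent` as matching `stored`."""
    return stored in password_candidates(sent, level)


def checks_per_attempt(sent: str, max_level: int) -> List[int]:
    """Number of passwords checked per login attempt for levels 0..max_level."""
    return [len(password_candidates(sent, lvl)) for lvl in range(max_level + 1)]


if __name__ == "__main__":
    for lvl, count in enumerate(checks_per_attempt("STRAW", 5)):
        print(f"password level = {lvl}: {count} candidate passwords per attempt")
    # Stored mixed-case password, all-caps password from a legacy client.
    print(accepts("sTrAw", "STRAW", 1), accepts("sTrAw", "STRAW", 2))
```

For a five-letter password the count already reaches every possible case combination at level 4, so a single submitted string stands in for all 32 spellings of the stored password.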

Username level parameter

This parameter, like the previous one, is intended for use by Samba with legacy clients. DOS clients always pass the username in uppercase. By default, Samba tries to use a lowercase name followed by a lowercase name with the first uppercase letter. If these two attempts to find the matching name on the UNIX system are unsuccessful, the client will be refused connection. However, if the username level parameter is nonzero, then Samba's behavior changes. The value of this parameter is the number of different name variations (obtained by converting individual characters to uppercase) that will be checked against the name on a UNIX system. The larger the number, the more combinations are checked. Again, as with the password level, using this parameter decreases both security and performance. The higher the value of the parameter, the slower the search for the name is. This parameter can be useful if your UNIX system has strange names like WhatALongStrangeNamenic or if you are using DOS or Windows for Workgroups clients.
Default value:

Username level = 0

Set to 5:

Username level = 5
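The warnings attached to the security parameters above can be turned into a quick check of the [global] section of smb.conf. This is an added example, not a Samba tool: the function names and both sample configurations are constructed, the defaults are the ones stated on this page, and `netbios name` is assumed to be set when the self-referencing password server check is wanted.

```python
from typing import Dict, List, Tuple

TRUE = {"yes", "true", "1"}

# Defaults as stated on this page (other Samba versions may differ).
DEFAULTS = {
    "encrypt passwords": "no",
    "map to guest": "never",
    "null passwords": "no",
    "password level": "0",
    "username level": "0",
    "bind interfaces only": "no",
}

WEAK = """\
[global]
   workgroup = MYGROUP
   netbios name = SUGAR
   security = server
   password server = sugar, terrapin
   Encrypt passwords = No
   Map to guest = bad password
   null passwords = yes
   password level = 4
   interfaces = 192.168.0.10/255.255.255.0
   bind interfaces only = Yes
; share sections are ignored by this audit
[share]
   path = /mnt/shara
   guest ok = yes
"""

HARDENED = """\
[global]
   security = user
   encrypt passwords = yes
   map to guest = never
   null passwords = no
   interfaces = 192.168.0.10/255.255.255.0 127.0.0.1
   bind interfaces only = yes
"""


def parse_global(text: str) -> Dict[str, str]:
    """Return the [global] parameters with normalised, lower-case names."""
    params, section = dict(DEFAULTS), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = " ".join(value.split())
    return params


def _int(value: str) -> int:
    try:
        return int(value)
    except ValueError:
        return 0


def audit(text: str) -> List[Tuple[str, str]]:
    """Return (parameter, reason) pairs for settings the page warns about."""
    g = parse_global(text)
    findings = []
    if g["encrypt passwords"].lower() not in TRUE:
        findings.append(("encrypt passwords", "encrypted passwords are not enabled"))
    if g["map to guest"].lower() == "bad password":
        findings.append(("map to guest", "a mistyped password silently becomes a guest session"))
    if g["null passwords"].lower() in TRUE:
        findings.append(("null passwords", "accounts without a password are accepted"))
    for name in ("password level", "username level"):
        if _int(g[name]) > 0:
            findings.append((name, "case variants are tried: weaker and slower logins"))
    if g["bind interfaces only"].lower() in TRUE:
        tokens = g.get("interfaces", "").replace(",", " ").split()
        if not any(t.split("/")[0] == "127.0.0.1" for t in tokens):
            findings.append(("interfaces", "127.0.0.1 missing while bind interfaces only = yes"))
    servers = {s.lower() for s in g.get("password server", "").replace(",", " ").split()}
    if g.get("netbios name", "").lower() in servers:
        findings.append(("password server", "the server lists itself as password server"))
    return findings


if __name__ == "__main__":
    for param, reason in audit(WEAK):
        print(f"{param}: {reason}")
```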

Revalidate parameter

This option only works when using resource-level security (security = share). It determines whether Samba will allow a previously verified username / password pair to be used to connect to a new share. By default, connections are allowed without rechecking. If you set the parameter to yes, then connect to \\sugar\lesh and finally try to connect to \\sugar\hart, Samba will not allow the client to connect automatically, even though the client sends the same username as before.
Default value:

Revalidate = No

Revalidate = Yes

Username parameter

Another option for working with legacy DOS and Windows for Workgroups clients. As with password level and username level, using this parameter degrades system security and performance. The parameter value must be a list of usernames separated by commas. The password supplied by the client is checked against each of these names in turn.

Guest account parameter

This parameter sets the username used to access public resources (see guest ok). The privileges of this user are given to any clients connecting to publicly accessible resources. The user specified as the parameter value should not be able to log on normally.

Guest account = nobody

To use ftp as a guest account, change this line to the following:

Guest account = ftp

Invalid users parameter


invalid users = administrator if you don't need cross-platform administration.

Invalid users =

Invalid users = administrator admin

The valid users parameter

Valid users = phil

The admin users parameter

Admin users = georgeh

Read list parameter

To give phil and cheese read-only access, use:

Read list = phil cheese

Write list parameter


The default is an empty string (no user gets write access to read-only resources):

Write list = admin root

Hosts allow parameter

The value of this parameter is a list of nodes that are allowed to access the service. Commas, spaces and tab characters can be used as separators. If specified in the global section, then it applies to all shared resources; moreover, if access is denied for a specific resource for one of the hosts specified in the hosts allow list in the global section, then access is still allowed. The nodes in the list can be specified by name, IP address, or IP address-subnet mask pair. When using the wildcard * to specify exceptions, the except keyword is also valid.

Hosts allow = localhost, 192.168.*.*

Hosts allow = localhost, 192.168.99.0/255.255.255.0

Hosts allow = localhost, terrapin, deal

Hosts allow = localhost, 192.168.99.0/255.255.255.0 except 192.168.99.222

Hosts deny parameter

Hosts deny = 192.168.111.*

Samba logs events and errors thoroughly, allowing you to diagnose and fix problems that arise. As an administrator, you have a wide choice of what to log and where. When solving a complex problem, you may also need to increase the debug level, but keep in mind that Samba outputs a lot of information at high debug levels.

Log level parameter

This parameter is synonymous with debug level and sets the debug level. The default debug level is 0:

Debug level = 0

To set debug level 3:

Debug level = 3

Syslog parameter

The parameter sets the threshold value for sending messages to the syslog. Messages with a debug level lower than the threshold will be sent to the syslog.
Samba uses the following debug level values:

- debug level 0 corresponds to LOG_ERR;
- debug level 1 corresponds to LOG_WARNING;
- debug level 2 corresponds to LOG_NOTICE;
- debug level 3 corresponds to LOG_INFO;
- all higher levels correspond to LOG_DEBUG.

The default is 1:

To set threshold value 3 (LOG_INFO):

Syslog only parameter

If this parameter is set, then Samba sends debug messages only to the syslog, not writing them to its own log file.
By default, debug messages are both sent to the syslog and written to Samba's own log file:

Syslog only = No

To disable duplicate messages and send them only to the system log, set:

Syslog only = Yes

Log file parameter

This parameter allows you to change the default location and name of the Samba log file. You can use standard Samba substitution variables in the parameter value. The most commonly used:
- %m hostname,
- %u user.
The default is set at compile time:

Log file = /var/log/samba/log.smb

To use the log file /opt/log/samba/samba.log:

Log file = /opt/log/samba/samba.log

If the value of the log file parameter is:

Log file = /opt/log/samba/samba.%m

then for the deal node the log file will be named /opt/log/samba/samba.deal. This approach is useful when you are doing centralized logging for all servers.

Max log size parameter

This parameter specifies the maximum size of the log file. Its value is the size limit in kilobytes. Samba keeps track of the size of the log file and, if it exceeds the specified value, renames the file by appending the extension .old to its name. A value of 0 means that there is no size limit for the log file. Default value:

Max log size = 5000

To double the default log file size limit:

Max log size = 10000

Timestamp logs parameter

Samba, by default, marks all entries in the log file with a timestamp. This option allows you to disable the time stamp. Use it when you need to sort out a problem but don't need timestamps. Default value:

Timestamp logs = Yes

To turn off the timestamp:

Timestamp logs = No

Status parameter

Protocol options

This section describes the network protocol parameters, from version and block size to text that your server will use to identify its network shares. With these parameters, you can control how the Samba server looks from the perspective of Windows servers, tweak it to improve performance, and define how Samba finds network shares.

The protocol parameter

This parameter sets the maximum protocol level that the server will support; you do not need to change it. The correct protocol level will be found during the autodetection phase in the SMB protocol. Available parameter values:
- CORE: the first version of the protocol. Currently not used;
- COREPLUS: a more efficient protocol, but very primitive;
- LANMAN1: the next version. Supports long names. The so-called LAN Manager protocol;
- LANMAN2: several enhancements to the LAN Manager protocol;
- NT1: the current version of the protocol, also called CIFS (Common Internet File System).
Default value:

To use, for example, the LANMAN1 protocol, specify:

Protocol = LANMAN1

Read bmpx parameter

This parameter specifies whether smbd should support Read Block Multiplex capability, and is rarely used.
Default value:

To set this parameter, change its value to yes:

Read bmpx = Yes

Read raw parameter

This parameter specifies whether the server should support raw read SMB requests when sending data to clients. Enabling support for such requests allows you to read 65,535 bytes in a single packet, which can significantly improve performance.
Default value:

To turn off support for "raw" reading, change the parameter value:

Write raw parameter

By default, this parameter is set to yes, which enables optimized low-level file writing. Some servers may not support this feature, and disabling it in this case will improve performance.
Default value:

Write raw = Yes

Changing the value can improve the performance of some servers:

NT smb support option

This parameter determines whether smbd should use the NT-specific features of the SMB protocol when working with NT clients. The parameter is intended for debugging.
Default value:

NT smb support = Yes

To turn off NT-specific SMB feature support:

NT smb support = No

NT pipe support option

This option controls whether the smbd daemon should allow NT clients to connect to the NT SMB-specific IPC$ pipes and is considered a debug option for developers. Default value:

NT pipe support = Yes

To disable support for IPC$ pipes, set:

NT pipe support = No

NT acl support parameter

This experimental parameter is set to no by default. It allows smbd to attempt to map UNIX access modes to Windows NT ACLs. Default value:

NT acl support =

In order to enable the mapping of modes to access lists, set:

NT acl support = Yes

Announce version parameter

The parameter specifies the version numbers that nmbd will use when it advertises itself as a server. By default, the version number is 4.2. Do not change the value of this parameter unless you need to configure Samba as a downstream server for some reason. Default value:

Announce version = 4.2

To change the announced version to 2.0, set:

Announce version = 2.0

Announce as parameter

The parameter determines how nmbd advertises itself to be added to the browse list. Samba 2.0 and later advertise themselves as Windows NT by default. Do not change the value of this parameter (unless you want the Samba server to stop looking like an NT server), as this may cause the Samba server to stop showing up correctly in the browse list.
Available parameter values:
- NT: advertise itself as a server for all modern Windows based clients (since Windows 95);
- Win95: also advertise itself as a server for all modern Windows based clients.
Default value:

Announce as = NT

To make the Samba server look like a Windows 95 server, specify:

Announce as = Win95

Max mux parameter

The parameter specifies the maximum number of SMB operations that the client can perform at the same time. You never need to change its value. Default value:

Below is an example of decreasing the limit value:

Max xmit parameter

This parameter sets the maximum packet size that the Samba server advertises when establishing a connection with a client. The default is the highest value possible, 65535. You may find that for your clients, using a lower value will improve performance. However, a value less than 2048 is likely to cause problems.
Default value:

Max xmit = 65535

Below is an example of reducing the maximum packet size:

Max xmit = 16384

Name resolve order parameter

This parameter specifies the list of name services that Samba will use and the order in which they will be used. The parameter value is a list of services, with a space used as the separator. The following services are available:
- lmhosts: search for an IP address in the lmhosts file on the Samba server;
- host: look up an IP address using the standard method of the operating system Samba is running on. In this case, for example, the hosts file or the DNS service can be used;
- wins: find an IP address by polling the WINS server. The most important advantage of WINS over other methods is that it uses a dynamic naming method rather than a static one. This means that the WINS server "listens" to the network and remembers the names of the active systems. If a WINS server is not specified in the Samba configuration file, this method is ignored;
- bcast: search for an IP address using a broadcast request on all local network interfaces. Samba uses the interfaces parameter to select the interfaces. This method is the least reliable because the host being looked up must be connected to one of the local subnets.
Default value:

Name resolve order = lmhosts host wins bcast

To perform a broadcast request after searching in the lmhosts file, specify:

Name resolve order = lmhosts bcast host

If the IP address of the target host cannot be found either in the lmhosts file or using a broadcast request, the operating system will search for the address.

Max packet parameter

The parameter sets the maximum packet size that the Samba server can use. The default is the highest value possible, 65535. You may find that for your clients, using a lower value will improve performance. However, a value less than 2048 is likely to cause problems. Default value:

Max packet = 65535

To set the packet size to half the default size, specify:

Max packet = 32768

Max ttl parameter

The parameter specifies the time to live (TTL) in seconds for NetBIOS names that nmbd will use by default. The time is counted from the moment of the broadcast request or the request of the WINS server. You should not change the value of this parameter.
The default is 518,400 seconds:

Max ttl = 518400

To set the lifetime to three days (259,200 seconds), set:

Max ttl = 259200

Min wins ttl parameter

This parameter is only meaningful if your Samba server is configured as a WINS server. It sets the minimum NetBIOS name lifetime (in seconds) for nmbd. You should not change the value of this parameter.
The default is 6 hours, or 21,600 seconds:

Min wins ttl = 21600

To set the minimum lifetime to 12 hours (43,200 seconds), set:

Min wins ttl = 43200

Time server parameter

If this parameter is set to yes, then nmbd will advertise itself to Windows clients as a time server. In this case, the daemon will not play the role of a standard time service and cannot be used for this purpose by UNIX clients.
Default value:

Time server = No

To enable the time service, set:

Time server = Yes

This section is displayed only on the Global Advanced page and is intended for setting parameters for fine tuning Samba. You can configure Samba to run in a specific environment by setting an inactivity time after which users will be disconnected from the server, specifying which socket options should be set, determining the size of the cache, and changing the values of many other parameters.

Change notify timeout parameter

The parameter determines how change notify requests are handled. With such a request, the client asks the server to track changes in a specific directory and to respond only when such changes occur. Implementing this persistent tracking on UNIX is quite resource intensive. To improve performance, the smbd daemon does not constantly check the state of the directory, but does so at the interval specified by the change notify timeout parameter. The parameter value specifies the interval in seconds. The default is 60 seconds:

Change notify timeout = 60

To check the status of directories every 10 minutes (600 seconds), specify:

Change notify timeout = 600

Deadtime parameter

The parameter defines the time of connection inactivity in minutes, after which the connection starts to be considered "dead" and is terminated (only if the number of open files for this connection is 0). This frees up server resources that could otherwise be depleted by a large number of inactive connections. Modern clients have the ability to automatically reconnect when the connection is broken, so the use of this parameter is transparent to users.
The default is 0 (no connections will be closed automatically):

To set the maximum connection inactivity time to five minutes, specify:

Getwd cache parameter

If this parameter is set to yes, then a special caching algorithm is used to reduce the execution time of certain system calls. For this parameter to have a significant performance impact, the wide links parameter in the Miscellaneous Options section must be set to no.
Default value:

Getwd cache = No

To enable caching, set:

Getwd cache = Yes

Keepalive parameter

This parameter specifies the interval in seconds between sending packets to keep the connection (keepalive packets). These packets tell the server that the client is still on the network and capable of responding to requests. Most services use their own packets to maintain the connection.
The parameter value specifies the interval in seconds. Use this option when troubleshooting problems.
The default is 0 (the server does not send packets to keep the connection):

To have the server send packets to keep the connection once a minute, specify:

The max disk size parameter

This parameter defines the maximum disk size that will be reported to clients. If you set it to 100, it will appear to all clients that the shared resources hold no more than 100 MB. The key word is "appear". This parameter does not limit the amount of data that you can put on disk; it only sets a limit on the amount that the server reports to the client in response to a request for the total disk space. This parameter is useful for getting around problems in software that does not support very large disks.
The default is 0 (no limit):

Max disk size = 0

To limit the size of disks reported to clients to one gigabyte, specify:

Max disk size = 1000

The max open files parameter

The parameter specifies the maximum number of files that each client can open on the server. In fact, this number also depends on the maximum allowed number of open files for one process in the UNIX system on which the Samba server is installed. The default is very high because Samba only uses 1 bit for each unopened file.
Default value:

Max open files = 10000

To reduce the limit to 5000 files, specify:

Max open files = 5000

Read size parameter

This parameter specifies the overlap of disk read/write operations with network read/write operations. If the amount of transmitted data exceeds the value of this parameter, the server starts writing them to disk before the entire packet is received from the network. This overlap works best when disk and network speeds are about the same. For this parameter, practically no experiments have been carried out that would have made it possible to determine its optimal value, but we can say that it varies greatly from system to system. If you specify a value greater than 65535, it will allocate memory that will never be used (since 65535 is the maximum packet size possible).
Default value:

Read size = 2048

In the example below, the value is doubled:

Read size = 4096

Socket options parameter

You can set socket options that are used when communicating with clients. Socket parameters allow fine tuning of connections at the network level of the operating system to achieve the best performance of the Samba server. You can set multiple supported socket options at the same time, if the operating system allows it. However, certain combinations of parameters can cause the Samba server to crash completely.
If you are not a TCP/IP guru, then do not change the default.
Samba supports the following socket options:

SO_KEEPALIVE
SO_REUSEADDR
SO_BROADCAST
TCP_NODELAY
IPTOS_LOWDELAY
IPTOS_THROUGHPUT
SO_SNDBUF #
SO_RCVBUF #
SO_SNDLOWAT #
SO_RCVLOWAT #

Parameters marked with # require an integer as argument. Other parameters use the values 1 or 0 as an argument to enable or disable the use of this parameter, respectively (if the argument is not specified, then the use of the parameter is allowed).
In the example below, the size of the transmit buffer is increased to 8 MB (there should be no spaces around the second equal sign):

Socket options = SO_SNDBUF=8192

If you are using a Samba server on a local network, try setting these parameters:

Socket options = IPTOS_LOWDELAY TCP_NODELAY

If you are using a Samba server on the WAN, try setting:

Socket options = IPTOS_THROUGHPUT

Default value:

Socket options = TCP_NODELAY

The stat cache size parameter

The parameter determines the number of entries in the stat cache. You do not need to change its value. Default value:

Stat cache size = 50

To double the default value, specify:

Stat cache size = 100

Filename handling

In this section, you can set the rules for translating file names between the server and clients and for displaying long names on client computers.

Strip dot parameter

The parameter specifies whether periods at the end of UNIX names should be dropped. This may help to use some CDs with filenames ending with a period.
Default value:

To have trailing periods dropped, specify:

Strip dot = Yes

Unix charset parameter

The parameter specifies the conversion map for file names.

Unix charset = koi8-r

Mangled stack parameter

This parameter specifies the number of mangled names to be cached by the smbd daemon. The server keeps a list of recently mangled filenames and their extensions, if they are no longer than three characters or contain uppercase characters. The default is sufficient, unless you are using very long file and directory names on UNIX. Be careful: true to its name, this parameter may lead to corruption of long file names.
Default value:

Mangled stack = 50

To double the amount of memory allocated for the cache, specify:

Mangled stack = 100

Case sensitive parameter

Case sensitive = No

Case sensitive = Yes

Preserve case parameter

The parameter determines whether new filenames received from the client keep their case. If you set the parameter to no, the case of characters in file names will be changed to the default case.
Default value:

Preserve case = Yes

Preserve case = No

Short preserve case parameter

The parameter specifies whether the new filenames should be kept in uppercase and short in length, or if they should be converted to the default case. The parameter is meaningful if the preserve case parameter is set to yes.
Default value:

Short preserve case = Yes

Short preserve case = No

Mangle case parameter

Mangle case = No

Mangle case = Yes

Mangling char parameter


Default value:

Mangling char = ~

Mangling char = _

Hide dot files option

This parameter determines whether files with names starting with a period are considered hidden. By default, the commands for listing files in a directory do not display information about hidden files. Default value:

Hide dot files = Yes

Hide dot files = No

Delete veto files parameter

This parameter determines what happens when Samba tries to delete a directory that contains one or more vetoed directories. The default is no, which means that deleting a directory will fail if the protected directory contains regular files or directories. Most likely, these are the settings you need.
If set to yes, Samba will attempt to recursively delete all files and subdirectories in the protected directory. This means that when the parent directory is removed, all such directories will be removed transparently to the user. The user deleting the directory must have the appropriate permissions, or the deletion will fail, regardless of the value of the delete veto files parameter.
Default value:

Delete veto files = No

Delete veto files = Yes

Veto files parameter

The value of this parameter is a list of files and directories that are neither visible nor accessible to clients. However, keep in mind that if a directory contains only the files included in this list, it will be deleted along with all files if the user has the appropriate permissions on UNIX systems. In addition, the case sensitive parameter affects the interpretation of the value of the veto files parameter.


If you want to specify a non-empty list, then the / character is used to separate names in this list, which allows you to specify names containing spaces. The wildcard characters * and ? are allowed in the list. Each item in the list must be the name of a UNIX file, but cannot include the / character.

Veto files = /*.tmp/*root*/

Hide files parameter

The parameter value is a list of files and directories that are invisible but available to clients. For each of the files or directories matching the specified list, the DOS attribute "hidden file" is set. The / character is used to separate names in this list, which allows you to specify names that contain spaces. The wildcard characters * and ? are allowed in the list. Each item in the list must be the name of a UNIX file, but cannot include the / character.


To hide all files ending in .log, set:

Hide files = /*.log/
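How the two name lists above behave can be modelled in a few lines. This is an added example, not code from Samba or from the original reference: it only approximates the matching with the two wildcards the text names, and the directory listing is constructed.

```python
import re


def parse_name_list(value):
    """Split a '/'-separated list such as '/*.tmp/*root*/' into patterns.
    Because '/' is the separator, entries may contain spaces."""
    return [entry for entry in value.strip().split("/") if entry]


def compile_pattern(pattern, case_sensitive):
    """Translate * and ? (the only wildcards the page names) into a regex."""
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("".join(parts), 0 if case_sensitive else re.IGNORECASE)


def classify(names, veto="", hide="", case_sensitive=False):
    """Map each name to 'vetoed' (invisible and inaccessible), 'hidden'
    (DOS hidden attribute set, still accessible) or 'visible'."""
    veto_res = [compile_pattern(p, case_sensitive) for p in parse_name_list(veto)]
    hide_res = [compile_pattern(p, case_sensitive) for p in parse_name_list(hide)]
    result = {}
    for name in names:
        if any(r.fullmatch(name) for r in veto_res):
            result[name] = "vetoed"
        elif any(r.fullmatch(name) for r in hide_res):
            result[name] = "hidden"
        else:
            result[name] = "visible"
    return result


# Constructed directory listing; the two lists are the page's own examples.
LISTING = ["build.tmp", "root_notes.txt", "app.log", "My Report.doc", "ROOT.TMP"]

if __name__ == "__main__":
    for cs in (False, True):
        print("case sensitive =", cs,
              classify(LISTING, "/*.tmp/*root*/", "/*.log/", case_sensitive=cs))
```

With case sensitive = Yes, ROOT.TMP is no longer covered by the veto list, which is why a veto list should be reviewed together with the case sensitive setting.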

The veto oplock files parameter



Veto oplock files = /*.cookie/

Mangled names parameter


Name mapping allows clients to work with Phoenix AIA files (for example, copy a file from one system directory to another) while preserving their original long names.
If you have name mapping enabled for a shared directory, then two files with the same first five characters in the name can get the same name after mapping, causing problems. The chance of this trouble happening is 1 in 1300.
Default value:

Mangled names = Yes

Mangled names = No

Mangled map parameter

This parameter lets you directly set the mapping for names of AIS "Phoenix" files that are not compatible with DOS/Windows. If you do not want to use name mapping for all files, this option is quite useful.
Let's give one example describing a common situation. UNIX systems typically use the .html extension for HTML files, while Windows/DOS use the .htm extension. The discussed option allows you to map the UNIX extension .html to the Windows extension .htm.
Default value:

Mangled map = (*.html *.htm)

Stat cache parameter

This parameter determines whether the smbd daemon should use the cache to speed up case-insensitive file name lookups. By default, the parameter is enabled; you should not change its value.

Stat cache = Yes

Domain options

This section allows you to set the values for the parameters associated with the NT domain.

Domain groups parameter

The default is an empty string:

Domain groups =

Don't change it.

Domain admin group parameter

Default value:

Domain admin group =

Don't change it.

Domain guest groups parameter

Default value:

Domain guest group =

Don't change it.

Domain admin users parameter

Default value:

Domain admin users =

Don't change it.

Domain guest users parameter

Default value:

Domain guest users =

Don't change it.

The machine password timeout parameter

This parameter is only meaningful if domain-level security is used (security = domain). It specifies when smbd will change the password for the computer account. The value specifies the interval in seconds. The default is one week (604,800 seconds, which is the default for computers in a Windows NT domain):

Machine password timeout = 604800

The default value matches the behavior of Windows NT-based systems. Don't change it.

Logon options

This section describes the options that determine how clients connect. These settings can be used to update user directories, automatically map network drives for users, and simplify account administration. The options listed below work well with all clients and are not part of the NT Domain Server code.

Logon script parameter

The parameter allows you to specify the name of the file that will be downloaded to each client and executed there after logging into the domain. You can use standard substitution variables in the parameter value, which allows you to specify different logon scripts for different users or workstations. Note that your login script must use DOS-style line endings. The script file must be located in the directory specified as the path for the netlogon resource. Don't allow write access to the netlogon resource! The script file can contain anything, from synchronizing the clock with a time server to connecting shared drives for shared applications. For example:

NET TIME \\SUGAR /SET /YES
NET USE W: \\SUGAR\workutils
NET USE Y: \\SUGAR\datafiles
NET USE Z: \\SUGAR\accounts

The default logon script parameter is an empty string (no logon script file):

To set the setenv.bat file as the login script file:

Logon script = setenv.bat

The following is an example of using the standard substitution variable %U (specifying the username). With this variable, you can create custom scripts for users:

Logon script = %U.bat

Logon path parameter

This parameter is only used if Samba is acting as a domain login server and roaming is configured for user profiles. The parameter specifies in which directory the profiles are stored. The parameter value can use standard substitution variables, which allows you to specify different logon scripts for different users or workstations. The directory specified in the parameter value will also be used to load the desktop, Start menu, Network Neighborhood, and the Programs folder for your Windows 95/98 clients. This shared resource (and its corresponding directory) must be readable by the user, or the Windows 95/98 client will not be able to load the custom settings. The shared resource must be writable by the user at least the first time he logs on to the domain. After the first logon to a domain, directories and their contents can be set to read-only access. However, do not set the user.dat file to read-only mode, as it contains user settings and the user might want to change them. Instead, rename the file to user.man and set the file to read-only mode. (Such a file is called a mandatory profile.) Default value:

Logon path = \\%N\%U\profile

To specify that user profiles are located in the \HOME\username directory on the DEAL server, specify:

Logon path = \\DEAL\HOME\%U\PROFILE

Logon drive parameter

This parameter is only used if Samba is acting as a domain logon server for NT-based workstations. The parameter specifies the local directory that will act as the user's home directory. The default is an empty string (no directory specified):

To set your home directory as drive H:, use:

Logon drive = h:

Logon home parameter

This parameter specifies the location of the home directory when a Windows 95/98 or NT workstation is part of the domain in which the Samba server is the PDC. The parameter value can use standard substitution variables, allowing you to define different home directories for different users or client computers.
The following is an example that specifies the name of the home directory server, but uses the name of the user who established the session to specify the directory itself:

Logon home = \\deal\%U

Domain logons parameter

This parameter determines whether Samba will act as a domain logon server for Windows 95/98 based clients. A domain logon server for Windows NT clients is not the same! Default value:

Domain logons = No

To enable domain logon support for Windows 95/98 based clients, specify:

Domain logons = Yes

The browse options determine how your Samba server will play the role of the Windows network browse server. With these parameters, you can force Samba to always win local browse server elections (or always lose them, or win over some operating systems and lose to others), as well as specify information about network resources that will be sent to all clients.

OS level parameter

This parameter specifies the value that Samba advertises as the operating system version when a browse server is elected. The default value is chosen so that the Samba server will lose the election to any Windows machine. Default value:

The value set in the example below will cause the Samba server to win the election over any Windows server:

Lm announce parameter

This parameter specifies whether the nmbd daemon should broadcast Lanman announcements (this is required for OS/2 clients). If the parameter is set to false, then OS/2 based clients will not see the Samba server in the browse list. The parameter can take one of three values:
- true: receive and respond to broadcast Lanman announcements;
- auto: respond if broadcast Lanman announcements are found on the network;
- false: do not respond to broadcast Lanman announcements.
The default is to accept Lanman broadcasts and then respond to them:

Lm announce = auto

To prevent the Samba server from responding to broadcast Lanman announcements, set:

Lm announce = false

Lm interval parameter

If the previous parameter (lm announce) is set to one of the values true or auto, then using the lm interval parameter you can change the interval between sending broadcast announcements. The parameter value is the interval in seconds.
Default value:

Lm interval = 60

To triple the interval between Lanman broadcasts, specify:

Lm interval = 180

Preferred master parameter

The parameter specifies whether nmbd should act as the preferred master browser for its workgroup. If set to yes, then nmbd initiates a browse server election immediately after starting. By default, the server that initiated the election has some advantage. The OS level parameter discussed above is another way to influence election results.
If you set the preferred master parameter to yes, then set the domain master parameter to yes as well. Using preferred master = yes, domain master = yes, and OS level = 65 ensures that nmbd becomes a domain controller.
This setting can cause network performance issues if multiple servers on the same subnet are configured as preferred browse servers. It doesn't matter if these servers are Samba, Windows NT, or Windows 95/98 - if configured as preferred browse servers, they will periodically try to become a browse server for the subnet. This leads to excessive broadcast traffic on the network and slows down the browsing process.
Default value:

Preferred master = No

In order for the Samba server to act as the preferred browsing server, specify:

Preferred master = Yes

Local master parameter

This parameter allows you to specify whether nmbd should participate in the election of the browse server for its subnet. If the parameter is set to no, then the Samba server will never try to become the browse server. In this case, Samba will lose all browse server elections and never become a subnet browse server.
Default value:

Local master = Yes

To disable this parameter, change the default value:

Local master = No

Domain master parameter

The parameter determines whether nmbd will support a wide area network (WAN) browse list. If set, then nmbd captures a special NetBIOS name in the domain. This name identifies the server as the primary domain browse server for this workgroup. Local browse servers in the same workgroup, located on different subnets, will send their browse lists to nmbd and then request a shared browse list for the WAN. Clients will receive a browse list for the entire network from their local browse servers.
If your Samba server is part of a network containing Windows NT domain servers, do not change this parameter. Windows NT primary domain controllers capture the NetBIOS special name (workgroup specific). If the Samba server grabs this name before the domain controller, then cross-subnet browsing may work oddly or fail altogether.
Default value:

Domain master = No

To enable the parameter, set:

Domain master = Yes

Browse list parameter

This parameter has the opposite meaning to the domain master parameter and determines whether the Samba server will send the browse list to the browse server when creating a wide area browse list. When the browse list is sent, the Samba server also receives information about other servers.
Default value:

Browse list = Yes

You should not disable this option.

WINS options

This section describes the WINS parameters that determine how Samba interacts with WINS servers and whether the Samba server should act as a WINS server.

DNS proxy parameter

The parameter is only meaningful if the Samba server is acting as a WINS server and determines whether nmbd will forward name resolution requests to the DNS server if the name is not found in the WINS database. It is not a good idea to use this feature unless for some clients there is no other way to get information from the DNS. The problem is not performance (nmbd will start itself up again, creating a second process to handle DNS queries). Here's the problem: If a client looks up a network name in the WINS database, what is the likelihood that the DNS server will help him? The DNS server will receive the requested name no longer than 15 characters.
Default value:

DNS proxy = Yes

To disable the option and not forward name resolution requests to the DNS server, set:

WINS proxy parameter

This parameter determines whether nmbd will respond to broadcast name resolution requests if the names are owned by other nodes, but nmbd knows the answer. As in ordinary life, it is a bad idea to be responsible for someone. On the other hand, setting this parameter to yes can help you troubleshoot network problems. If your network services only work with the WINS proxy option set, double check all settings. Default value:

WINS proxy = No

To enable WINS proxy support, specify:

WINS proxy = Yes

WINS server parameter

This parameter specifies the IP address or DNS name of the WINS server on which nmbd will register the used names. If your network consists of multiple subnets, then the WINS server parameter must be set, otherwise network browsing will not work correctly. If the WINS server is part of your network, enter its IP address. Although you can use a DNS name instead of an address, do not do so (as performance may degrade or the setting will not work at all). Use an IP address.
The default is an empty string (no WINS server specified):

For example, if your WINS server address is 192.168.99.24, then set:

WINS server = 192.168.99.24

WINS support option

This parameter determines whether nmbd will act as a WINS server and should not be set to yes on more than one computer on your network. The value yes should only be used if your network is divided into subnets and on one of them you want the nmbd daemon on a specific computer to act as a WINS server.
Default value:

WINS support = No

To enable the parameter, specify:

WINS support = Yes

This section describes the parameters that control locking. Setting them correctly will help improve the performance of the Samba server.

Locking parameter

This parameter determines whether the server will lock files when requested by clients, and is intended for use by the Samba developers. Do not change the value of this parameter. Setting it to no will cause all file lock and unlock requests to appear to clients to be successful, but not actually lock. If you disable locking either in the global settings section or on a specific shared resource, this will result in data corruption.
Default value:

Below is a really stupid example:

OLE locking compatibility setting

The parameter determines whether to enable the ability to lock the byte range in files. This capability provides compatibility with OLE applications. The locking mechanism used by Windows OLE can lead to crashes or other problems in certain lock managers used by Phoenix AIA. The default value allows Samba to negotiate lock requests from OLE applications and the Phoenix AIA lock manager. Default value:

OLE locking compatibility = Yes

To pass lock requests from OLE applications directly to the lock manager of the Phoenix AIS, specify:

OLE locking compatibility = No

Oplocks parameter


Default value:

Strict locking parameter

The parameter determines how the server handles file locking. If it is set to yes, then the server checks for the existence of a lock on the file on every read or write attempt and does not allow access if the file is locked. If the parameter is set to no, then the server checks for a lock on the file only at the request of the client. This is how the server behaves by default, as this method provides the best performance.
Default value:

Strict locking = No

Strict locking = Yes

Share modes parameter

Share modes = Yes

Miscellaneous options

This section is a collection of miscellaneous options. Some of them allow you to customize the smb.conf file for a specific system, others allow you to make the Samba server visible on remote networks, and others allow you to determine what users connecting to the server will see.

Preload parameter

The parameter value is a list of services that the server should automatically add to the browse lists. This option is most useful for including home directory browse lists that would otherwise not be visible. The services in the list are separated by spaces.
The default is an empty string (no service is automatically included in browse lists):

Below is an example that automatically includes the share sugar and the sparc_printer in the browse list:

Preload = sugar sparc_printer

Lock dir parameter

The parameter defines the directory in which the lock files will be placed. These files are used by Samba to implement the functionality of the max connections parameter.
By default, a directory named samba is created in the /tmp directory to store lock files:

Lock dir = /tmp/samba

To place the lock files, for example, in the /var/samba/locks directory, specify:

Lock dir = /var/samba/locks

Default service parameter

The parameter specifies the name of the service to which the user will connect if the requested service is not found. There is no default value for this parameter. If the parameter is not specified, then the client will receive an error message when trying to connect to a non-existent service.
Typically, the default service is a public read-only shared resource.
The default is an empty string (if the requested service is not available, no other will be substituted for it):

Default service =

To connect clients requesting a non-existent resource to, for example, the access_tmp service, specify:

Default service = access_tmp

The message command parameter

The parameter specifies the command that is executed when the server receives a WinPopup message. This command should deliver the message to the addressee. How exactly this happens depends on the set of services running on your server. For example, this command can send a message by mail, display it in a window, or simply delete it, but keep in mind that it is executed with the privileges of a guest account. If you come up with a messaging method that works well for your network, write to the Samba team about it.
You can use standard substitution variables in the value of the message command parameter. The following three variables are also defined for all messages:
- %s: name of the file containing the message;
- %t: addressee of the message (usually this is the server name);
- %f: sender of the message.
The default is an empty string, that is, no message handling command is defined. In this case, Samba reports an error to clients trying to send a WinPopup message to the server.

Message command =

To simply erase all incoming messages, set:

Message command = rm %s

The valid chars parameter

The parameter specifies additional characters that will be considered by the server as valid in file names. It can be useful when using national alphabets. The parameter value must be a list of symbols, either in the form of their codes, or in the form of the symbols themselves. Individual characters are separated by spaces. If you separate two characters with a colon, they will be counted as one lowercase and uppercase character, respectively. In order for the parameter to work correctly, you must first set the correct value for the client code page. (By default, smb.conf lists the parameters in the correct order.) If you set the client code page parameter after valid chars, the value of valid chars will be overwritten. The client code page parameter was discussed above in the Filenames section.
It is difficult for any given system to create the correct list of characters to use as the value for the valid chars parameter. The Samba distribution includes a program to help automate this process. The validchars program automatically generates a complete valid chars string for a given client system. This program, the examples with the .out extension, and the sources are located in the examples/validchar subdirectory of the Samba directory.
The default is an empty string (no additional characters are considered valid in filenames):

Remote announce parameter

This parameter allows you to specify a list of IP addresses to which the nmbd daemon will periodically announce itself. Addresses can be on other subnets; you can also specify the name of the workgroup. If no workgroup name is specified, the Samba server workgroup name is used.
This option is useful if you need a Samba server to share resources with a remote workgroup and provides you with another way to manage your network browse lists.
The remote workgroup can be located anywhere - as long as you can send IP packets to it. If your network connections are stable, try setting this parameter to the IP addresses of the well-known browse servers of the remote workgroup.

The default value is an empty string (no announcements are made to remote workgroups):

Remote announce =

Below is an example where nmbd advertises itself to the QandA and ENGINEERS remote workgroups:

Remote announce = 192.168.99.24/QandA 192.168.100.124/ENGINEERS

Remote browse sync option

This parameter only applies to the interaction of the Samba server with other Samba servers. It specifies whether the nmbd daemon will request synchronization of browse lists with the primary browse server, which is a Samba server on the remote network segment. This option allows the server to receive browse lists for multiple workgroups on routed networks, but it will only work correctly if the Samba server can send IP packets to the server it is supposed to sync with.
The default is an empty string (no syncing):

Remote browse sync =

Below is an example in which Samba will try to sync browse lists with Samba servers at 192.168.99.24 and 192.168.100.100.

Remote browse sync = 192.168.99.24 192.168.100.100

Note that Samba simply sends packets to the specified addresses. No verification is performed.

Socket address parameter

The parameter defines the address where Samba listens for connections. It is used to configure multiple virtual interfaces on one server. The Samba server on each of the interfaces can have its own setting.
The default is 0.0.0.0 (Samba will accept connections on all addresses):

Socket address = 0.0.0.0

For example, to have the Samba daemons listen for connections at 192.168.200.250, specify:

Socket address = 192.168.200.250

Time offset parameter

The parameter specifies the offset in minutes that is added to Greenwich Mean Time (GMT) before the normal procedure for determining the local time. This is a deprecated option for older clients that cannot handle daylight saving time (DST).
The default is zero (no offset used):

Time offset = 0

If you have clients on your network that do not support daylight saving time, you can set:

Time offset = 60

Wide links parameter

The parameter determines whether Samba will allow clients to follow links in the UNIX file system to areas outside the exported directories. It is intended for paranoid sysadmins. If the access modes on your system are set correctly, setting this parameter to yes will not compromise system security.

The default value allows clients to follow any links:

Wide links = Yes

To disable this feature, set:

Wide links = No

Follow symlinks parameter

The parameter determines whether the smbd daemon will allow clients to follow symbolic links. If it is set to no, users will receive an error message when trying to access a file or directory that is a symbolic link. Users will then be unable not only to follow symbolic links but also to create them. This setting can improve the security of the system (otherwise, for example, a user can create links to important system files in his home directory). The default value allows clients to follow symbolic links:

Follow symlinks = Yes

Follow symlinks = No
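The settings this reference warns about (wide links combined with follow symlinks, locking = no, a writable netlogon share, a configured message command) can be checked mechanically. The auditor below is an added example, not part of the original reference or of Samba; the sample file, share names and paths are constructed, and the defaults are the Samba 3 values given on this page.

```python
import re

# Constructed sample smb.conf, spelled the way this page writes parameters.
SAMPLE_CONF = """\
[global]
    Workgroup = MYGROUP
    Wide links = Yes
    Follow symlinks = Yes
    Locking = No
    Message command = rm %s

[netlogon]
    Path = /srv/samba/netlogon
    Writable = Yes

[backups]
    Path = /mnt/backups
    Read only = Yes
    Follow symlinks = No
"""

TRUE = {"yes", "true", "on", "1"}

# Defaults as this page states them for Samba 3 (locking: Samba's documented
# default). Other versions differ; `testparm -sv` prints the real ones.
DEFAULTS = {"widelinks": "yes", "followsymlinks": "yes", "locking": "yes",
            "messagecommand": ""}


def norm(name):
    """smb.conf ignores case and whitespace inside section and parameter names."""
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Return {section: {normalised_param: value}}. Line continuations and
    include directives are not handled in this sketch."""
    conf, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = norm(line[1:-1])
            conf.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)  # only the first '=' is significant
            conf[current][norm(key)] = value.strip()
    return conf


def effective(conf, share, param):
    """Share-level value, else the [global] value, else the default."""
    for section in (share, "global"):
        if param in conf.get(section, {}):
            return conf[section][param]
    return DEFAULTS.get(param)


def is_true(value):
    return value is not None and value.lower() in TRUE


def is_writable(conf, share):
    """read only and its inverted synonyms (writable, writeable, write ok)."""
    for section in (share, "global"):
        params = conf.get(section, {})
        for synonym in ("writable", "writeable", "writeok"):
            if synonym in params:
                return is_true(params[synonym])
        if "readonly" in params:
            return not is_true(params["readonly"])
    return False  # read only = yes is the default


def audit(text):
    """Return a list of (section, parameter, reason) findings."""
    conf, findings = parse_smb_conf(text), []
    for share in (s for s in conf if s != "global"):
        if is_true(effective(conf, share, "followsymlinks")) and \
                is_true(effective(conf, share, "widelinks")):
            findings.append((share, "wide links",
                             "symlinks may resolve outside the exported path"))
        if not is_true(effective(conf, share, "locking")):
            findings.append((share, "locking",
                             "lock requests succeed without locking: data corruption"))
        if share == "netlogon" and is_writable(conf, share):
            findings.append((share, "writable",
                             "clients execute logon scripts from this share"))
    if effective(conf, "global", "messagecommand"):
        findings.append(("global", "message command",
                         "runs a server-side command for each WinPopup message"))
    return findings


if __name__ == "__main__":
    for section, param, reason in audit(SAMPLE_CONF):
        print(f"[{section}] {param}: {reason}")
```

The backups share is not flagged for wide links because its own follow symlinks = No overrides the global value.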

Delete readonly parameter

This parameter determines whether files with the DOS read-only attribute can be deleted. The yes value allows the Phoenix AIA access modes to take precedence over DOS access modes, which is useful, for example, for applications such as a version control system (RCS). A situation may arise in which the UNIX access mode prohibits changing the access mode of the file, and the DOS mode prohibits the deletion of this file.
The default is no, which does not allow deleting read-only files:

Delete readonly = No

To enable deletion of read-only files, specify:

Delete readonly = Yes



DOS filetime resolution parameter

DOS filetime resolution = No

Fake directory create times parameter

This parameter allows Samba to "invent" directory creation times to make Microsoft Visual languages compatible with Samba shares. Even the newest file systems such as NTFS and Windows VFAT store creation times that are not the UNIX ctime (time of state change). By default, Samba tells clients the earliest timestamp supported by UNIX. This can cause the compiler to rebuild objects that have not changed. Setting fake directory create times to yes will cause Samba to always report midnight on January 1, 1980 as the directory creation time.
By default, Samba tells clients the UNIX creation timestamp:

Panic action parameter

This parameter is intended for use by Samba developers. It specifies the command to be invoked when smbd or nmbd crashes, notifying the developer that the changes made to the Samba code do not work as expected.
The default is an empty string:

3. SHARED RESOURCES

This section describes all the parameters for the resource.

Base options

In the main parameters section, you can set a comment for the shared resource and the path to it.

The comment parameter

The parameter will set the text that will be visible on clients as a comment for this shared resource.
The default is an empty string (no comment given):

comment =

Below is an example of a set comment for a resource:

Comment = Our server

Path parameter

The parameter defines the directory that will be shared. If you are configuring a print service rather than a file share, then the spool directory must be specified here. The path is specified relative to the root directory, which is defined among the global parameters in the section on security settings.
The parameter value can use standard substitution variables; for this parameter, the following two are especially useful:
- %u The name of the AIA "Phoenix" account with whose rights the connection was made;
- %m NetBIOS system name.
The default is an empty string. If you have set the root directory of the operating system (directory /) as the root directory, then an empty string indicates this directory:

If the root directory is /opt/samba and you set:

Path = /printer/spoolfiles

then the service will use the /opt/samba/printer/spoolfiles directory.

Security options

In this section, you define the access rights for users. Also you can define guest access to the resource here.

Revalidate parameter

This option only works when using resource-level security (security = share). It determines whether Samba will allow a previously verified username/password pair to be used to connect to a new share. By default, connections are allowed without revalidation. If you set the parameter to yes, connect to \\sugar\lesh and then try to connect to \\sugar\hart, Samba will not allow the client to connect automatically, even though the client sends the same username as before. Default value:

Revalidate = No

To enable mandatory password checking when connecting to each new resource, use:

Revalidate = Yes

Username parameter

Another option for working with legacy DOS and Windows for Workgroups clients. This setting degrades system security and performance. The parameter value must be a comma-separated list of usernames. Keep in mind that the setting does not place restrictions on which users can connect. It only tells the Samba server which usernames the password can match. The password supplied by the client is checked against each of these names in turn.
The default is empty string (no users):

Guest account parameter

This parameter sets the username used to access public resources (see guest ok). The privileges of this user are given to any clients connecting to publicly accessible resources. The user specified as the parameter value should not be able to log on normally.
The default is set at compile time; usually nobody:

Guest account = nobody

To use ftp as a guest account, change this line to the following:

Guest account = ftp

Parameter invalid users

The parameter value is a list of users who are denied access to the system. It is a good idea to set invalid users = administrator if you don't need cross-platform administration.
By default, there are no users who are denied access. The parameter value is an empty string:

Invalid users =

To deny access to NT system administrators, use:

Invalid users = administrator admin

The valid users parameter

The parameter value is a list of users who are allowed to access the system. This parameter is optional. By default, its value is an empty string, which means that everyone is allowed access. If a user is specified both in the valid users list and in the invalid users list, then that user is denied access.
By default, the parameter value is an empty string, that is, all users are allowed access to the system:

To allow only phil user access to the system, use:

Valid users = phil

The admin users parameter

The parameter value is a list of users who have administrative privileges for the resources. The specified users can work with files on shared resources with root user rights. This is another parameter that should not be used.
By default, the parameter value is an empty string (no users with administrator privileges):

To give the user georgeh administrator privileges, use:

Admin users = georgeh

Read list parameter

The parameter is a list of users for whom the resource is available in read-only mode.
The default is an empty string (no user is restricted):

To give users phil and cheese read-only access, use:

Read list = phil, cheese

Write list parameter

The parameter is a list of users who are granted read-write access to resources, even if the resource is marked read-only. If a user appears in both the read list and the write list, then he gets access in the "read and write" mode.
The default is an empty string (no user gets write access to read-only resources):

To allow the admin and root users read / write access to read-only resources, use:

Write list = admin, root

Force user parameter

The parameter specifies the name of the UNIX account under which the user connects to the resource. Samba grants the given account the rights after the connection is established, that is, clients still need to provide the correct username and password. All file operations performed after connection will be considered performed by the user who corresponds to the account specified by the parameter. Think carefully if you want to use this option.
The default value is an empty string (users work with the resource on their own behalf):

For example, to run all operations on this shared resource with the credentials of the cheese account, set:

Force user = cheese

Read only parameter

The parameter determines whether the resource access mode is read-only. You must set it to no if you want to make the resource writable.
The default does not allow writing:

Read only = Yes

To make a resource available for writing, set:

Guest only parameter

The parameter will not work if guest access is not allowed in the global parameters section or if the next parameter (guest ok) is set to no. Setting the guest only parameter to no does not deny guest access to the resource.
By default, access to the resource is not restricted to guests:

Guest only = No

To allow only guest access to this resource, set:

Guest only = Yes

Guest ok parameter

The parameter determines whether guest access to the resource is allowed. By default, guest access is denied, which means that clients must provide the correct username and password to connect:

To allow guest access to the resource, set:

The only user parameter

The parameter determines whether access to the resource is allowed to users who are not listed in the value of the user parameter.
Default value:

To allow access to the resource only to users specified in the value of the user parameter, specify:

Only user = Yes

Hosts allow parameter

The value of this parameter is a list of nodes that are allowed to access the service. Commas, spaces and tab characters can be used as separators. If specified in the Globals section, then it applies to all shared resources; moreover, if access is denied for a specific resource for one of the hosts specified in the hosts allow list in the Globals section, then access is still allowed. The nodes in the list can be specified by name, IP address, or IP address-subnet mask pair. You can also list netgroups if your system supports them. The wildcard * may be used. To specify exceptions, it is also permissible to use the except keyword.
If you use the hosts allow parameter, then you must include the local host, localhost, in the list of hosts that are allowed access. Samba requires access to the local interface to work as you'd expect.
In the following example, Samba access is allowed for the local host and all hosts with IP addresses 192.168.*.*:

Hosts allow = localhost, 192.168.*.*

To allow access to the local host and hosts from the specified subnet, use:

Hosts allow = localhost, 192.168.99.0/255.255.255.0

To allow access to the local host and the two named systems:

Hosts allow = localhost, terrapin, deal

To allow local host and subnet access with one exception:

Hosts allow = localhost, 192.168.99.0/255.255.255.0 except 192.168.99.222

The default is an empty string (all nodes are allowed access):

Hosts deny parameter

This parameter plays the opposite role of hosts allow. Nodes from the list specified with its help will be denied access to Samba. Even if it is indicated for a resource that access is allowed for a specific node, if this node is present in the hosts deny list in the Globals section, access will be denied.
The default is an empty string (all nodes are allowed access):

Below is an example denying access for the entire 192.168.111.* subnet:

Hosts deny = 192.168.111.*
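Before deploying a list, it helps to check which addresses it would admit. The following added example (not part of the original page and not Samba's own matcher) is a simplified model of the list syntax described above for hosts allow, which hosts deny shares: names, addresses, address/mask pairs, trailing-dot prefixes, the * wildcard and the except keyword. The function names are hypothetical, host names are supplied by the caller instead of being resolved, and treating localhost as any loopback address is an assumption.

```python
import fnmatch
import ipaddress
import re


def _matches(pattern, addr, hostname):
    """Return True if one list entry matches the client address or name."""
    if pattern == "localhost":
        # Assumption: "localhost" covers every loopback address.
        return addr.is_loopback or hostname == "localhost"
    if "/" in pattern:
        # address/mask pair, e.g. 192.168.99.0/255.255.255.0
        try:
            network = ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
        return addr.version == network.version and addr in network
    if "*" in pattern or "?" in pattern:
        # wildcard entry, e.g. 192.168.*.*
        return (fnmatch.fnmatchcase(str(addr), pattern)
                or fnmatch.fnmatchcase(hostname, pattern))
    if pattern.endswith("."):
        # address prefix, e.g. 192.168.0.
        return str(addr).startswith(pattern)
    return pattern == str(addr) or pattern == hostname


def _list_matches(tokens, addr, hostname):
    """'A except B' matches clients that match A and do not match B."""
    if "except" in tokens:
        i = tokens.index("except")
        return (_list_matches(tokens[:i], addr, hostname)
                and not _list_matches(tokens[i + 1:], addr, hostname))
    return any(_matches(t, addr, hostname) for t in tokens)


def host_allowed(hosts_allow, client_ip, client_name=""):
    """Evaluate a hosts allow value for one client.

    An empty list admits every client, as the page states for the default.
    Entries may be separated by commas, spaces or tabs.
    """
    tokens = [t for t in re.split(r"[,\s]+", hosts_allow.strip().lower()) if t]
    if not tokens:
        return True
    return _list_matches(tokens, ipaddress.ip_address(client_ip),
                         client_name.lower())


if __name__ == "__main__":
    rule = "localhost, 192.168.99.0/255.255.255.0 except 192.168.99.222"
    # Constructed client addresses used only to exercise the rule.
    for ip in ("127.0.0.1", "192.168.99.10", "192.168.99.222", "10.0.0.5"):
        print(ip, "allowed" if host_allowed(rule, ip) else "denied")
```
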

Logging options

This section currently contains only one parameter.

Status parameter

You should not change this parameter. If you set it to no, smbstatus will not be able to determine which connections are active. Default value:

An example of changing the value of this parameter (smbstatus will not be able to detect active connections!):

Additional tuning (Tuning options)

This section contains several settings for shared resources that can affect the performance of your Samba server. Correct tuning of these parameters can increase performance, while incorrect tuning can decrease it.

Max connections parameter

The parameter sets the maximum allowed number of simultaneous connections to the resource. The default value (zero) indicates that the number of concurrent connections is unlimited. Any other value will cause clients to be denied a connection to the resource if the number of connections already open matches this value. Samba uses lock files to do this. They are located in the directory specified by the lock directory parameter.
The default value does not limit the number of simultaneous connections to the resource:

Max connections = 0

To set the maximum allowed number of simultaneous connections to 100, specify:

Max connections = 100

Strict sync option

Use this option to smooth out the differences between how Windows clients treat sync and how AIA Phoenix does. In the Phoenix ZOS, when buffers are written to the hard disk, the running process is stopped until the contents of the buffers have been written. This is a very slow method, but it was necessary in order to be sure of the safety of the data.
By default, smbd ignores sync requests from applications running on Windows clients. This means that if the server fails, there is a risk of data loss. In practice, on AIA Phoenix the chances of this are very slim. In addition, this behavior of smbd helps mitigate performance issues when copying files in Windows 98.
The default value of the strict sync parameter is no, which prevents smbd from writing buffers to disk when it receives a request from the client:

Strict sync = no

Setting this parameter to yes will decrease performance. Use only for troubleshooting:

Strict sync = yes

Sync always parameter

This parameter is ignored if strict sync is set to no. Otherwise, the parameter determines whether the process of writing to the disk should end before the server reports that the write request has been completed. If you set the parameter to yes, then after each write request is executed (but before execution is reported to the client), the fsync () system call is made to write the contents of the buffers to disk.
Default value:

Sync always = no

To force write to disk (strict sync must be set to yes), use:

Sync always = yes

File names

This section contains parameters that determine how the Samba server processes filenames and how it displays these names to users connecting to the resource from various clients. Also, some options allow you to hide certain files from users.

Default case parameter

This parameter specifies the default case for all files and directories created by clients on the Samba server. The value of this parameter affects how the mangle case, preserve case, and short preserve case options work.
By default, the names of files and directories created by clients on the Samba server are in lower case:

Default case = lower

To use uppercase, set:

Default case = upper

Case sensitive parameter

This parameter controls whether file names are case-sensitive (default is no). If the parameter is set to no, then Samba searches for a filename regardless of case. Default value:

Case sensitive = No

To distinguish between names with different case of characters, specify:

Case sensitive = Yes

Preserve case parameter

The parameter determines whether the case of new filenames received from the client is preserved. If you set the parameter to no, then the case of characters in the file names will be converted to the default case.
Default value:

Preserve case = Yes

To enable automatic conversion of new filenames to the default case, set:

Preserve case = No

Short preserve case parameter

The parameter specifies whether new filenames that are in uppercase and short in length are saved as they are, or converted to the default case. The parameter is meaningful if the preserve case parameter is set to yes.
Default value:

Short preserve case = Yes

In order not to preserve the case of characters in short names, specify:

Short preserve case = No

Mangle case parameter

The parameter determines whether names containing characters that are not in the default case are changed (mangled). For example, if the parameter is set to yes, then names such as Mail will change. Default value:

Mangle case = No

Setting yes will only affect filenames that contain uppercase characters. For example, the name FranklinsTower.txt will be converted to the default case.
To enable transformation, specify:

Mangle case = yes

Mangling char parameter

The parameter specifies which symbol will be used when changing file names. The default is tilde, but this setting can cause problems with some programs. You can set any other symbol instead.
Default value:

Mangling char = ~

For example, to use the underscore character, specify:

Mangling char = _

Hide dot files option

This parameter determines whether files with names starting with a period are considered hidden. By default, the commands for listing files in a directory do not display information about hidden files.
Default value:

Hide dot files = Yes

To show files starting with a dot in directories, set:

Hide dot files = No

Delete veto files parameter

This parameter determines what happens when Samba tries to delete a directory that contains one or more vetoed directories. By default, the value no is used, that is, deleting a directory will fail if the protected directory contains regular files or directories. Most likely, these are the settings you need.
If set to yes, Samba will attempt to recursively delete all files and subdirectories in the protected directory. This means that when the parent directory is removed, all such directories will be removed transparently to the user. The user deleting a directory must have the appropriate permissions, or the deletion will fail, regardless of the value of the delete veto files parameter.
Default value:

Delete veto files = No

To change the parameter value, set:

Delete veto files = Yes

Veto files parameter

The value of this parameter is a list of files and directories that are neither visible nor accessible to clients. However, keep in mind that if a directory contains only files in this list, it will be deleted along with all files if the user has the appropriate permissions. In addition, the case sensitive parameter affects the interpretation of the value of the veto files parameter.
The veto files parameter affects the performance of the Samba server. If the parameter is set, the server must check all files and directories for compliance with the specified list.
The default is an empty string (no protected files and directories).
If you want to specify a non-empty list, then the / character is used to separate names in this list, which allows you to specify names containing spaces. The wildcard characters * and ? are allowed in the list. Each item in the list must be a filename, but cannot include the / character.
For example, to hide all files ending in .tmp and files containing the root string from users, specify:

Veto files = /*.tmp/*root*/

Hide files parameter

The parameter value is a list of files and directories that are invisible but available to clients. For each of the files or directories corresponding to the specified list, the DOS attribute "hidden file" is set. The / character is used to separate names in this list, which allows you to specify names that contain spaces. The wildcard characters * and ? are allowed in the list. Each list item must be a file name, but cannot include the / character.
The hide files parameter affects the performance of the Samba server. If the parameter is set, the server must check all files and directories for compliance with the specified list.
The default is an empty string, that is, the "hidden file" attribute is not set for any files or directories.
To hide all files ending in .log, set:

Hide files = /*.log/

The veto oplock files parameter

The parameter can only be used if the oplocks parameter is set for the shared resource. This option allows the Samba administrator to selectively disable oplocks for files. The list format is the same as for the veto files parameter. This parameter is useful if certain files are actively used by several different clients.
The default is an empty string, which means that oplocks are allowed for all files.
To disable the oplocks mechanism for all *.cookie files, specify:

Veto oplock files = /*.cookie/

Mangled names parameter

This parameter determines how clients will see the Phoenix AIA files. Either files with non-DOS-compatible names will not be shown to users, or their names will be mapped to DOS-compatible names. There are five parameters in total that control how names are mapped. This parameter determines whether name mapping takes place at all.
Name mapping allows clients to work with files (for example, copy a file from one system directory to another) while maintaining their original long names.
If you have name mapping enabled for a shared directory, then two files with the same first five characters in the name can get the same name after mapping, causing problems. The chance of this happening is 1 in 1300. Default value:

Mangled names = Yes

To disable name mapping, specify:

Mangled names = No

Mangled map parameter

This parameter allows you to directly set the map for displaying names that are not compatible with DOS / Windows. If you do not want to use name mapping for all files, this option is quite useful.
Let's give one example describing a common situation. The .html extension is commonly used for HTML files on UNIX systems, while the .htm extension is used on Windows/DOS systems. The option discussed here allows you to map the UNIX extension .html to the Windows extension .htm.
Default value:

To map html to htm:

Mangled map = (*.html *.htm)

Browse options

This section currently contains only one parameter.

Browseable parameter

This parameter determines whether the shared resource is visible in the list of available resources when browsing the network. This parameter does not make the resource unavailable - only invisible. By default, all shared resources are viewable.
Default value:

Browseable = Yes

To exclude a resource from the network browsing list, specify:

Browseable = No

Locking options

In this section, you can set file locking options. Correct use of these parameters will improve server performance.

Blocking locks parameter

This parameter determines whether smbd can lock a specific part of an open file at the client's request. Such a request also contains the duration of the requested lock. If the parameter is set to yes and the specified area of the file cannot be locked, Samba puts the lock request on an internal queue and then periodically retries it until the timeout expires. If the parameter is set to no, the client is immediately informed that the lock cannot be granted. If you use this parameter, it must be set individually for each shared resource.
By default, Samba will support requests to lock a portion of a file:

Blocking locks = Yes

To disable this option, specify:

Blocking locks = No

Fake oplocks parameter

You can use the fake oplocks mechanism for filesystems that are read-only to clients, or for shared resources that are available to exactly one client. Using fake oplocks on resources that are written to by multiple clients can lead to data corruption.
The essence of fake oplocks is that the client is told that the oplocks mechanism is supported, which is actually not the case. It is clear that if the resource is read-only, then nothing terrible will happen, although there will be no performance gain either. If a resource is only available to one client, then using fake oplocks is safe and can lead to some performance gain.
By default, the fake oplocks mechanism is disabled:

Fake oplocks = No

To enable it use:

Fake oplocks = Yes

Locking parameter

This parameter determines whether the server will lock files when requested by clients, and is intended for use by developers. Do not change the value of this parameter. Setting it to no will cause all file lock and unlock requests to appear successful to clients without any lock actually being taken. If you disable locking either in the global settings section or on a specific shared resource, this will result in data corruption.
Default value:

Oplocks parameter

This parameter determines whether smbd will use the opportunistic locking mechanism (oplocks) when receiving requests to open files on shared resources. Using this mechanism can increase the speed of file access on the Samba server because it allows clients to cache files locally. Windows NT servers use this mechanism by default. Oplocks can be disabled for specific files located on specific shares by using the veto oplock files parameter.
Default value:

To disable the oplocks mechanism, set:

Strict locking parameter

The parameter determines how the server handles file locking. If it is set to yes, then the server checks for the existence of a lock on the file on every read or write attempt and does not allow access if the file is locked. If the parameter is set to no, then the server checks for a lock on the file only at the request of the client. This is how the server behaves by default, as this method provides the best performance.
Default value:

Strict locking = No

To enable checking of the lock on every read / write operation, specify:

Strict locking = Yes

Share modes parameter

The parameter determines which access modes are used when opening a file. The client can request a mode of access, which implies an exclusive right to read or write. If you set the share modes parameter to no, then the Windows application will not be able to open the file.
The default is yes, which ensures that the shared resources are fully compatible with Windows applications:

Share modes = Yes

There is no point in changing this value.

Miscellaneous Options

In this section, you can set options that allow you to configure shared resources for users connecting to them. You can also specify which resource files are available to users.

Available parameter

The parameter determines whether this shared resource is accessible to users. If you set it to no, then all attempts to connect to the resource will fail (and will also be written to the log file). By default, the resource is available to users:

Available = Yes

To disable a resource, set:

Volume parameter

The parameter specifies the volume label for the shared resource. It can be useful when used as a CD-ROM share on a Samba server, if the Windows or DOS installation programs require a specific volume label.
The default is the name of the resource.
To set the volume label, for example CD_WIN, specify:

Volume = CD_WIN

Fstype parameter

The parameter specifies the type of file system that the Samba server reports to clients for this shared resource. It does not affect the type of filesystem actually used.
The default is NTFS, for compatibility with Windows NT:

To have the Samba server tell clients that the resource is using the FAT file system, specify:

Set directory parameter

This parameter is used when working with Digital Pathworks clients. It indicates whether the client can use the setdir command to change directories.
The default is no because most of the clients are not Digital Pathworks clients:

Set directory = No

To enable interoperability with Digital Pathworks clients, set:

Set directory = Yes

Wide links parameter

This parameter determines whether Samba will allow clients to follow links in the Phoenix AIA file system leading to areas outside the exported directories. It is intended for paranoid sysadmins. If the access modes on your system are set correctly, setting this parameter to yes will not compromise system security.
The default value allows clients to follow any links:

Wide links = Yes

To disable this feature, set:

Wide links = No

Follow symlinks parameter

The parameter determines whether smbd will allow clients to follow symbolic links. If it is set to no, then users will receive an error message when they try to access a file or directory that is a symbolic link. In this case, users can neither follow symbolic links nor create them. This setting can improve the security of the system (for example, otherwise the user can create links to important system files in his home directory).
The default allows clients to follow symbolic links:

Follow symlinks = Yes

To prevent clients from following links, set:

Follow symlinks = No
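The share parameters described above interact: a share takes a value from its own section, then from the global section, then from the default. The following added example (not part of the original page or of Samba) computes those effective values from smb.conf text and reports the combinations this page singles out: admin users, wide links together with follow symlinks, guest ok on a writable share, locking = no, and a hosts allow list without localhost. The function names and the sample configuration are constructed, and the defaults are the ones this page gives for Samba 3.

```python
import re

# Defaults as this page states them for Samba 3; other versions may differ.
DEFAULTS = {"adminusers": "", "widelinks": "yes", "followsymlinks": "yes",
            "guestok": "no", "readonly": "yes", "locking": "yes"}
ALIASES = {"public": "guestok", "allowhosts": "hostsallow"}
# Inverted synonyms of "read only": writable = yes means read only = no.
INVERTED_READ_ONLY = ("writable", "writeable", "writeok")

# Constructed sample configuration, not taken from the page.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = MYGROUP
    Hosts allow = 192.168.99.0/255.255.255.0
    Wide links = Yes

[backups]
    path = /mnt/backups
    Admin users = georgeh
    Guest ok = Yes
    Read only = No

[docs]
    path = /mnt/docs
    Follow symlinks = No
    Locking = No
"""


def norm_name(name):
    """Samba ignores case and whitespace in parameter names."""
    return re.sub(r"\s+", "", name).lower()


def is_yes(value):
    return value.strip().lower() in ("yes", "true", "on", "1")


def parse_smb_conf(text):
    """Return {section: {normalised parameter: value}}."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # continuation line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip()
            key = "global" if norm_name(name) == "global" else name
            current = sections.setdefault(key, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            key, value = norm_name(key), value.strip()
            key = ALIASES.get(key, key)
            if key in INVERTED_READ_ONLY:
                key, value = "readonly", "no" if is_yes(value) else "yes"
            current[key] = value
    return sections


def effective(sections, share, param):
    """Share setting, else [global] setting, else the default."""
    for scope in (sections.get(share, {}), sections.get("global", {})):
        if param in scope:
            return scope[param]
    return DEFAULTS[param]


def audit(text):
    """Return a list of (section, parameter, message) findings."""
    sections = parse_smb_conf(text)
    findings = []
    allow = sections.get("global", {}).get("hostsallow", "")
    hosts = [h for h in re.split(r"[,\s]+", allow.lower()) if h]
    if hosts and not any(h == "localhost" or h.startswith("127.") for h in hosts):
        findings.append(("global", "hosts allow", "list does not include localhost"))
    for share in sections:
        if share == "global":
            continue
        get = lambda param: effective(sections, share, param)
        if get("adminusers"):
            findings.append((share, "admin users",
                             "file operations run as root for: " + get("adminusers")))
        if is_yes(get("widelinks")) and is_yes(get("followsymlinks")):
            findings.append((share, "wide links",
                             "links may lead clients outside the exported path"))
        if is_yes(get("guestok")) and not is_yes(get("readonly")):
            findings.append((share, "guest ok",
                             "guests can write without a username or password"))
        if not is_yes(get("locking")):
            findings.append((share, "locking",
                             "lock requests succeed without locking anything"))
    return findings


if __name__ == "__main__":
    for section, param, message in audit(SAMPLE_SMB_CONF):
        print(f"[{section}] {param}: {message}")
```
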

Dont descend parameter

The parameter specifies a list of directories that will appear empty to clients.
This setting is for convenience, not security. It affects the listing of directories, but not access to them. If the user has the appropriate permissions, he will be able to write or delete files in the specified directories. You can specify multiple directories by separating them with commas.
The default is an empty string (all directories are shown):

To make clients see the /dev and /proc directories empty, specify:

Dont descend = /proc, /dev

Delete readonly parameter

The parameter determines whether files with DOS-read-only attribute can be deleted. Setting yes allows Phoenix AIA access modes to take precedence over DOS access modes, which is useful, for example, for applications such as version control system (RCS). A situation may arise in which the access mode of the Phoenix AIS prohibits changing the access mode to the file, and the DOS mode prohibits deleting this file.
The default is no, which does not allow deleting read-only files:

Delete readonly = no

To enable deletion of read-only files, specify:

Delete readonly = Yes

DOS filetime resolution parameter

This parameter is used to troubleshoot problems that occur when using the DOS / Windows FAT file system. The best resolution that FAT can use for timestamping is 2 seconds. This can cause compatibility issues when using some software products (for example, the Microsoft Visual programming language series) with shared resources on the Samba server. The problem occurs when the on-time locking mechanism is enabled on a shared resource (see the oplocks parameter in the Locking Options section). However, a software product, such as one of the Microsoft Visual programming languages, uses two different calls to read the timestamp to check if the file has changed since it was last read. The first of these calls uses a resolution of one second, the second uses a resolution of two seconds, and rounds off the odd number of seconds to the lower even number. Therefore, if the file has a time stamp of an odd number of seconds, the results of the two calls will be different and the time stamps will appear to be mismatched. As a result, the software product will report that the file has been modified.
If the DOS filetime resolution is set to yes for a share, then Samba will round the timestamp down to an even number of seconds. In this case, Microsoft Visual products are happy and correctly report the file creation time.
The default is no (file creation time is not rounded off):

DOS filetime resolution = No

To have Samba round off file creation times, fooling products like the Microsoft Visual programming languages, specify:

DOS filetime resolution = Yes

Fake directory create times option

This parameter allows Samba to "invent" directory creation times to ensure compatibility of Microsoft Visual programming languages with Samba shares. Even the newest file systems, such as NTFS and Windows VFAT, retain creation times that are not the same as the ctime (time of state change) used in the Phoenix Arena. By default, Samba tells clients the earliest timestamp supported by AIA Phoenix. This can cause the compiler to rebuild objects that have not changed. Setting fake directory create times to yes will cause Samba to always report midnight on January 1, 1980 as the directory creation time.
By default, Samba tells clients the creation timestamp used in the Phoenix AIA:

Fake directory create times = No

To have Samba tell clients a directory creation time compatible with Microsoft Visual compilers, specify:

Fake directory create times = Yes

