Common smb.conf Options
There are hundreds of Samba options. For complete documentation, view the smb.conf man page with this command:
$ man smb.conf
An understanding of a few options suffices for most tasks. A discussion of those options and conventions follows. Note that many options are followed by (G) or (S), meaning they are intended for the [global] section or a share section, respectively.
Special Conventions
Many options that expect users as the value can also take groups. In that case the value is the group name preceded by an at sign; for instance, group acct is written @acct. The @ means look for the group first in NIS, then on the local machine. Prepending & means interpret it as a NIS group only, and prepending + means a local group only.
Several substitution characters can be used in smb.conf. They are all explained on the smb.conf man page. Two, %u and %H, are especially useful. %u will be substituted with the username, whereas %H will be substituted with the user's home directory. For instance, here's a share giving a document directory below /home/everyone to every user, as long as the sysadmin has created a directory with the user's username below /home/everyone:
[everyone]
comment = Accessible to everyone
path = /home/everyone/%u
browsable = yes
public = no
writeable = yes
create mode = 700
The preceding works only if root creates the user's subdirectory, mode 0700, and changes group and owner to that of the user. This is not the best way to accomplish this task. It's merely a demonstration of the %u substitution. Note that the directory creation could also be accomplished with a root preexec= script.
read only= Versus writeable= Versus writable= Versus write ok= (S)
writeable=, writable=, and write ok= are synonyms, meaning they completely substitute for each other. read only= is an inverted synonym for writeable=, writable=, and write ok=, meaning that a read only=yes substitutes for a writeable=no, and a read only=no substitutes for a writeable=yes, and so on. Only one of these four options needs to specify whether a share is writeable. If this option is specified in the [global] section, it serves as a default for all shares. (This is true of all options that can be put in share definitions.) Note that these options can be overridden by the write list= option.
read only=no
writeable=yes
writable=yes
write ok=yes
All four mean the same thing and are interchangeable. The default is read only=yes.
valid users= (S)
The lack of this option or a blank value following the equal sign in any share makes the share accessible to everyone (probably not what you want). To limit access, place a comma-delimited list of valid users after the equal sign:
valid users = myuid, tackett, @acct
This option gives access to users myuid and tackett, and group acct. This option is overridden by the invalid users= option.
invalid users= (S)
This is a list of users who cannot access this share. This list overrides any users in the valid users= option for the share.
[ateam]
valid users = myuid,tackett,art
invalid users = myuid,tackett
This smb.conf snippet allows only art to access [ateam].
read list= (S)
The value is a list of users to be given read-only access. This overrides any read only=, writeable=, and so on, restricting the listed users to read-only access. If any user on the read list= list is also on the write list= option for the share, read list= is overridden and that user can write in the directory.
Does read list= override valid users=? That's an interesting question. When a user not appearing in an existing valid users= list for the share appears in the read list= list, that user is prompted for a password. No matter whose password is input, the user is kicked out. This behavior is exactly mirrored by Samba's smbclient program and Windows Network Neighborhood. Here is an example:
[spec_dir]
path = /home/everyone/spec
valid users = valerie,tackett
writeable = yes
read list = valerie,tackett,myuid
write list = tackett
In this example, the /home/everyone/spec directory can be read by valerie and tackett, but not by myuid (no valid users= entry for myuid). User valerie cannot write the directory because her entry in read list= overrides the writeable= option. However, tackett can write it because his write list= entry overrides his read list= entry.
write list= (S)
Any share can have a list of users who can write to that share, no matter what the writeable= or read list= options say. Here's an example giving write access to [billsdir] for bill, tackett, and myuid, in spite of the fact that the directory is optioned to be read-only:
[billsdir]
valid users = bill, tackett, myuid
read only = yes
write list = bill, tackett, myuid
path= (S)
This is the directory accessed through the share. In the case of a print share, it's the spool directory (spool here before submitting to the printcap printer, which may also have its own spool). Note that if the [global] section contains a root=, root dir=, or root directory=, the path= will be relative to the directory specified as the root.
create mask= and create mode= (S)
These two are synonyms. They specify the maximum permissions for a newly created file. The DOS permissions (read-only, hidden, and so on) will further restrict it. The default is 744, meaning user gets all rights, but group and other get only read. If the owner later marks the file read-only from DOS, the file's actual mode on the Linux box is changed to 544 to reflect the loss of write permissions.
browseable= (S)
The browseable= entry instructs the SMB client whether to list the share in an SMB client's browser (such as Windows Explorer). It does not grant access to users not in the valid users= list, nor does browseable=no deny access to users in the valid users= list.
If set to yes, the existence of the share can be seen even by those without rights to the share. If set to no, it cannot be seen even by those in the valid users= list. However, in clients that allow a user to access a share not listed (smbclient and net use, for instance), browseable=no does not prevent a valid user from accessing the share, as long as the user enters the proper command with the proper share name. For instance, look at the following smb.conf share:
[valsdir]
comment = Valerie's special directory
path = /home/everyone/valsdir
browseable = no
valid users = valerie
Execute the following command:
$ smbclient -NL 192.168.100.1
This is the yield:
Sharename      Type      Comment
---------      ----      -------
everyone       Disk      Accessible to everyone
IPC$           IPC       IPC Service (Jacks Samba Server)
jacksdir       Disk      Jack's remote source code directory
lp             Printer
myuidx         Disk      Myuid's remote source code directory
spec_dir       Disk
valerie        Disk      Home Directories
Notice that share valsdir is not listed. That's because it's not browseable. However, access is not affected on SMB clients allowing a user to access an unlisted share by name. For instance, in SMB client smbclient, user valerie can issue the following command:
$ smbclient //192.168.100.1/valsdir -U valerie
This will bring up an smbclient prompt allowing user valerie to read and write to /home/everyone/valsdir. In Windows, map the share to a drive letter with the following command:
C:\>net use x: \\192.168.100.1\valsdir
In summary, browseable= governs the visibility, not the accessibility, of the resource. However, some SMB clients (such as Windows Network Neighborhood and Windows Explorer) make access of unlisted shares non-obvious.
The default for browseable= is yes. If you are in tight security situations where listing on the client is not desired, you must insert a browseable=no line to make it invisible to the client browser. Note that the smb.conf that ships with Red Hat Linux 7 contains a browseable=no line in [homes], [Profiles] (commented out), and [printers].
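To see how the rules in the preceding option descriptions combine (valid users=, invalid users=, read list=, write list=, the read only=/writeable= synonyms, browseable=, and the %u substitution), here is an added example in Python. It is not code from this book or from Samba: it parses a constructed smb.conf built from the shares shown above and reports each user's effective access and whether a share would appear in a client's browse list. The [acctdir] share, the group-membership argument, and the function names are assumptions of the example.

```python
"""Resolve who can read or write a Samba share from the precedence rules this
section states.  Added example, not Samba's own code: it models valid users=,
invalid users=, read list=, write list=, the read only=/writeable= synonyms,
browseable= and the %u/%H substitutions over a constructed smb.conf string."""
from typing import Dict, List

# Spellings the text calls synonyms, folded to one key.
SYNONYMS = {"writable": "writeable", "write ok": "writeable",
            "browsable": "browseable", "public": "guest ok"}

# Constructed sample: the shares discussed in this section, a [global]
# default, and an assumed [acctdir] share using the @group form.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = MYGROUP
   read only = yes
[everyone]
   path = /home/everyone/%u
   browsable = yes
   public = no
   writeable = yes
[acctdir]
   valid users = myuid, tackett, @acct
[ateam]
   valid users = myuid,tackett,art
   invalid users = myuid,tackett
[spec_dir]
   path = /home/everyone/spec
   valid users = valerie,tackett
   writeable = yes
   read list = valerie,tackett,myuid
   write list = tackett
[billsdir]
   valid users = bill, tackett, myuid
   read only = yes
   write list = bill, tackett, myuid
[valsdir]
   comment = Valerie's special directory
   path = /home/everyone/valsdir
   browseable = no
   valid users = valerie
"""

def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """INI-style parse into {section: {option: value}}; names lower-cased,
    synonyms folded, read only= stored inverted under 'writeable'."""
    conf: Dict[str, Dict[str, str]] = {}
    section = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf.setdefault(section, {})
            continue
        key, _, value = line.partition("=")
        key = " ".join(key.lower().split())
        value = value.strip()
        if key == "read only":  # read only=yes is the same as writeable=no
            key, value = "writeable", ("no" if value.lower() == "yes" else "yes")
        conf.setdefault(section, {})[SYNONYMS.get(key, key)] = value
    return conf

def option(conf, share: str, key: str, default: str = "") -> str:
    """Share value, else the [global] value (global is every share's default)."""
    return conf.get(share, {}).get(key, conf.get("global", {}).get(key, default))

def names(value: str) -> List[str]:
    return [v.strip() for v in value.split(",") if v.strip()]

def listed(value: str, user: str, groups) -> bool:
    """True if user is named, or belongs to a group given as @g, +g or &g."""
    return any(e[1:] in groups if e[0] in "@+&" else e == user
               for e in names(value))

def effective_access(conf, share: str, user: str, groups=frozenset()) -> str:
    """Return 'denied', 'read' or 'write' for user on share, applying the
    overrides in the order the section describes."""
    valid = option(conf, share, "valid users")
    if valid.strip() and not listed(valid, user, groups):
        return "denied"      # a non-empty valid users= shuts out everyone else
    if listed(option(conf, share, "invalid users"), user, groups):
        return "denied"      # invalid users= overrides valid users=
    if listed(option(conf, share, "write list"), user, groups):
        return "write"       # write list= beats read only= and read list=
    if listed(option(conf, share, "read list"), user, groups):
        return "read"        # read list= beats writeable=
    return "write" if option(conf, share, "writeable", "no").lower() == "yes" else "read"

def browseable_shares(conf) -> List[str]:
    """Shares a client's browse list (smbclient -L) would show."""
    return sorted(s for s in conf if s != "global"
                  and option(conf, s, "browseable", "yes").lower() == "yes")

def resolve_path(conf, share: str, user: str, home: str) -> str:
    """Apply the %u (username) and %H (home directory) substitutions."""
    return option(conf, share, "path").replace("%u", user).replace("%H", home)

CONF = parse_smb_conf(SAMPLE_SMB_CONF)
```

One point the example makes concrete: read list= restricts a user who is already valid, but it does not admit a user who is not, so myuid is turned away from [spec_dir] before the read list is ever consulted, exactly as the text describes. Likewise valsdir is missing from browseable_shares(CONF) while effective_access still grants valerie read access to it.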
printable= (S)
This allows printing from the share, so it should be used on any share that's a printer, and not used on other shares. In the [printers] section, printable= defaults to yes. Everywhere else it defaults to no.
hosts allow= Versus hosts deny= Versus allow hosts= Versus deny hosts= (S)
hosts allow= governs which hosts or subnets can access a share. If this option is used in the [global] section, it becomes the default for all shares. If this option is used, it denies entry to all hosts or subnets not specifically allowed. Use this code to allow a single host:
hosts allow = 192.168.100.201
To allow an entire subnet, use its address and subnet mask:
hosts allow = 192.168.100./255.255.255.0
hosts allow= overrides any hosts deny= options, which simply deny access to a host or subnet. allow hosts= is a synonym of hosts allow=, and deny hosts= is a synonym of hosts deny=.
public= and guest ok= (S)
These two are synonyms, with guest ok= preferred in SWAT (Samba Web Administration Tool). The purpose of this option is to allow those without a login on the server to access a share. This is a security compromise that sometimes makes sense on a printer. Care must be used to avoid the possibility of allowing a hostile exploit. For that reason the default is no.
comment= (S) and server string= (G)
These two are related in that they both provide human-readable strings to identify Samba resources in an SMB client's user interface. comment= describes a share, whereas server string= goes in the [global] section and describes the entire Samba server.
domain logons= (G)
This defaults to no, but if set to yes, the Samba server is allowed to serve as a domain server for a Windows 95/98 workgroup. This is different from a Windows NT domain.
encrypt passwords= and smb passwd file= (G)
These options are vital to serving Windows clients, and are discussed extensively earlier in this chapter. Defaults are encrypt passwords=no and smb passwd file=/etc/samba/smbpasswd.
config file= (G)
This is a method of specifying a Samba configuration file other than /etc/samba/smb.conf. When Samba encounters this option, it reloads all parameters from the specified file.
hosts equiv= (G)
This dangerous option points to a file containing hosts and users allowed to log in without a password. This is obviously an extreme security risk. The default is none, and the best policy is to leave this option absent from smb.conf.
interfaces= (G)
This becomes necessary when the server serves multiple subnets. Here's an example:
interfaces = 192.168.2.10/24 192.168.3.10/24
A /24 is a subnet mask. 24 represents 24 bits of 1s, or 255.255.255.0. Thus, the example would serve subnets 192.168.2 and 192.168.3. Normal subnet notations with four dot-delimited numbers can also be used after the slash.
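The following added Python example (not from this book or from Samba) shows how the host and subnet forms used by hosts allow=, hosts deny= and interfaces= resolve to networks, and how the precedence described above (hosts allow= admits only what it lists and wins over hosts deny=) decides whether a client address is accepted. The list values and client addresses are constructed, and the function names are the example's own.

```python
"""Match a client address against hosts allow= / hosts deny= entries and
expand the subnet forms this section uses: address/dotted-mask, trailing-dot
network, and the /24 prefix form of interfaces=.  Added example, not Samba
code; the precedence is the one stated in the text, and all addresses and
list values below are constructed."""
import ipaddress
from typing import List

def parse_host_entry(entry: str) -> ipaddress.IPv4Network:
    """One list entry as a network:
       192.168.100.201             -> 192.168.100.201/32  (single host)
       192.168.100./255.255.255.0  -> 192.168.100.0/24    (network + dotted mask)
       192.168.100.                -> 192.168.100.0/24    (trailing dot: 8 bits per octet given)
       192.168.2.10/24             -> 192.168.2.0/24      (interfaces= prefix form)"""
    addr, _, mask = entry.strip().partition("/")
    octets = [o for o in addr.split(".") if o]
    if not mask:
        mask = "32" if len(octets) == 4 else str(8 * len(octets))
    addr = ".".join(octets + ["0"] * (4 - len(octets)))
    # ip_network takes either a prefix length or a dotted netmask after '/'
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_host_list(value: str) -> List[ipaddress.IPv4Network]:
    """Entries may be separated by spaces and/or commas."""
    return [parse_host_entry(e) for e in value.replace(",", " ").split()]

def matches(value: str, client: str) -> bool:
    ip = ipaddress.ip_address(client)
    return any(ip in net for net in parse_host_list(value))

def host_allowed(hosts_allow: str, hosts_deny: str, client: str) -> bool:
    """Precedence as this section states it: a hosts allow= list admits only
    the hosts it names (so a host in both lists is admitted); a hosts deny=
    list on its own shuts out the hosts it names; neither list means open."""
    if hosts_allow.strip():
        return matches(hosts_allow, client)
    if hosts_deny.strip():
        return not matches(hosts_deny, client)
    return True

def netmask_of(entry: str) -> str:
    """Dotted mask for an entry: '192.168.2.10/24' -> '255.255.255.0'."""
    return str(parse_host_entry(entry).netmask)

def served_subnets(interfaces: str) -> List[str]:
    """Subnets an interfaces= line covers, e.g. '192.168.2.10/24 192.168.3.10/24'."""
    return [str(net) for net in parse_host_list(interfaces)]

if __name__ == "__main__":
    for client in ("192.168.100.201", "192.168.100.7", "10.1.2.3"):
        print(client, host_allowed("192.168.100./255.255.255.0", "", client))
    print(served_subnets("192.168.2.10/24 192.168.3.10/24"))
```

Run stand-alone it prints the decision for three constructed clients. The same parse_host_entry serves both mask spellings, which is why an interfaces= entry such as 192.168.2.10/24 and a hosts allow= entry such as 192.168.100./255.255.255.0 both come out as a /24 network with mask 255.255.255.0.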
load printers= (G)
This defaults to yes. A yes value loads all printers in printcap for Samba browsing.
null passwords= (G)
This option defaults to no, meaning no user with a zero-length password on the server can log in to Samba. Setting this to yes is an obvious security risk.
password level and username level (G)
These determine the level of non–case sensitivity of username and password comparisons. The default is 0, meaning the client-provided password or username is first compared with case sensitivity against the copy on the server, and that the client username or password is converted to lowercase and compared to the copy on the server if that fails.
In troubleshooting Samba connection problems from Windows clients, it's often handy to set these options high (such as 24) to see if that fixes the problem. Although this represents a minor security problem and also slows initial connection, it often solves the problem. Once problems have been fixed, you should re-comment these two options to beef up security and speed authentication.
Connection problems from Windows clients also are often solved with the encrypt passwords= and smb passwd file= options.
security= (G)
Default is security=user, which enforces security by user and password. This is generally the best choice, with excellent security and predictability.
security=server and security=domain are used primarily when password authentication is actually done by yet another machine. security=domain is used to join Samba to an NT domain. security=share offers less security and less predictable operation, but is sometimes a logical choice in less security-intense situations such as if most of the client usernames don't exist on the server, or if most usage is by printers not requiring passwords.
This topic is important, and is discussed further in the documents /usr/share/doc/samba-2.0.7/docs/textdocs/security_level.txt and /usr/share/doc/samba-2.0.7/docs/textdocs/DOMAIN_MEMBER.txt.
workgroup= (G)
This is the workgroup in which the server appears, and it also controls the domain name used with the security=domain setting. The default is WORKGROUP, but the Red Hat 7-supplied smb.conf contains the line workgroup=MYGROUP.
netbios name= (G)
Samba's default behavior is to use the host's hostname as the SMB netbios name. But that default does not always work properly. It's an excellent idea to hard-code the text of the hostname in this parameter. For instance, if the Samba server's hostname is mainserv, the following is recommended:
netbios name=mainserv
wins support= (G)
This specifies that the Samba server also serves as a Windows WINS server. WINS is part of Windows' name resolution system. Every network should have a WINS server, so if you have no NT or Windows 2000 computers acting as a WINS server, you should enable this option. Note, however, that this should never be set if you have another WINS server on your network. Do not confuse this option with wins server=, which simply points to another server acting as the WINS server.
wins server= (G)
This does not make the Samba box a WINS server. Instead, it refers WINS requests to a different host acting as a WINS server. This is important in multi-subnetted networks.
local master= (G)
This defaults to yes, so it's not normally necessary or desirable to set it to no. However, if you want to prevent the Samba server from becoming a browse master on its subnet, setting this to no is the way to do it. Note that a yes value does not specify that the Samba server will be a browse master, only that it will compete with other hosts, in a browser election, to become the local browse master. The winner is decided by the greatest value of os level= and other criteria.
preferred master= (G)
This defaults to no. If set to yes, it does two things. First, it gives the Samba server a slight advantage in winning a browser election. More importantly, it triggers a browser election within thirty seconds of a Samba restart. This guarantees that an election selects a host (not necessarily this one) as a local master browser, thereby preventing those pesky situations in which Network Neighborhood doesn't recognize a share for several minutes or upwards of an hour. There should be only one Samba server set as preferred master, because if there are more they will fight a "browser war" with each other. In browser wars the loser calls for another election, and elections can happen as frequently as every 30 seconds. This brings performance to a standstill.
It's recommended that the host with preferred master=yes also set domain master=yes.
domain master= (G)
Defaulting to no, this option specifies that Samba create a WAN-wide browser on this host. Always set this to yes on multi-subnet networks not containing a Windows PDC. It's recommended to set this option to yes if specifying preferred master=yes.
os level= (G)
Default is 20. The (commented out) option in the default Red Hat 7 smb.conf is set at 33. When a browser election takes place, every possible browse master (including those on Windows computers) is queried for its os level. The one with the highest level wins. In the event of a tie, other factors, such as preferred master=, are taken into account. Setting this to 65 should beat out all Windows 9x, NT, and Windows 2000 servers.
domain logons= (G)
Setting this to yes enables your Samba server to authenticate Windows clients upon logon, not just upon access of files stored on the Samba server.