“UbuntuHelp:SettingUpSamba”的版本间的差异

2007年11月30日 (五) 21:28的版本

文章出处:

https://help.ubuntu.com/community/SettingUpSamba

点击翻译:

English  • 中文

请不要直接编辑翻译本页，本页将定期与来源同步。

Work in progress
(feel free to add notes)
And no swear words. "Profanity is the strongest expression of a weak mind!"

Anchor(Top)

What is Samba and when do I need it?

To make a long story short : Samba is a set of tools to share files and printers with computers running Windows. It implements the SMB network protocol, which is the heart of Windows networking. You need Samba to :

• act as a server for Windows (or Samba) clients: share folders and printers, including PDF pseudo-printers so all the computers in your network may write PDF files,
• act as a domain controller in a Windows network (authenticating users, etc.)
• do some more complex stuff, such as using a Windows domain controller to authenticate the users of a Linux/UN*X machine...

The Samba project was started in 1992 by Andrew TRIDGELL. It's now an important piece of software in the Linux world when it comes to making Windows and Linux machines inter-operate. More information about Samba can be found at http://www.Samba.org. Also check out the links at the bottom of this page. Top Back to top

Do you need Samba?

Samba is not necessary to:

• Access shared folders, drives and printers on a Windows computer (that is, act as a client with Windows servers), you only need a smbfs plugin. See MountWindowsSharesPermanently
• Have your Windows computer use (via a network) a printer that is attached to a Linux computer, you do not need Samba. CUPS can be configured to make the printer accessible to the network.
• Share directories between two Linux computers. You can use NFS or setup a FTP server on one computer and to access it from other computers using a FTP client.

Top Back to top

Installing Samba

For installing Samba, install the following package: Samba (see InstallingSoftware). Top Back to top

Configuring your computer

Start the network configurator using the following menu: System -> Administration -> Network You will need the General tab, in the middle. Top Back to top

Fill in your settings:

Host Settings
Hostname:       <yourcomputer>
Domain name:    <yourdomain>

Windows Networking
Tick Enable Windows networking
Description:       <whateveryouwant>
Domain/Workgroup:  <yourdomainorworkgroup>

If you want tick WINS server  <thenameoripaddressofyourwinsserver>

Note: If you do not know, ask your network-administrator. Typical settings for the workgroup field are "mshome" or "workgroup". The important settings here are your hostname, which should be filled in already, and the domain/workgroup. Press OK on both Windows and the first part of cooperating with Windows-machines is done. You may also edit the file "/etc/samba/smb.conf" manually, and then use "/etc/init.d/samba" to stop and start the service again. Note: It is possible to not include a "Windows Networking section and continue. Top Back to top

Browsing Samba shares

Ubuntu and Gnome make it easy to access files on a Windows network share. Open the Computer Menu, then click on "Network". You'll see a "Windows network" icon, open it. The next window shows all the domains/workgroups found in your network. Inside each domain/workgroup you get all the computers in it (that is, those sharing something !). Double-click on a computer icon to access its shares and files. Could it be easier ? Before showing a computer's shares, your system may prompt you for a name and password. Fill in the form with the credentials of a valid user for the computer you are connecting to. You may additionally store that password in your keyring for convenience. Note: The default installation of Samba does not synchronize passwords. You may have to run "smbpasswd" for each user that needs to have access to his Ubuntu home directory from Microsoft Windows. Top Back to top

Mounting a Samba share

Mounting a share on the local filesystem allows you to work around programs that do not yet use GnomeVFS to browse remote shares transparently. To mount a Samba share, first install smbfs:

sudo apt-get update
sudo apt-get install smbfs

To allow non root accounts to mount shares, change the permissions on the smbmnt program thus:

sudo chmod u+s /usr/bin/smbmnt /usr/bin/smbumount

The following will mount the myshare folder on myserver to ~/mnt (it will be in your home directory):

mkdir ~/mnt
smbmount //myserver/myshare ~/mnt

To umount,

smbumount ~/mnt

In order to have a share mounted automatically every time you reboot, you need to do the following: Open a shell as root

sudo -s

Create a file containing your Windows/Samba user account details:

vi /etc/samba/user

...it should contain two lines as follows:

username = george
password = secret

Change the permissions on the file for security:

chmod 0600 /etc/samba/user

Now create a directory where you want to mount your share (e.g. /mnt/data):

mkdir /mnt/data

Now edit the file system table (/etc/fstab) and add a line as follows:

//server/share   /mnt/data   smbfs   credentials=/etc/samba/user,rw,uid=bob   0   0

...where 'bob' is the non-root user you log into ubuntu with, 'server' is the name or address of the Windows machine and 'share' is the name of the share. To mount the share now, just use the following command as root. It will mount automatically on subsequent reboots.

mount /mnt/data

to be continued... Top Back to top

Configuring your computer as a server

A fairly comprehensive graphical Samba configuration tool is available for KDE, by installing the "kdenetwork-filesharing" package. Once install, you can find it by launching the KDE Control Center. (Alt-F2 and then type kcontrol). Browse to Internet & Network > Samba. It is fairly easy to use. A less friendly but also graphical tool is UbuntuHelp:Swat, a web-based interface. The following tips show how to do some basic things without installing additional software, using the command line. It is not difficult, just be careful with typos. First open a terminal: Applications > System Tools > Terminal and open the file smb.conf

sudo nano -w /etc/samba/smb.conf

How to Save: To save in nano use "CTRL-O", then "CTRL-X". Tip: Replacing nano with gedit gives you a nice graphical editor. The file *smb.conf* is divided in several sections:

Global Settings
Debugging/Accounting
Authentication
Printing
File sharing
Misc
Share Definitions

Let's start with Global Settings. Here you will see several lines, which you can also see in the graphical networktool like workgroup and wins server. If you changed everything to your liking already then you can skip this section, if not change to what you need. If you do not know what items mean, leave them be and read the relevant part in the real Samba-howto instead of randomly changing them. It will save you trouble-shooting later. The important part for us is File sharing. We need to change:

[homes]
comment = Home Directories
browseable = no
# By default, the home directories are exported read-only. Change next
# parameter to 'yes' if you want to be able to write to them.
writable = no

This describes your /home folder. Usually you want to share this folder in a home-environment, because these are the files you want to share. To do so, make the following changes:

[homes]
comment = Home Directories
browseable = yes
# By default, the home directories are exported read-only. Change next
# parameter to 'yes' if you want to be able to write to them.
writable = yes

This finishes sharing your /home folder. The last thing we need to do is fixing a user. Add users who can access your shares with the 'smbpasswd' command.

sudo  smbpasswd -a username
New SMB password:
Retype new SMB password:
Added user username.

NOTE: the username used here should be a real user setup on your PC/Server. Reload Samba for every change to users/passwords or 'smb.conf'

sudo /etc/init.d/samba reload

That's the basis of Samba file-sharing. Please leave your comments about what else is needed here. - Can/should the SMB password be different from the user's system password? MartinSpacek - 2007-11-19 Top Back to top

Complicating things a little

We started with the base of Samba file-sharing. The above-mentioned items should be enough to get you started. Next we will add details that you might or might not need. Top Back to top

If you have more the one network card

If you have more the one networkcard (or interface) then you have to define where you want Samba to run. In smb.conf under the [global] section, add:

"interfaces = 127.0.0.1, 192.168.0.31/24"
"bind interfaces only = yes"

The first address (127.0.0.1), is a loopback network connection (it's your own machine). The second address (192.168.0.31), is the address of the card you want Samba to run on, the second number (24) is the subnet default for a CLASS-C network. It may vary depending on your network. With "bind interfaces only" you limit which interfaces on a machine will serve SMB requests. You can limit which IP address can connect to your Samba server adding these lines:

"hosts allow = 127.0.0.1, 192.168.0.31, 192.168.0.32"
"hosts deny = 0.0.0.0/0"

The loopback address must be present in the first line. The second line deny access from all IP address not in the first line. Top Back to top

Sharing CUPS Printers

If You would like to share Your printers make the following changes to Samba: If not already done create the Samba-user You want the share to be used by. In smb.conf uncomment and change the lines ending up with the following configuration:

# If you want to automatically load your printer list rather
# than setting them up individually then you'll need this
load printers = yes
# [...] // Some BSD printing stuff, do not edit if You do not need to
# CUPS printing.  See also the cupsaddsmb(8) manpage in the
# cupsys-client package.
printing = cups
printcap name = cups

and in the Share Definitions section append and/or modify the [printers] part ending up like this:

# ======================== Share Definitions ========================
# [...] // File and Folder sharing, do not edit if You do not need to
[printers]
comment = All Printers
browseable = no
path = /tmp
printable = yes
public = yes
writable = no
create mode = 0700
printcap name = /etc/printcap
print command = /usr/bin/lpr -P%p -r %s
printing = cups

Some explanation what is done: the [printers] part defines the default-behavior for all the printers that are mentioned in "printcap name". A sort of template how to create shares for these printers. This template is applied if "load printers" is set to true. For more detailed explanation refer to the Samba documentation. And do not forget to reload Samba:

sudo /etc/init.d/samba reload

Top Back to top

Troubleshooting Samba

A common problem when attempting to access a Samba share from a Windows computer is "System Error 53" after attempting to "Net Use". The first thing you should do, before looking into your conf files, is ensure that the directory you are sharing actually exists. Top Back to top

Links

• UbuntuHelp:SettingUpSambaPDC
• http://www.Samba.org/ The Samba web site
• http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/ 900+ pg pdf document, seems to be updated daily
• http://us1.samba.org/samba/docs/using_samba/toc.html "Using Samba", by Ts, Eckstein, and Collier-Brown (O'Reilly)
• http://ubuntuforums.org/showthread.php?t=2389
• http://ubuntuguide.org/wiki/Ubuntu_Edgy#Samba_Server Samba Server: How to install Samba Server, How to add network users, How to share group folders with read/write permissions, etc.
• http://doc.gwos.org/index.php/Share_files_using_Samba "How to share files using Samba (the more secure way)"

Top Back to top

Comments

From: -- DamienNozay DateTime(2006-06-17T12:21:58Z):: use this to leave a comment:

From: @ SIG@::
<your comment>

• {i} no space between `@` and `SIG` (escaped here)
• {i} see UbuntuWiki:Self:HelpOnPageCreation#variablesubstitution

From WouterdeVries Sat Dec 4 19:42:39 +0000 2004:: From: Wouter de Vries Date: Sat, 04 Dec 2004 19:42:39 +0000 Subject: shares-admin Message-ID: <20041204194239+0000@https://www.ubuntuLinux.org> You could say something about shares-admin, which lets you add shares to the Samba server. From MaartenJongepier Tue Dec 28 17:06:24 +0000 2004:: From: Maarten Jongepier Date: Tue, 28 Dec 2004 17:06:24 +0000 Subject: smb:// protocol Message-ID: <20041228170624+0000@https://www.ubuntuLinux.org> You doesn't always need Samba, isn't is? You can also use smb://Windows-compu/share. That works too I thought Not much here about how to use a Windows printer from Linux. I figured out how to get my Ubuntu machine to access the USB printer (HP LaserJet 1012) on my Windows XP machine, so I'll post that here (at least I will be able to find this when I forget how I did it). 1. Installed the HP LaserJet 1012 on the XP box using the CD that came with the printer. 2. Shared the printer as "LJ1012" (or whatever you want to call it). 3. Created a user named "Guest" (with no password) and added that user under the Security tab for the printer. 4. On Ubuntu, from the command line, entered: sudo adduser cupsys shadow (this is absolutely KEY!!!) 5. Downloaded the best driver (HP-LaserJet_1012-pxl1010.ppd) from Linuxprinting.org and copied to /usr/share/cups/model/foomatic-ppds/HP/ 6. In Firefox, went to localhost:631 (for Cups) 7. Add Printer - when prompted, logged in as the primary user (my name, not root), with my usual password. This (plus step 4) gets around the problem of there not being a 'root' account in Ubuntu. 8. Chose Windows Printer (Samba) from Add Printer dialogs (way at the bottom of the list). 9. Used the network address smb://guest@WINMACHINE/LJ1012 10. Using the Gnome printer applet, adjusted the paper size to US Letter (applet sometimes freezes, but does not seem to do any harm). What a PITA, but it WORKED. This printer is a great buy. From dturnbull Mon Mar 28 07:53:18 +0100 2005:: From: dturnbull Date: Mon, 28 Mar 2005 07:53:18 +0100 Subject: Bleh, had to edit printers.conf Message-ID: <20050328075318+0100@https://www.ubuntuLinux.org> I wanted to use the printer on a Windows system and had no luck with the GUI or the HTTP configuration interfaces. I ended up editing /etc/cups/printers.conf and changing (for example)

DeviceURI smb://WARRIOR/R300

to

DeviceURI smb://GUEST@WARRIOR/R300

After that everything else was configurable from the Gnome GUI. This was in Hoary preview. From NickIrvine Thu Apr 7 14:03:47 +0100 2005:: From: Nick Irvine Date: Thu, 07 Apr 2005 14:03:47 +0100 Subject: Addition to text Message-ID: <20050407140347+0100@https://www.ubuntuLinux.org> When the text mentions using smbpasswd, it should be noted that the user added as username has to exist as a Linux user as well. From:me:: What about encrypt passwords = no ? Windows is setup not to use network passwords by default so I think creating a network user is not right. From:JonJ Mon Aug 28 2006 :: Regarding "Mounting a Samba share", how can this be done if you don't want the share mounted at boot, but would rather each user be authenticated when they try to connect, either by 'mount' at command line, or by clicking the drive in nautilus? With an fstab line like //pc/share /media/data smbfs user,noauto,rw 0 0 The problem seems to be that only the user who owns the mount directory /media/data can mount it, even if permissions are set to 777. Simply "Browsing Samba shares" is not as good an option, because you can't open / save files to the share in oowriter for example. Top Back to top

Active Directory Integrated File Server

Purpose of Document

The purpose of this document is to provide a guide to configuring Samba on Ubuntu to act as a file server in a Windows environment integrated into Active Directory. The goal is to create a file server that is as close to a one to one replacement for a Microsoft Windows file server as possible from the client's perspective. Top Back to top

Background

It is important to keep in mind that the Samba developers have to play detective to try to basically reverse engineer the Microsoft implementation of the SMB protocol. The end result is that there are occasional issues that must be worked around if a bug fix does not exist. With the instructions below, expected behavior should be acceptable in most corporate environments. Samba allows for a great deal of flexibility in how shares behave on a per-share basis. It is outside the scope of this document to cover each configuration setting and how they behave. It would be very beneficial to first read the smb.conf documentation found at the Samba web page. There are quite a few settings in the documentation, but getting a general feel of what they are and what they do will help in understanding this document and how you can take a step beyond by changing settings for your own tastes and environment. Top Back to top

Prerequisites

This document is written based on Edgy 6.10, and the original author has also successfully configured Dapper 6.06 using almost these exact steps. Note that security updates need to be enabled for not only the main repository, but for the universe repository as well (as now documented below). If this is not done, any security updates for the main (supported) packages create failed dependencies for the relevant universe packages. If all packages listed are installed correctly, either 6.10 or 6.06 should behave the same. Here is the list of prerequisites specific to this document:

• Ubuntu 6.10 Server default installation
• Windows 2003 Native Domain (mixed-mode not tested, but may work)
• Ample hard drive space to accommodate packages and shares
• Proper IP DNS settings configured so that internal names can be resolved
• root account enabled and all actions performed as root

Top Back to top

Installation

In order to make this guide easier to understand, I'll make the following assumptions:

• domain name: DOMAIN
• full domain: DOMAIN.LOCAL
• domain admin account: jsmith
• backup user account: backup1
• share name: common
• primary domain controller: PDC1
• file server name: SMB1
• primary subnet: 192.168.1.0/24
• remote subnet: 192.168.0.0/24

Simply substitute your own domain and user information in the steps below. 1 Edit /etc/apt/sources.list to uncomment the Universe section:

vi /etc/apt/sources.list
deb http://us.archive.ubuntu.com/ubuntu/ edgy universe
deb-src http://us.archive.ubuntu.com/ubuntu/ edgy universe
deb http://security.ubuntu.com/ubuntu edgy-security universe
deb-src http://security.ubuntu.com/ubuntu edgy-security universe

2 Update apt packages.

apt-get update

3 Install the necessary packages.

apt-get install krb5-user winbind samba acl attr

4 Set file system to mount with ACL and Extended DOS attributes enabled.

vi /etc/fstab
<main file system> / ext3 defaults,acl,user_xattr,errors=remount-ro 0 1

5 Reboot.

shutdown -r now

6 Create Samba directory and shares. Repeat for all desired shares.

mkdir /share
chmod 770 /share
mkdir /share/common
chmod 770 /share/common

7 Edit /etc/krb5.conf to match the following:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = DOMAIN.LOCAL
dns_lookup_realm = true
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
DOMAIN.LOCAL = {
kdc = PDC1
admin-server = PDC1
default_domain = DOMAIN.LOCAL
}
[domain_realm]
.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

8 Edit /etc/samba/smb.conf to match the following:

#Global Settings
[global]
# Settings
kernel oplocks = yes
client use spnego = yes
server signing = auto
client signing = auto
template shell = /bin/bash
nt acl support = yes
change notify timeout = 0
# Share Behavior
inherit permissions = yes
inherit acls = yes
map acl inherit = yes
acl compatibility = auto
dos filemode = yes
dos filetimes = yes
dos filetime resolution = yes
map archive = yes
map system = no
map hidden = no
ea support = yes
force create mode = 0760
# Domain Settings
workgroup = DOMAIN
server string = SMB1
os level = 0
preferred master = no
announce as = NT Server
announce version = 4.9
browse list = yes
domain master = no
local master = no
enhanced browsing = yes
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
winbind use default domain = no
winbind enum groups = yes
winbind enum users = yes
winbind separator = +
realm = DOMAIN.LOCAL
# Security
hosts allow = 192.168.1. 192.168.0. 127.
security = ads
password server = *
encrypt passwords = yes
# Printers
printcap name = /etc/printcap
load printers = yes
printing = cups
cups options = raw
# Logging
log file = /var/log/samba/%m.log
log level = 3
max log size = 500
# Network Settings
remote announce = 192.168.0.
disable netbios = no
netbios name = SMB1
# Network Shares
[common]
comment = comments on the share
path = /share/common
guest ok = no
read only = no
writeable = yes
create mask = 0760
directory mask = 0760
acl group control = yes
store dos attributes = yes

9 Edit /etc/nsswitch.conf to match the following:

passwd:         compat winbind
group:          compat winbind
shadow:         compat
hosts:          files dns wins
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis

10 Edit /etc/pam.d/common-account to match the following:

account sufficient      pam_winbind.so
account required        pam_unix.so

11 Edit /etc/pam.d/common-auth to match the following:

auth    sufficient      pam_winbind.so
auth    required        pam_unix.so nullok_secure use_first_pass

12 Edit /etc/pam.d/common-password to match the following;

password required       pam_unix.so nullok obscure min=4 max=50 md5

13 Edit /etc/pam.d/common-session to match the following:

session required        pam_unix.so
session optional        pam_foreground.so
session required        pam_mkhomedir.so umask=0022 skel=/etc/skel

14 Initialize Kerberos.

kinit [email protected]

15 Join your Samba server to the domain.

net ads join -U [email protected]

16 Reboot

shutdown -r now

17 Copy all files and folders to their proper shares. You can use whatever method you wish, however note that the shares are NOT accessible via Samba yet (permissions). 18 Configure permissions for all files and folders. Repeat for all shares and appropriate groups/permissions. Even if you plan to backup the shares using some other method (eg: local rsync), you most likely want to run the "group" commands below so that domain admins and domain users have access to the shares.

setfacl -R -m group:"DOMAIN+domain admins":rwx /share
setfacl -R -m group:"DOMAIN+domain users":rwx /share/common
setfacl -R -m user:"DOMAIN+backup1":rwx /share
setfacl -R -m user:"DOMAIN+backup1":rwx /share/common

19 Configure DOS Extended attributes for all files and folder to have archive bit set

/usr/bin/find /share/ -name '*' -exec setfattr -n user.DOSATTRIB -v \"0x20\" {} \;

20 Perform initial full backup. 21 Configure backup software to do incremental backups and reset archive bit. 22 Create a cron to set the archive bit for certain files.

touch /var/spool/cron/crontabs/root
chmod 700 /var/spool/cron/crontabs/root
vi /var/spool/cron/crontabs/root
(scheduled time) /usr/bin/find /share/ -name '*' -mtime 0 -exec setfattr -n user.DOSATTRIB -v \"0x20\" {} \;

Installation Notes

While the reboots are not necessary, it is an easy and expedient way to apply the configuration changes. It does guarantee that the proper services will be restarted in the correct order to minimize the opportunity for failure. The reason for the cron to manipulate the archive bit is that some programs such as Microsoft Word and some database applications will modify files but the archive bit will not be set. This is important if your backup software relies on the archive bit to know what files to copy. If your backup software relies stricly on date last modified, this is not an issue. The cron job sets the archive bit for files modified within the last 24 hours. If you need this functionality, allow at least one hour for this to run before your backup software kicks off. I have heard that the latest Samba packages (3.0.23d as of this writing) fix this archive bit issue. I have not tested this theory. Currently, Ubuntu packages use Samba 3.0.22. You can have more than one user or group configured with ACL permissions. Setting permissions to rwx is the same as full control. You should provide full controll (rwx) to the domain account your backup software uses as in step 18. With this configuration, you should be able to have nested groups. I have heard some people have trouble with this. I currently believe this to be a corruption of Active Directory that causes improper group membership to be reported to Samba. If you have multiple subnets (i.e. remote offices), you MUST put them in the hosts allow section. If you do not, they will be denied access. If your Samba server is having problems resolving the name of the primary domain controller, you can add a line to /etc/hosts in order to manually resolve the address. These instructions are valid as of 1/1/2007 with all security patches applied via apt-get upgrade. Since the package krb5-user is outside the scope of regular security patches of the main branch, the longevity of this guide cannot be guaranteed. As can be seen with 6.06, security upgrades can break the installation process if you are not careful. Regardless, if you can install all packages listed successfully, these instructions should work properly. Top Back to top

Basic Debugging Commands

True debugging is well outside the scope of this document, however the following commands will get you started and looking in the right direction.

Kerberos Issues

To get a list valid kerberos tickets, use the command:

klist

The detail itself is outside the scope of this document, however klist will tell you if you have a valid kerberos ticket, what it believes to be the default principal, and where it is looking for the ticket cache.

Domain Issues

To test to see if the local machine is joined to the domain, use the command:

net ads testjoin

You should get back "Join is OK" if all is well. Top Back to top

Configuring

All necessary configuration for basic operation is provide in the installation guide. You can tweak settings further using the smb.conf documentation found on the Samba web page. Read the documentation carefully before making changes. Some settings may not do what you think they will based on the name. Top Back to top

Adding Shares

Copying the template above in the smb.conf and pasting it in with the proper share name and path settings is all that is needed to create new shares. Alternatively, you can use the web based tool swat to add and manipulate shares. If I get time, I will add documentation here how to do that. Top Back to top

Security

The hosts allow setting prevents computers outside authorized subnets from accessing shares. You can get even more fine grained and use specific IP addresses if your environment calls for it. There are scripts that have been written that allow access logs to be dumped to a mysql database to track who accesses files. I am in the process of testing this and will write documentation on it when I get the time. Top Back to top

Backups

You can use any backup software you want. This configuration has been tested and validated to work with Computer Associates Brightstor ARCserve Backup 11.5 SP1. Theoretically, any software should work. You could also use the rsync utility. Top Back to top

Final Thoughts

Samba can be a great way to cut licensing costs as there is no per-user licensing fee. It also allows a high level of per-share flexibility. Being able to store access logs in a mysql database can be great for quickly answering questions from management. I do not know what implications this could have on regulations such as Sarbanes-Oxley. Such questions are outside the scope of this document and outside my knowledge. Please feel free to correct any mistakes found here. Top Back to top