/etc/samba/smb.conf:

    [global]
    workgroup = EXAMPLE
    hosts allow = 192.168.1. 127.
    encrypt passwords = yes
    smb passwd file = /etc/samba/smbpasswd
    unix password sync = yes
    # perhaps
    passwd program = /usr/bin/passwd %u
    passwd chat = ....
    local master = yes
    domain master = yes
    preferred master = yes
    wins support = yes
    time server = yes
    preserve case = yes

(if cups)

    printing = cups
    printcap name = lpstat

    [lp]
    comment = Samba Printers
    path = /var/spool/samba
    public = yes
    guest ok = yes
    printable = yes
    browseable = yes
    create mode = 700
    print command = lpr -oraw -r -P%p %s

(/cups)

    [homes]
    veto files = /.b* .m* .s* .X*/
    writeable = yes

    [netlogon]
    writable = no

    [public]
    writable = no
    write list = arne, edel

(tips)

    [lp]
    path = /var/spool/lpd/lp
    writable = yes
    public = yes
    printable = yes
    print command = lpr -r -P%p %s
    lpq command = lpq -P%p
    lprm command = lprm -P%p %j

(more tips - note the path that sends Samba to ~/pc)

    [homes]
    hide dot files = yes
    path = %H/pc
    comment = Hjemmekatalog for %u
    browseable = No
    valid users = %S
    writeable = yes
    hide unreadable = yes

    [felles]
    path = /home/felles
    force group = users
    writable = yes
    create mask = 0660
    directory mask = 0770
    force create mode = 0660
    force directory mode = 2770
    comment = Fellesområde
    wide links = no
CUPS: ln -s /usr/bin/smbspool /usr/lib/cups/backend/smb
Then it worked!

Create encrypted passwords:

    cat /etc/passwd | mksmbpasswd.sh > /etc/smbpasswd
    chown root.root smbpasswd
    chmod 600 smbpasswd
    # smbpasswd perulv     (set initial password)

Created the logon script 'logon.bat' in /home/netlogon and set the file '%systemroot%\system32\repl\import\scripts\logon.bat' to only call \\SERVER\netlogon\logon.bat.

Restart Samba:
/etc/rc.d/init.d/samba restart
Norwegian characters:

/etc/smb.conf:

    character set = iso8859-1

possibly also

    client code page = 850 (865)
* Ketil Wendelbo Aanensen
> Ubuntu Breezy:
> Managed to delete smb.conf (the backup too) on my file server. Fun...
>
> I want to:
>
> share /media/arkiv
> and /media/arkiv2
>
> not share /home
>
> I only want access with my own username and password, and read and
> write permissions when I have access. I want access from the other
> Ubuntu machine, and XP.
>
> I want access to the USB-connected printer on the file server.
>
> The server is called dimension.ketil and has a static IP.
>
> Does anyone have a usable smb.conf with these specifications that I can
> borrow, or can otherwise help a poor soul?

The best thing is probably to start with the default file? On my system there is a copy of the original at:

    /usr/share/doc/samba-doc/examples/smb.conf.default.gz

Go through it and change what you must. Mostly sensible default values. For your extra directories (shares) it would perhaps be something like this:

    [arkiv]
    comment = Bla bla og bla
    writeable = yes
    public = yes
    path = /media/arkiv
    force group = users
    create mask = 775
    directory mask = 775

This should mean that created files can be deleted/changed by others. My [global] looks like this:

    [global]
    workgroup = Sagadammen
    server string = %h
    dns proxy = no
    log file = /var/log/samba/log.%m
    max log size = 1000
    syslog = 0
    panic action = /usr/share/samba/panic-action %d
    security = user
    encrypt passwords = true
    passdb backend = tdbsam guest
    obey pam restrictions = yes
    invalid users = root
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword :* %n\n .
    socket options = TCP_NODELAY

I don't understand everything I have done. Especially the line with 'passdb backend'. Where did I get 'guest' from? :-)

--
Jon Haugsand
Dept. of Informatics, Univ. of Oslo, Norway, mailto:jonhaug@ifi.uio.no
http://www.ifi.uio.no/~jonhaug/, Phone: +47 22 85 24 92
Reading a bit in my excellent book, "Linux Samba Server Administration", where preexec is suggested for starting a script/command as a client logs on.

    preexec = rm -rf /     (e.g. :))

The commands are run as an ordinary user, so it is probably not all that dangerous.

postexec is for running something as the client disconnects. If you want the users to be able to load scripts, that can be done with magic script, as someone else here suggested. Two settings:

    magic script = etellerannetnavn
    magic output = outputframagicfilefilnavn

When the file etellerannetnavn is created in the Samba area, it is run by Samba and deleted after running. I.e. in Notepad you create a file called etellerannetnavn and write e.g. ps -aux in it. As soon as it is saved it is run, and outputframagicfilefilnavn will contain the output. PS: This variant is strongly warned against because of the security risk, and because it is a bit difficult to get working properly.

CUPS
Here is the output:

    john@legolas:~/tmp/printer$ sudo rpcclient rivendell -U'root%passwd'
    rpcclient $> adddriver
    Usage: adddriver\ : ::\ : : :\ : \ [version]
    rpcclient $> adddriver "Windows NT x86" "Epson_Stylus_Color_580:PSCRIPT5.DLL:Epson_Stylus_Color_580.ppd:PS5UI.DLL:PSCRIPT.HLP:NULL:RAW:PSCRIPT.NTF" 5.02
    result was WERR_BAD_PASSWORD

About PDC
To add a machine as a member of the domain, create a machine account like this:

    groupadd -g 300 machines
    useradd -c W2Kclient -g 300 -u 550 -M -d /dev/null -s /bin/false pc1$
    passwd pc1$
    smbpasswd -a -m pc1$

Cf. the Samba 2.2.0 documentation before you take everything above at face value!

root must be created in the smbpasswd file in order to join a machine to the domain.

I have set up a box with RedHat 7.0 and Samba 2.0.7 on our office network to take over from a worn-out WinNT server. Samba acts as domain controller. Everything works perfectly except for one thing. I have to give the clients fixed IP addresses and list them in /etc/samba/lmhosts. Then it works.

    wins support = yes
    name resolve order = lnhosts, wins, hosts, bcast

Is it a local DNS I am missing alongside my DHCP daemon?

Additional notes
Create directories under /home/samba for the different user groups. Create the groups. Chown the directories to e.g. root.gruppe1, and then chmod the directory to 770. Then make the users members of the right group.
When it comes to Windows use, you can set an option in /etc/smb.conf that tells Samba which file mask to use when creating new files (from Windows) ... I believe it is called create mask --- see the man page for smb.conf.
If you constantly get an extra page printing at the end of print jobs from Windows clients, try adding an "sf" directive in /etc/printcap. This will suppress form feeds separating jobs, but will not affect form feeds within documents.
It is also perfectly possible (for the Windows users) to create Samba shares that are only available to named users, or only to named groups ...

    # The following two entries demonstrate how to share a directory so that two
    # users can place files there that will be owned by the specific users. In this
    # setup, the directory should be writable by both users and should have the
    # sticky bit set on it to prevent abuse. Obviously this could be extended to
    # as many users as required.
    [myshare]
    comment = Mary's and Fred's stuff
    path = /usr/somewhere/shared
    valid users = mary fred
    public = no
    writable = yes
    printable = no
    create mask = 0765

    character set = ISO8859-1 (default = not set)
    client code page = 850 (default = 850)
    valid chars = æ:Æ ø:Ø å:Å
    create mask/mode = (default: create mask = 0744)
    force create mode (default = 000)
    directory mode/mask (default = 755)
    force directory mode (default = 000)
    force group = klgruppe (default = none) - applies to the service (share?)
    ;force user = nobody (default = none) - applies to operations after login
    hide files = /.*/Desktop/Xrootenv.*/ (hide *nix files from Windows)
    veto files = /.*/... (hide and block access to files from Windows)
    unix password sync = False

but what do I do to quickly remove the locking on the files, and remove the Samba reservation on the printer?
I have had a similar problem and the following procedure has helped, albeit rather brutally:

    stop samba.
    go into /var/lock/samba.
    delete all the files there.
    start samba again.

See the man pages smbmount(8) and smbmnt(8). But to go straight to the problem:

    smbmount "\\server\tmp" -c 'mount /mnt -u uid -g gid -f filemode -d dirmode'

With modes as octal triplets.
set up Linux on the old one and use Samba for file and print sharing. Does anyone have any experience with this, especially with regard to using a W2K Server for login and authentication of users.

Against an NT server the following works excellently!

    [ smb.conf ]
    encrypt passwords = yes
    security = domain
    workgroup = "DOMAIN"
    password server = *

It is also an advantage that the Linux machine knows the names of the clients on the network. The simple, and not very efficient, way is:

    name resolve order = bcast

host and wins are the two other alternatives. (host tries /etc/host first, then DNS!) All the users in the domain must have an account on the Linux machine, but no password. It is therefore handy to have two more lines:

    add user script = /root/bin/samba-adduser %u     (you have to make this yourself)
    delete user script = /usr/sbin/userdel -r %u

Then add the Linux machine to the domain, and run:

    $ smbpasswd -j DOMAIN -r DOMAIN-PDC

And the good news is that this works against Win 2000 too :)
http://www.cs.virginia.edu/~cj9r/DOMAIN_MEMBER.html
Example configuration.

I have set up Samba 2.2.2 and winbind, so users are authenticated against an NT PDC. smb.conf:

    [global]
    workgroup = GRIMSTAD
    netbios name = LINUXRUTER
    server string = ADSL Ruter
    interfaces = 192.168.0.1
    bind interfaces only = Yes
    security = domain
    encrypt passwords = Yes
    update encrypted = Yes
    obey pam restrictions = Yes
    password server = 192.168.0.10
    pam password change = Yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *New*password* %n\n *Retype*new*password* \
        %n\n *passwd:*all*authentication*tokens*updated*successfully*
    unix password sync = Yes
    log file = /var/log/samba/%m.log
    max log size = 0
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    dns proxy = No
    printing = lprng
    winbind uid = 10000-20000
    winbind gid = 10000-20000
    winbind cache time = 10
    template shell = /bin/bash
    template homedir = /home/%D/%U

    [homes]
    comment = Home Directories
    valid users = %S
    read only = No
    create mask = 0664
    directory mask = 0775
    browseable = Yes

    [printers]
    comment = All Printers
    path = /var/spool/samba
    printable = Yes
    browseable = No

    [tmp]
    path = /tmp
    read only = No
    guest ok = Yes

/etc/nsswitch.conf has been updated:

    passwd: files winbind
    shadow: files winbind
    group: files winbind

and various PAM configurations have been updated, e.g. /etc/pam/sshd:

    #%PAM-1.0
    auth sufficient /lib/security/pam_winbind.so
    auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok
    account required /lib/security/pam_winbind.so
    password required /lib/security/pam_stack.so service=system-auth
    session required /lib/security/pam_stack.so service=system-auth
    session required /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022
    session required /lib/security/pam_limits.so
    session optional /lib/security/pam_console.so

What is fun now is that people can log in via ssh with their Windows domain\username and password; no Windows users have been added locally on the Windows machine, winbind takes care of this, and pam_mkhomedir creates the home directory automatically.

Then I can browse the directories from a Windows machine. Since I am logged in to the NT domain, the username\password is sent to the Samba machine and authenticates me as e.g. GRIMSTAD\Nils Olav, and I get to see the directories that are shared out to everyone, as well as my home directory. However, I am never allowed to go down into the home directory! The logs say:

    [2002/01/21 14:58:53, 0] smbd/service.c:make_connection(239)
      nilsolav (148.121.170.86) couldn't find service grimstad/nils olav

Any ideas?
Configure Samba to integrate Windows and Linux, with help from Jack
Here is a procedure downloaded from TechRepublic (dot com)
"The Samba software suite is a collection of programs that implements the Server Message Block (commonly abbreviated as SMB) protocol for UNIX systems. This protocol is sometimes also referred to as the Common Internet File System (CIFS), LanManager or NetBIOS protocol."
Why use Samba?
Simply put, Samba is a means by which you can integrate Linux into a Windows environment. Samba is capable of providing:
- Windows NT and LAN Manager-style file and print services to SMB clients, such as Windows 95, Warp Server, SMBFs, and others.
- A NetBIOS (rfc1001/1002) name server, which, among other things, gives browsing support (Samba can be the master browser on your LAN, if you want).
- An FTP-like SMB client, which allows you to access PC resources (disks and printers) from UNIX, NetWare, and other operating systems.
- A tar extension to the client for backing up PCs.
- A limited command-line tool that supports some of the NT administrative functionality, which can be used on Samba, NT Workstation, and NT Server.

The team of developers who work with Samba consists of about 20 people from around the globe, all focused on the ongoing development of the Samba suite.
Isn't Samba difficult to install and configure?
No. If you can administer a network, you can install and configure Samba and many of its protocols quickly, efficiently, and without harm to your network, covertly if you will. (Insert quiet yet maniacal laughter.)

Thus it begins
I'll make a couple of assumptions here. The first is that you have a working network, and the second is that both your Windows clients (for sake of ease, we're going to deal only with Windows 9x) and your Linux clients are working properly on this network. I'll also assume that you plan to use Linux as your server and your Windows machines as your clients.
So, with the ability to Telnet and FTP into your Linux machine (using host names that were configured in the /etc/hosts file), you're ready to begin configuring the Linux side of Samba.
Server configuration
The first step in configuring the Linux side of Samba is to create a new account (smbusers) and a new group (smb). The account smbusers won't be logged in to, so it's best to disable login. The easiest way to create these accounts is through linuxconf as root. Once you've created them, you'll need to change some permissions and ownerships for the accounts.
Make sure that you have a directory called /home/public. If you don't, create it. (Don't worry, I'll wait.) In case you're not sure how, type
    mkdir /home/public

and you'll be fine.

Now that you have the directory /home/public, let's make some changes to permissions and ownerships. First, make sure that /home/public is owned by smbusers. In addition, it should belong to the smb group, and the permissions should be set (as root) like so:

    chown smbusers:smb /home/public

and then

    chmod 2777 /home/public

Now, any file that's created in /home/public is owned by the smb group.

The primary and most difficult configuration for Samba involves the smb.conf file, which is located in the /etc directory in Linux. At first glance, this file is rather cumbersome, and it's often completely rewritten.
Out of the box, smb.conf looks somewhat like this:
    [global]
    #the main Samba configuration file. You should read the
    # smb.conf(5) manual page in order to understand the options listed
    # here. Samba has a huge number of configurable options (perhaps too
    # many!), most of which are not shown in this example
    #
    # Any line which starts with a ; (semi-colon) or a # (hash)
    # is a comment and is ignored. In this example we will use a #
    # for commentary and a ; for parts of the config file that you
    # may wish to enable
    #
    # NOTE: Whenever you modify this file you should run the command
    #"testparm"
    # to check that you have not made any basic syntactic errors.
    #
    #==============Global Settings==================
    # connections to machines which are on your local network. The
    # following example restricts access to two C class networks and
    # the "loopback" interface. For more examples of the syntax see
    # the smb.conf man page
    ; hosts allow = 192.168.1. 192.168.2. 127.
    # if you want to automatically load your printer list rather
    # than setting them up individually then you'll need this
    printcap name = /etc/printcap
    # It should not be necessary to spell out the print system type unless
    # yours is non-standard. Currently supported print systems include:
    # bsd, sysv, plp, lprng, aix, hpux, qnx
    ; printing = bsd
    # Uncomment this if you want a guest account, you must add this to /etc/passwd
    # otherwise the user "nobody" is used
    ; guest account = GUEST
    # this tells Samba to use a separate log file for each machine
    # that connects
    log file = /var/log/Samba/log.%m
    # Put a capping on the size of the log files (in Kb).
    # security_level.txt for details.
    # Use password server option only with security = server
    ; password server =
    # Password Level allows matching of _n_ characters of the password for
    # all combinations of upper and lower case.
    ; password level = 8
    ; username level = 8
    # You may wish to use password encryption. Please read
    # ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.
    # Do not enable this option unless you have read those documents
    ; encrypt passwords = yes
    ; smb passwd file = /etc/smbpasswd
    # The following are needed to allow password changing from Windows to
    # update the Linux system password also.
    # NOTE: Use these with 'encrypt passwords' and 'smb passwd file' above.
    # NOTE2: You do NOT need these to allow workstations to change only
    # the encrypted SMB passwords. They allow the UNIX password
    # to be kept in sync with the SMB password.
    ; unix password sync = Yes
    ; passwd program = /usr/bin/passwd %u
    ; passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
    # UNIX users can map to different SMB User names
    ; username map = /etc/smbusers
    # Using the following line enables you to customize your configuration
    # on a per-machine basis. The %m gets replaced with the netbios name
    # of the machine that is connecting
    ; include = /etc/smb.conf.%m
    # Most people will find that this option gives better performance.
    # See speed.txt and the manual pages for details
    socket options
    workgroup = NAME
    guest account = GUEST
    encrypt passwords = no
    password level = 0
    preferred master = no
    os level = 0
    null passwords = no
    dead time = 0
    debug level = 0
    domain master = no
    load printers = no

    [public]
    comment = Public Stuff
    path = /home/
    public = yes
    writable = yes
    printable = no
    write list = @staff

This file is responsible for defining everything that occurs on the Linux side of Samba and, as it stands, is a task to piece together. I'm going to try to ease that burden a bit.
A more modest (and easier to explain) smb.conf (and the one that we're going to work with) looks like this:
    [global]
    printing = bsd
    load printers = yes
    log file = /var/log/Samba-log.%m
    lock directory = /var/lock/Samba
    workgroup = WORKGROUP_NAME
    encrypt passwords = no

    [public]
    comment = Public Stuff
    path = PATH_TO_THE_DIRECTORY_TO_SHARE
    public = yes
    writable = yes
    printable = no

    [printers]
    printcap name = /etc/printcap
    comment = PRINTER_COMMENT
    path = /var/spool/Samba
    browseable = no
    guest ok = yes
    writable = no
    printable = yes

    [ljet]
    comment = PRINTER_COMMENT
    security = server
    path = /var/spool/Samba
    printer name = lp
    writable = yes
    guest okay = yes
    public = yes
    printable = yes
    print command = lpr -r -h -P %p %s
    create mode = 0700

Let's examine this file section.
[global]
The [global] section of the smb.conf file handles the basic (and primary) Samba configurations that will be shared by all the resources. Within this section, you'll see entries that cover printing, logs, workgroups, guest accounts, passwords, and a few low-level command entries.
The [global] section of smb.conf contains some key entries for the implementation of Samba. The first entry
    printing = bsd

tells our Samba server what type of printing we are dealing with, in this case bsd. The second entry allows the Samba server to load the printers that are outlined in the various printer sections (in our example, [printers] and [ljet]).

The next most important entry in the [global] section is

    workgroup = WORKGROUP_NAME

This section should be very familiar to the avid Windows networking fan. Within your Windows networking environment, your net is set up as a workgroup. You enter the name of this workgroup here.
The entry
    encrypt passwords = no

is key to allowing your Samba server to communicate with your Win 9x machine. After the later releases of Windows 95, Microsoft started encrypting passwords, which pulled a bit of a snafu on the Samba project. Samba uses unencrypted passwords by default. (Win 9x uses encrypted by default.) You can't browse servers when either the client or server is using encrypted passwords because a connection can't be made anonymously. You can solve this problem in one of two ways: Make Samba deal with encrypted passwords or make Win 9x deal with unencrypted passwords. The latter approach is, by far, the easier.

To make Samba use encrypted passwords, you have to create a matching password file, /etc/smbpasswd, and then make the initial connection with the appropriate authentication. To get the initial connection, enter the share name manually in the Windows File Manager or Explorer dialog box, in the form:

    \\<hostname>\<sharename>

Log on to the server with a username and password that are valid on the server.
For our purposes, it's best to have both server and clients working with unencrypted passwords. It will save a great deal of time and won't sacrifice the security of your network (as long as you have security on your network).
Note: You'll have to make a simple registry edit to enable Windows to work with unencrypted passwords.
[public]
The [public] section allows the Samba server to specify which directory will be shared out to the public. You'll have to make a few choices: Do you open the entire server up to the public, do you limit the public on what it can see, and to what level do you limit the public? This "limitation" will depend on two things: how well you trust those who share the server and how secure you need to keep certain files and directories on your server.
For example, say that you want the "public" to be able to read the entire drive on your server. Your path = statement will look like this:
    path = /

This approach is not advisable for anyone administering a network when multiple users are involved. The best strategy is to put all the files and directories into a single directory (say, /usr/public) and allow that directory to be shared to the public:

    path = /usr/public

For a bit of security, you can allow only members of a specific group to write to the directory by adding the following entry to the [public] section:

    write list = @GROUP_ALLOWED

This little entry will ensure that only GROUP_ALLOWED will be able to write to the /usr/public directory.
[printers] and [ljet]
The last two sections of the smb.conf file ([printers] and [ljet]) define the printers to be shared via Samba. Printing with Samba can be rather tricky. The important thing to remember is that you send the files to be printed to a specified directory (in this case, /var/spool/Samba) and execute the print command (in this case, print command = lpr -r -h -P %p %s) on that file.

I'll examine a few important entries in the printer sections of smb.conf. The entry

    printcap name = /etc/printcap

dictates to the server where the system's printcap file resides. (The printcap file is the configuration file for the system's printer.)

The second important section is the path to the directory where the printer jobs will be spooled. As mentioned above, this entry is

    path = /var/spool/Samba

It will ensure that all print jobs are spooled in the above directory. The final critical entry in the printer section is the print command entry:

    print command = lpr -r -h -P %p %s

It will run the proper print command on the job that's sent to the /var/spool/Samba directory.
The remainder of the printer sections should be self-explanatory.
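An added example, not part of the original article and not Samba's own code: a small smb.conf auditor that parses the file the way smb.conf(5) describes and reports the settings discussed on this page that widen exposure (encrypt passwords = no, path = /, a guest-writable share, magic script, no hosts allow, wide links = yes). The names parse_smb_conf, audit and SAMPLE are this example's own, and SAMPLE is a constructed file assembled from values shown above.

```python
import re

# Synonyms from smb.conf(5); names are compared lower-cased with whitespace removed.
SYNONYMS = {"writeable": "writable", "writeok": "writable",
            "public": "guestok", "allowhosts": "hostsallow"}

def norm(name):
    return re.sub(r"\s+", "", name).lower()

def is_true(value):
    return value.strip().lower() in ("yes", "true", "1")

def parse_smb_conf(text):
    """Return {section: {normalised parameter: value}}."""
    sections, current = {}, None
    text = text.replace("\\\n", "")            # a trailing backslash continues the line
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(norm(header.group(1)), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)    # only the first '=' is significant
            key = norm(key)
            if key == "readonly":              # inverted synonym of writable
                key, value = "writable", "no" if is_true(value) else "yes"
            current[SYNONYMS.get(key, key)] = value.strip()
    return sections

def audit(sections):
    """Return (section, finding) tuples for the risky settings this page shows."""
    findings = []
    g = sections.get("global", {})
    if "encryptpasswords" in g and not is_true(g["encryptpasswords"]):
        findings.append(("global", "encrypt passwords = no: passwords sent in cleartext"))
    if "hostsallow" not in g:                  # per-share hosts allow is not considered
        findings.append(("global", "no hosts allow: smbd accepts clients from any address"))
    for name, share in sections.items():
        if name == "global":
            continue
        writable = is_true(share.get("writable", "no"))
        guest = is_true(share.get("guestok", "no"))
        printable = is_true(share.get("printable", "no"))
        if re.fullmatch(r"/+", share.get("path", "")):
            findings.append((name, "path = /: the whole filesystem is exported"))
        if guest and writable and not printable:
            findings.append((name, "guest ok + writable: anonymous clients can write"))
        if "magicscript" in share:
            findings.append((name, "magic script: a file saved by a client is executed"))
        if is_true(share.get("widelinks", "no")):
            findings.append((name, "wide links = yes: symlinks may lead outside the share"))
    return findings

# Constructed sample, assembled from settings that appear on this page.
SAMPLE = """\
[global]
   workgroup = WORKGROUP_NAME
   encrypt passwords = no

[public]
   comment = Public Stuff
   path = /
   public = yes
   writable = yes
   printable = no

[printers]
   path = /var/spool/Samba
   guest ok = yes
   writable = no
   printable = yes

[felles]
   path = /home/felles
   read only = no
   wide links = no
   magic script = etellerannetnavn
"""

if __name__ == "__main__":
    for section, finding in audit(parse_smb_conf(SAMPLE)):
        print(f"[{section}] {finding}")
```

Run testparm first so that syntax errors are caught by Samba itself; this sketch only looks at the handful of parameters named in the lead-in.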
Finishing up
The final step on the Linux side (after saving the /etc/smb.conf file) is to start the smb daemons. To invoke the necessary daemons (smb and nmb), run the following command as root:
    /etc/rc.d/init.d/smb start

You should receive the following:

    Starting SMB services: [ OK ]
    Starting NMB services: [ OK ]

Once these services are in place, it's time to turn your attention to Windows.
First, make sure that your computer's Ethernet device is working properly. Then, check to see that the name and workgroup name are configured properly. In the Network properties sheet (Control Panel | Network), select the Identification tab and enter both the computer name and the workgroup. (The workgroup is very important and will be reflected in the smb.conf file on Linux.)
Once you've properly named the machine, select the Access Control tab and make sure that share-level access control is enabled. Finally, back on the Configuration tab, go to the File And Print Sharing section and make sure that both options are selected.
Now that you've configured identity and access, move over to the properties of your Ethernet adapter and make sure that the IP address and Subnet Mask are correct for that machine. On the WINS Configuration tab, select the option Enable WINS Resolution and enter all the IP addresses of the machines on your network. Next, on the Gateway tab, enter the gateway address of the Linux server. Then, on the DNS Configuration tab, enter the host name (the name of that machine), the Domain name (the domain of your network), and DNS Servers, if necessary.
Once you've entered all this information, click Apply and click OK. At this point, let Windows reboot. Then, you should be able to see the newly configured Samba server in Network Neighborhood. Double-click that icon and see if you can browse your Linux file server as if it were any old Windows machine.
Printing
You already have your smb.conf file set up and ready for printing. If your printing is taken care of through a Windows machine, you've finished. If your printing needs are met through your Linux server, then you have to configure your Windows machines to print from that particular box. The only thing left to configure is the Windows side of life. Use the Printers applet (in Control Panel) to configure the printer. Click the Add Port button, choose Network, and browse on over to the machine that holds your printer. Once you've added the port, select the General tab and run a test print job. Simple.