The central Samba configuration file is smb.conf, and it is usually located in Samba's lib directory (for example, /usr/local/lib). However, some distributions put the configuration file in an etc directory, such as /etc/samba or /usr/local/etc. The smb.conf file breaks down into several sections denoted with square brackets (such as [global] and [printers]).
The [global] section in smb.conf contains general options that apply to the entire server and all shares. These options pertain primarily to network configuration and access control. Here is a sample [global] section that shows you how to set the server name, description, and workgroup:
[global] # server name netbios name = name # server description server string = My server via Samba # workgroup workgroup = MYNETWORK
These parameters work as follows:
netbios name The server name. If you omit this parameter, Samba uses the Unix hostname.
server string A short description of the server. The default is the Samba version number.
workgroup The SMB workgroup name. If you're on a Windows NT domain, set this parameter to the name of your domain.
There are a few options that you can add to your smb.conf file to put limits on the machines and users that can access your Samba server. The following list includes many options that you can set in your [global] section, as well as in the other sections that control individual shares (described later in the chapter):
interfaces Set this to have Samba listen on the given networks or interfaces. Here are two examples:
interfaces = 10.23.2.0/255.255.255.0 interfaces = eth0
bind interfaces only Set this to yes when using the interfaces parameter in order to limit access to machines that you can reach on those interfaces.
valid users Set this to allow the given users access. For example:
valid users = jruser, bill
guest ok Set this parameter to true if you would like a share to be available to anonymous users on the network.
guest only Set this parameter to true to allow anonymous access only.
browseable Set this to make shares available in Samba's browseable share list. If you set this parameter to no for any or all shares, you will still be able to access shares on the Samba server, but they will not be browseable, and therefore you will need to know their exact names.
In general, you only want to allow access to your Samba server with password authentication. Unfortunately, the basic password system on Unix is different than that on Windows, so unless you specify clear-text network passwords or authenticate passwords with a Windows server, you must set up an alternative password file. This section shows you how.
Assuming that your Samba configuration directory is /etc/samba, you can use these entries in your [global] section to define the Samba password file as /etc/samba/passwd_smb:
# use a separate password file for Samba to enable encrypted passwords security = user encrypt passwords = yes smb passwd file = /etc/samba/passwd_smb
With these lines in place, you can manipulate the passwd_smb password file with the smbpasswd program.
If you have access to a Windows NT domain, you can set security = domain, to make Samba use the domain's usernames and eliminate the need for an SMB password file. However, in order for domain users to access the machine running Samba, each domain user must have a local account with the same username on the machine running Samba.
The first thing you need to do in order to give a Windows user access to your Samba server is to add the user to the passwd_smb file with the smbpasswd -a command:
smbpasswd -a username
The username parameter to the smbpasswd command must be a valid username on your Linux system.
Much like the regular system's passwd program would, smbpasswd asks you to enter the new user's password twice. If the Samba password file does not exist, smbpasswd creates it for you, then confirms that it has created the new user.
To remove a user, use the -x option to smbpasswd:
smbpasswd -x username
At times, you may not necessarily want to delete a user, but rather, temporarily deactivate the user. The -d option disables a user; and -e re-enables the user:
smbpasswd -d username smbpasswd -e username
You can change a Samba password as the superuser by using smbpasswd with no options or keywords other than the username:
However, if the Samba server is running, any user can change their own Samba password by entering smbpasswd by itself on the command line.