|Securing and Optimizing Linux: RedHat Edition -A Hands on Guide|
|Prev||Chapter 31. Software -Server/File Sharing-Network||Next|
The /etc/smb.conf file is the main configuration file for the Samba server, in which you can specify which directory you want to access from Windows machines, which IP addresses are authorized, and so on. The first few lines of the file under the [global] line contain global configuration directives, which are common to all shares, unless they are over-ridden on a per-share basis, followed by share sections. A lot of options exist, and it's important to read the documentation that comes with Samba for more information on each of the different settings and parameters.
The following configuration example is a minimal working configuration file for Samba with encrypted password support. Also, it's important to note that we comment in this Samba configuration only parameters that relate to security and optimization, and left other posiblities for you to explore.
In our example we have created just one directory, [tmp] and have allowed only class C machine IP address ranges to connect on the Samba server. Also, we don't use print-sharing capability between Samba and Windows on this server. Edit the smb.conf file, vi /etc/smb.conf and add/change the following parameters:
[global] workgroup = OPENNA server string = R&D of Open Network Architecture Samba Server encrypt passwords = True security = user smb passwd file = /etc/smbpasswd log file = /var/log/samba/log.%m socket options = IPTOS_LOWDELAY TCP_NODELAY domain master = Yes local master = Yes preferred master = Yes os level = 65 dns proxy = No name resolve order = lmhosts host bcast bind interfaces only = True interfaces = eth0 192.168.1.1 hosts deny = ALL hosts allow = 192.168.1.4 127.0.0.1 debug level = 1 create mask = 0644 directory mask = 0755 level2 oplocks = True read raw = no write cache size = 262144 [homes] comment = Home Directories browseable = no read only = no invalid users = root bin daemon nobody named sys tty disk mem kmem users [tmp] comment = Temporary File Space path = /tmp read only = No valid users = admin invalid users = root bin daemon nobody named sys tty disk mem kmem users
This tells the smb.conf file to set itself up for this particular configuration setup with:
The option workgroup specifies the workgroup your server will appear to be in when queried by clients. It's important to have the same workgroup name on both clients and servers.
The option server string specifies the string that you wish to show to your users in the printer comment box in print manager, or to the IPC connection in the net view command under Windows machines.
The option encrypt passwords if set to True instructs Samba to use encrypted passwords instead of plain text password when negotiating with the client. Sniffer program will not be able to detect your password when it is encrypted. This option always must be set to True for security reasons.
The option security, if set to user, specifies that a client must first log-on with a valid username and password, or the connection will be refused. This means that a valid username and password for the client must exit in your /etc/passwd file on the Linux server and in the /etc/smbpasswd file of the Samba server, or the connection from the client will fail. See Securing samba in this chapter for more information about the smbpasswd file.
The option smb passwd file specifies the path to the encrypted smbpasswd file. The smbpasswd file is a copy of the /etc/passwd file of the Linux system containing valid usernames and passwords of clients allowed to connect to the Samba server. The Samba software reads this file, smbpasswd when a connection is requested.
The option log file specifies the locations and names of Samba log files. With the name extension %m, it allows you to have separate log files for each user or machine that logs on your Samba server i.e. log.machine1.
The option socket options specifies parameters that you can include in your Samba configuration to tune and improve your samba server for optimal performance. By default we chose to tune the connection for a local network, and improve the performance of the Samba server for transferring files.
The option domain master specifies to set nmbd, the Samba server daemon, as a domain master browser for its given workgroup. This option usually must be set to Yes only on one Samba server for all other Samba servers on the same network and workgroup.
The option local master allows nmbd, the Samba server daemon, to try to become a local master browser on a subnet. Like the above, usually this option must be set to Yes only on one Samba server that acts as a local master on a subnet for all the other Samba servers on your network.
The option preferred master specifies and controls if nmbd the Samba server daemon, is a preferred master browser for its workgroup. Once again, this must usually be set to Yes on one server for all the others on your network.
The option os level specifies by its value whether nmbd, the Samba server daemon, has a chance of becoming a local master browser for the Workgroup in the local broadcast area. The number 65 will win against any NT Server. If you have an NT Server on your network, and want to set your Linux Samba server to be a local master browser for the Workgroup in the local broadcast area then you must set the os level option to 65. Also, this option must be set only on one Linux Samba server, and must be disabled on all other Linux Samba servers you may have on your network.
The option dns proxy if set to Yes specifies that nmbd, the Samba server daemon, when acting as a WINS server and finding that a Net BIOS name has not been registered, should treat the Net BIOS name word-for-word as a DNS name and do a lookup with the DNS server for that name on behalf of the name-querying client. Since we have not configured the Samba server to act as a WINS server, we don't need to set this option to Yes. Also, setting this option to Yes will degrade your Samba performance.
The option name resolve order specifies what naming services to use in order to resolve host names to IP addresses, and in what order. The parameters we chose cause the local lmhosts file of samba to be examined first, followed by the rest.
The option bind interfaces only if set to True, allows you to limit what interfaces will serve smb requests. This is a security feature. The configuration option interfaces = eth0 192.168.1.1 below completes this option.
The option interfaces allows you to override the default network interface list that Samba will use for browsing, name registration and other NBT traffic. By default, Samba will query the kernel for the list of all active interfaces and use any interface, except 127.0.0.1, that is broadcast capable. With this option, Samba will only listen on interface eth0 on the IP address 192.168.1.1. This is a security feature, and completes the above configuration option bind interfaces only = True.
The option hosts deny specifies the list of hosts that are not permitted access to Samba services unless the specific services have their own lists to override this one. For simplicity, we deny access to all hosts by default, and allow specific hosts in the hosts allow = option below.
The option hosts allow specifies which hosts are permitted to access a Samba service. By default, we allow hosts from IP class C 192.168.1.4 and our localhost 127.0.0.1 to access the Samba server. Note that the localhost must always be set or you will receive some error messages.
The option debug level allows the logging level to be specified in the smb.conf file. If you set the debug level higher than 2 then you may suffer a large drop in performance. This is because the server flushes the log file after each operation, which can be very expensive.
The option create mask specifies and sets the necessary permissions according to the mapping from DOS modes to UNIX permissions. With this option set to 0644, all file copying or creating from a Windows system to the Unix system will have a permission of 0644 by default.
The option directory mask specifies and set the octal modes, which are used when converting DOS modes to UNIX modes when creating UNIX directories. With this option set to 0755, all directory copying or creating from a Windows system to the Unix system will have a permission of 0755 by default.
The option level2 oplocks, if set to True, will increase the performance for many accesses of files that are not commonly written, such as .EXE application files.
The option read raw controls whether or not the server will support the raw read SMB requests when transferring data to clients. Note that memory mapping is not used by the read raw operation. Thus, you may find memory mapping is more effective if you disable read raw using read raw = no, like we do.
The option write cache size allows Samba to improve performance on systems where the disk subsystem is a bottleneck. The value of this option is specified in bytes, and a size of 262,144 represent a 256k cache size per file.
The option comment allows you to specify a comment that will appear next to a share when a client does queries to the server.
The option path specifies a directory to which the user of the service is to be given access. In our example this is the tmp directory of the Linux server.
The option read only specifies if users should be allowed to only read files or not. In our example, since this is a configuration for the tmp directory of the Linux server, users can do more than just read files.
The option valid users specifies a list of users that should be allowed to login to this service. In our example only the user admin is allowed to access the service.
The option invalid users specifies a list of users that should not be allowed to login to this service. This is really a paranoid check to absolutely ensure an improper setting does not breach your security. It is recommended that you include all default users that run daemons on the server.