Wednesday, October 27, 2010

Managing Samba (Part 3 of 6): Configuration for remote management, part 1

Samba is the bridge between the Linux and Microsoft worlds. Samba-3 can help administrators create transparent interoperability of Microsoft Windows clients with a Unix or Linux server environment. Even so, seamless interoperability is not easy to achieve, but mastering a few Samba configuration tasks helps. So let's get started with this tutorial on smb.conf.

The configuration parameters in the Samba smb.conf control file permit the transparent management of Samba using tools that are native to the Microsoft Windows environment.

By the way, this is the third installment in a series on Managing Samba. The first article in this series explains how Samba handles Windows security identifiers. The second tip describes user rights and privileges in the Microsoft Windows networking environment.

Anatomy of a Samba configuration

To appreciate the complexity involved in creating transparent interoperability of a Microsoft Windows client with a Unix or Linux environment, open up a system shell on your Samba host server and execute this command:

testparm -sv | more

You will soon discover that there are over 300 parameters that can be set in the smb.conf configuration file. While it may be tempting to discuss every one of them, this is not necessary. Even a complex Samba configuration can usually be accomplished using fewer than 30 specific parameters in the [global] section of the smb.conf file.

The parameters fit into a set of functional categories. The functional categories determine how Samba interacts with Windows networking protocols, how Samba interacts with the underlying Unix file system, and how Samba interfaces with the host operating system.

In this next section, I'll list some terms that summarize commonly used configuration parameters.

Base parameters

  • netbios name - sets the machine name (i.e. the computer name). If not set, the host name of the server is used.
  • netbios aliases - can be used to present the Samba server under multiple computer names.
  • workgroup - sets the workgroup name (the same as an NT4 domain name).
  • realm - applicable only when Samba is an Active Directory domain member.
  • interfaces - instructs Samba which network interfaces to use. When used with bind interfaces only = Yes, it instructs Samba to provide file services (TCP ports 139 or 445) only on the specified interfaces. NetBIOS name resolution services (UDP ports 137 and 138) will still work on all interfaces.

Lightweight Directory Access Protocol (LDAP) controls

LDAP controls are only necessary when Samba is run as a primary domain controller/backup domain controller (PDC/BDC) combination. Basic mandatory controls when using an LDAP directory to store Samba account credentials include:

  • ldap admin dn - defines the administrative DN needed to write to LDAP
  • ldap suffix - defines the base of the directory information tree
  • ldap [user,group,machine,idmap] suffix - sets the container in which the various account records are stored

Logging parameters

The default values are usually adequate; these parameters are normally changed only for debugging. Commonly used parameters include:

  • log level - sets the diagnostic intensity level. Typical values are:
      0 - record only critical errors
      1 - default
      3 - for debugging simple file system access problems
      5 - for complex system diagnostics
      10 - permit detailed diagnosis of authentication errors
  • log file - specifies the name of the log file. Example: /var/log/samba/%m.log creates a separate log per client.
  • max log size - sets the size limit at which Samba should rotate the log file. The file is renamed to oldfile.log and a new file is created.

System interface scripts

The system interface scripts are called when an external application needs to change host operating system environment information. An external application can be the NT4 Domain User Manager or the Samba net utility. When a Windows client is joined to the domain, the add machine script is called to create the Unix system account that is needed so that the corresponding SambaSAMAccount entry can be created to store the machine trust account information.

Examples of necessary actions include user/group account manipulation, adding/editing/deleting shares, adding/editing/deleting printers, calling system initialization scripts, etc. The common parameters needed are as follows:

  • Account management: add group script, add machine script, add user script, add user to group script, delete group script, delete user from group script, delete user script, set primary group script, rename user script
    Note: where LDAP is used, the scripts specified must be able to manage the directory contents. Where LDAP is not used, the normal Unix system account management tools can be specified, for example: add user script = /usr/bin/useradd -m '%u'.
  • Resource management: add share command, change share command, delete share command, add printer command, delete printer command, abort shutdown script, shutdown script

Samba operating mode parameters

Let's move on to Samba operating mode parameters:

  • domain logons - when set to Yes, Samba enables the network logon service. This provides the domain control capability needed for a PDC/BDC.
  • enable privileges - when set to Yes, enables the assignment of rights and privileges. Note: Samba-3.0.11 and later only.
  • logon drive - sets the drive letter that Windows NT4/200x/XP clients associate with the execution of network logon scripts. This is the drive to which the home directory is mounted if net use /home is executed on a Windows client, either in a command shell or from the logon script.
  • logon home - used only by Windows 9x/Me clients.
  • logon script - the logon script that is executed when a user logs on to a domain member client.
  • passdb backend - specifies which backend Samba uses to store SambaSAMAccount information. The default is smbpasswd; the two common alternatives are tdbsam and ldapsam. Both ldapsam and tdbsam can store the advanced SambaSAMAccount information; smbpasswd cannot.
  • security - sets the Samba server mode. Acceptable settings are:
      user - Samba is either a standalone server or a domain controller.
      domain - Samba is an NT4-style domain member.
      ads - Samba is an Active Directory member (uses Kerberos authentication and security, but only as a member, not as an ADS domain controller).
      server - Samba is not a domain member but uses an external authentication server. This pass-through authentication is largely obsolete.
  • domain master - leave this at the default value on all systems except a BDC. On a BDC, this parameter must be set to No.
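As an added example (not code from the original post or from the Samba project), here is a small Python check that reads a constructed smb.conf [global] fragment and flags the settings the base, logging and operating mode sections above warn about: security = server, an smbpasswd backend, interfaces without bind interfaces only, a left-over high log level, and domain master on a BDC. The fragment, parse_global and check_global are my own, not Samba tooling.

```python
import configparser
import io

# Constructed smb.conf [global] fragment (not taken from the original post). It
# deliberately contains the settings the article warns about so the checks fire.
SAMPLE_SMB_CONF = """\
[global]
    netbios name = FILESERVER
    workgroup = EXAMPLE
    interfaces = eth0 192.168.1.0/24
    log level = 10
    log file = /var/log/samba/%m.log
    security = server
    passdb backend = smbpasswd
    domain logons = Yes
    domain master = Yes
"""

def parse_global(text):
    """Return the [global] section as a dict keyed by lowercased parameter name."""
    # Strip indentation so configparser does not treat indented lines as value
    # continuations; smb.conf only uses '=' and its %m/%u macros are not interpolation.
    flat = "\n".join(line.strip() for line in text.splitlines())
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.read_file(io.StringIO(flat))
    return {k.lower(): v.strip() for k, v in cp.items("global")}

def check_global(g, is_bdc=False):
    """Apply the guidance from this tip and return a list of warning strings."""
    warnings = []
    if g.get("security", "user").lower() == "server":
        warnings.append("security = server: pass-through authentication is largely obsolete")
    if g.get("passdb backend", "smbpasswd").lower().startswith("smbpasswd"):
        warnings.append("passdb backend = smbpasswd cannot hold advanced "
                        "SambaSAMAccount data; use tdbsam or ldapsam")
    if "interfaces" in g and g.get("bind interfaces only", "no").lower() not in ("yes", "true", "1"):
        warnings.append("interfaces is set but bind interfaces only is not Yes: "
                        "file services still listen on every interface")
    # 'log level' may be 'N' or 'N class:N ...'; the first token is the global level.
    level = int(g.get("log level", "1").split()[0])
    if level >= 5:
        warnings.append(f"log level = {level} is a diagnostic setting; revert to 1 afterwards")
    if is_bdc and g.get("domain master", "auto").lower() != "no":
        warnings.append("domain master must be No on a BDC")
    return warnings

if __name__ == "__main__":
    for w in check_global(parse_global(SAMPLE_SMB_CONF), is_bdc=True):
        print("WARNING:", w)
```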

There are many additional parameters that are useful for specific purposes. Refer to the smb.conf online man page for detailed information regarding each parameter.

For the most part, setting parameters that are not needed in smb.conf is pointless and potentially problematic. It is very good advice to keep the smb.conf file as simple as possible.

Now that your appetite is whetted for Samba configuration, I've got a new treat for you. Move on to part two for an example of a Samba PDC configuration. I'm sure you'll find it very satisfying.
