Modifying the Samba smb.conf Configuration File
The Samba configuration file, /etc/samba/smb.conf, defines important parameters for Samba-based file sharing. After you have verified the Samba integration with the Authentication Service and Active Directory using a sample configuration file and the test share, you need to modify the smb.conf file so that it accurately represents your environment.
This smb.conf file must include the [global] section that defines the Active Directory domain, authentication methods, and other parameters. The file should also include a section for each directory you are making accessible as an SMB share.
At the beginning of a line, both the hash symbol (#) and the semi-colon (;) indicate lines to ignore. By convention, in this file, the hash indicates a comment and the semi-colon indicates a parameter you may wish to enable.
If you specify multiple users in valid users, user names can be separated by a comma or by white space.
The settings in the [global] section are required whether you use the sample configuration file or create your own smb.conf file. The settings in the [homes] section indicate that you want to share home directories, and the [samba-test] section describes the samba-test share as a publicly-writable share mapped to the /samba-test directory. For more information about editing the Samba configuration file and the supported parameters, see the Samba documentation.
A sample Samba smb.conf Configuration File
The adbindproxy script tests to determine what operating system is running on the host and generates an smb.conf file appropriate to that platform.
In the following sample file, the script was run on a CentOS computer in the arcade.net domain and the Samba share is called MyShare.
#
# This file was generated by ADBindProxy Utility
#
[global]
security = ADS
realm = ARCADE.NET
workgroup = ARCADE
netbios name = centos-6
auth methods = guest, sam, winbind, ntdomain
machine password timeout = 0
passdb backend = tdbsam:/var/lib/samba/private/passdb.tdb
#
# Samba versions 3.4.0 and newer have replaced "use kerberos keytab"
# with "kerberos method". The directive "kerberos method = secrets and keytab"
# enables Samba to honor service tickets that are still valid but were
# created before the Samba server's password was changed.
#
kerberos method = secrets and keytab
#
# Setting "client use spnego principal" to true instructs SMB client to
# trust the service principal name returned by the SMB server. Otherwise,
# client cannot be authenticated via Kerberos by the server in a different
# domain even though the two domains are mutually trusted.
#
# client use spnego principal = true
#
# Setting send spnego principal to yes .
# Otherwise, it will not send this principal between Samba and Windows 2008
#
# send spnego principal = Yes
# If your Samba server only serves to Windows systems, try server signing = mandatory.
server signing = auto
client ntlmv2 auth = yes
client use spnego = yes
template shell = /bin/bash
winbind use default domain = Yes
winbind enum users = No
winbind enum groups = No
winbind nested groups = Yes
idmap cache time = 0
# ignore syssetgroups error = No
idmap config * : backend = tdb
idmap config * : range = 1000 - 200000000
idmap config * : base_tdb = 0
enable core files = false
# Disable Logging to syslog, and only write log to Samba standard log files.
#syslog = 0
[samba-test]
path = /samba-test
public = yes
# if set public = No, we should set parameter valid users .
# and when the user or group is in AD , the setting syntaxes is:
# valid users = CPUBS\username +CPUBS\group
writable = yes
[MyShare]
path = /samba-test
browsable = yes
writable = yes
guest ok = yes
read only = no
[homes]
comment = Home directories
read only = No
browseable = No
smb.conf File Variations for Different Platforms
Some platforms will have slight variations in the smb.conf file, as follows:
- On HP-UX computers, the following line is added:
guest account = smbnull
- On SuSE computers, the following lines are added:
# Suse 11 CUPS printing appears to crash at start up
# So we disable printing on this platform for now
printing = BSD
- On AIX computers, the following comments are added:
#
# On AIX, the service NMBD may fail to start because Samba
# cannot determine the correct IP subnet mask.
# In this case, you can manually specify the correct subnet mask.
# For example if you have the following configuration:
#
# Interface = eth0
# IP Address = 192.168.97.199
# Subnet mask = 255.255.252.0
#
# then set the interfaces keyword as follows:
#
# interfaces = eth0 192.168.97.199/255.255.252.0
#
Testing Changes to the smb.conf File
When you make changes to the smb.conf file, you should run the Samba utility testparm to make sure there are no errors in your smb.conf file before putting it into production use. When you run the testparm utility, you should see output similar to the following:
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Processing section "[samba-test]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
[global]
workgroup = ARCADE
realm = ARCADE.NET
security = ADS
auth methods = guest, sam, winbind, ntdomain
passdb backend = tdbsam:/etc/samba/private/passdb.tdb
syslog = 0
enable core files = No
server signing = auto
machine password timeout = 0
adbindproxy backend = cdc:/usr/share/centrifydc/lib/libcapi.so
adbindproxy standard mappers = No
template shell = /bin/bash
winbind use default domain = Yes
[homes]
comment = Home Directories
read only = No
browseable = No
[printers]
comment = All Printers
path = /usr/spool/samba
printable = Yes
browseable = No
[samba-test]
path = /samba-test
read only = No
guest ok = Yes
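
testparm confirms that the file loads. The following added example (not part of the original page or of the adbindproxy tooling) reads an smb.conf using the comment rules described above and lists the shares that are both guest-accessible and writable, plus a server signing value other than mandatory. The function names parse and audit, the embedded sample, and the choice of what to report are assumptions made for this example; line continuations and include files are not handled.

```python
SAMPLE = """\
# Constructed excerpt of the sample smb.conf shown on this page.
[global]
server signing = auto
; client use spnego principal = true
[samba-test]
public = yes
writable = yes
[MyShare]
guest ok = yes
read only = no
[homes]
read only = No
"""
TRUE = {"yes", "true", "1", "on"}  # boolean spellings treated as "yes"
# Samba synonyms mapped to (canonical name, boolean sense inverted?)
SYNONYMS = {"public": ("guest ok", False), "writable": ("read only", True),
            "writeable": ("read only", True), "write ok": ("read only", True)}

def parse(text):
    """Return {section: {param: value}}, ignoring '#' and ';' lines."""
    conf, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            # Section names are compared case-insensitively, so store lowercase.
            section = conf.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            name, inverted = SYNONYMS.get(key.lower(), (key.lower(), False))
            if inverted:
                value = "no" if value.lower() in TRUE else "yes"
            section[name] = value  # a later line overrides an earlier one
    return conf

def audit(conf):
    """Report guest-writable shares and signing that is not mandatory."""
    signing = conf.get("global", {}).get("server signing", "unset").lower()
    findings = [] if signing == "mandatory" else [f"[global] server signing = {signing}"]
    for name, params in conf.items():
        guest = params.get("guest ok", "no").lower() in TRUE
        read_only = params.get("read only", "yes").lower() in TRUE
        if name != "global" and guest and not read_only:
            findings.append(f"[{name}] guest ok with read only = no")
    return findings

print("\n".join(audit(parse(SAMPLE))))
```

To check a real file, pass its contents to parse, for example the text of /etc/samba/smb.conf after testparm has reported "Loaded services file OK."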