Linux Patch Management: Keeping Linux Systems Up To Date
RHEL includes Red Hat's graphical configuration tool for Samba, system-config-samba, which you can install from the RPM of the same name. Before you use this tool to modify your configuration, back up the files in your /etc/samba directory.
Also known as the Samba Server Configuration utility, you can use this tool to set basic global parameters and configure shared directories. You can start it from a GUI command line with the system-config-samba command, or you can choose System (or KDE Main Menu) | Administration | Server Settings | Samba. You saw the basic tool back in Figure 10-3.
This tool is straightforward. You can configure general Samba directives such as security level and workgroup through the Preferences | Server Settings command. The Add button enables you to set up a new share.
You can also use this tool to configure Samba usernames and passwords. In other words, you can use this tool to configure your smb.conf file as well as Samba usernames and passwords through the smbusers and smbpasswd files in the /etc/samba directory.
There are drawbacks to the Samba Server Configuration utility. For example, you can't use it to edit all global parameters or share printers. You can't use it to set a Samba member server to join a domain.
The Samba Server Configuration utility may not do everything you need. To configure most global settings or special printer shares, to join a domain, or to control Samba services, your fastest option is to work from the command line interface.
Global Settings
To see what the Samba Server Configuration utility can do to the global settings in the smb.conf configuration file, choose Preferences | Server Settings. As you can probably guess from Figure 10-7, the basic settings set the workgroup and server string directives.
When you use this utility and assign default variables, it erases the variable from your smb.conf file. For example, if you set the workgroup name to WORKGROUP, this utility erases the workgroup command line from smb.conf. Therefore, it's an excellent idea to back up smb.conf before using the Samba Server Configuration utility.
In contrast, the Security tab supports a few more settings, as you can see in Figure 10-8. The entries are fairly straightforward. If you want more information on these variables, refer to the discussion on smb.conf earlier in this chapter:
- Authentication Mode sets the security value in /etc/samba/smb.conf. The default is user.
- Authentication Server sets up the location of the password server. There is no default.
- The Kerberos Realm is associated with an Active Directory user/password database and can be assigned only if security = ads.
- Encrypt Passwords is associated with the variable of the same name. The default is yes.
- Guest Account is associated with the variable of the same name. The default is nobody.
On the Job: If you've selected a default, you may still see the variable in the smb.conf file in comments. Alternatively, you may see the variable in an unexpected location relative to the default comments.
Share Settings
Click the Add Share button. This opens the Create Samba Share window shown in Figure 10-9. The Basic tab helps you define the basic parameters associated with the share:
- Directory defines the directory that you want to share, using the path variable.
- By default, the Share Name is taken from the last part of the directory name. For example, if you're sharing the /usr/share/to/path1, Samba designates [path1] as the share name. You can also assign your own share name.
- Description allows you to define the comment that users can see in the browse list.
- Basic permissions lets you set writable as yes or no; read only (writable=no) is the default. (This is another case where two spellings for the same variable are acceptable; writeable is also an acceptable spelling in smb.conf.) The visible option, if activated, makes the share browsable.
The Access tab is simpler; it allows you to limit access to specific users from the smbpasswd configuration file. In other words, you can only limit access to users from the Samba password database. Once you've clicked OK, the Samba Server Configuration tool automatically updates the smb.conf configuration file.
Samba Users
The Samba Server Configuration tool also allows you to configure Samba users, based on the users already present in your /etc/passwd configuration file. Unfortunately, it can use only local password databases as of this writing. However, that's good enough to configure Microsoft usernames on this computer. To add Samba users from the Samba Server Configuration tool, choose Preferences | Samba Users. This opens the Samba Users window shown in Figure 10-10.
As you can see, this window includes a list of currently configured Samba users. Click Add User. This opens the Create New Samba User window shown in Figure 10-11, where you can:
- Select an existing username from /etc/passwd.
- Enter the corresponding Microsoft Windows username.
- Set up a password for that Samba user. It can be different from that user's Linux password.
Click OK when you're done. Naturally, you can also change the Windows username and password for each Samba user, or even delete Samba users with the Edit User and Delete User buttons in the Samba Users window. Click OK to exit from the Samba Users window.
Creating a Public Share
Now you can create a public access share for use with the entire network. For the purpose of this chapter, create the /home/PublicShare directory. From the main Samba Server Configuration screen, click Add Share to open the Create Samba Share window.
Enter the directory that you want to share, /home/PublicShare, in the Directory text box. Enter an appropriate Description, and select Writable and Visible. In the Access tab, select the Allow Access To Everyone option. Click OK, and exit from the Samba Server Configuration tool with the File | Quit command.
Now you'll have to finish the task directly from the text editor. The instructions so far add the following commands in the /etc/samba/smb.conf configuration file:
[PublicShare]
   comment = Shared Public Directory
   path = /home/PublicShare
   writeable = yes
   browseable = yes
   guest ok = yes
You may want to modify these commands. Assume the [PublicShare] share should be accessible to all users with a Linux account on your computer. It should also deny access to guest users and others. You want to provide access to anyone in your domain (.myCompany.com), and you want to deny access to a suspect computer (say, evil.crackers.com). Finally, your shares should be browsable to valid users.
To make this happen, change the last command in this stanza. As guest ok = no is the default, you can just erase the guest ok = yes directive or change the value appropriately. To provide access to all users in the given domain, add the following command:
hosts allow = .myCompany.com
If you wanted to deny access to one specific computer on that network, you could add EXCEPT evil.crackers.com to the end of this command. Alternatively, if this domain is on the 192.168.99.0 network, you could use one of the following commands:
hosts allow = 192.168.99.
hosts allow = 192.168.99.0/255.255.255.0
You could specifically deny access to computers with a command such as the following:
hosts deny = evil.crackers.com
Or you could substitute IP addresses in the same format as with the hosts allow directive. You've defined the share attributes in the Samba smb.conf configuration file. But you need to modify the directory associated with the share with the following command:
# chmod 1777 /home/PublicShare
The digit 1 in front of the 777 directory permission string is known as the "sticky bit." By enabling the sticky bit, you are saying that anyone can do anything in the directory (because of the 777 permission value) but only to files they create! Otherwise, any user could delete or rename any file in the /home/PublicShare directory, regardless of the file's owner.
Testing Changes to /etc/samba/smb.conf
After making any changes to /etc/samba/smb.conf, you should always test your system before putting it into production. You can do a simple syntax check on the Samba configuration file with the testparm test utility, as shown in Figure 10-12. This does not actually check to determine whether the service is running or functioning correctly; it checks only basic text syntax and command stanzas.
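Because testparm checks only syntax, a stanza that leaves a share open to guests still passes it. The following Python audit is an added example, not code from the book: it reads smb.conf text and reports shares where guests can write, where guest access has no hosts allow or hosts deny restriction, and where a writable share's directory is world-writable without the sticky bit. The function names and finding strings are this example's own, and directive names are matched with a simplified lowercase comparison.

```python
import os
import stat

# Alternate spellings smb.conf accepts for the directives discussed above.
SYNONYMS = {"writeable": "writable", "write ok": "writable", "public": "guest ok",
            "allow hosts": "hosts allow", "deny hosts": "hosts deny"}
TRUE = {"yes", "true", "on", "1"}

def parse_shares(text):
    """Return {section: {directive: value}} with spellings normalised."""
    shares, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = shares.setdefault(line[1:-1].strip().lower(), {})
        elif current is not None and "=" in line and line[0] not in "#;":
            key, value = (part.strip() for part in line.split("=", 1))
            key = SYNONYMS.get(key.lower(), key.lower())
            if key == "read only":               # inverse spelling of writable
                key, value = "writable", "no" if value.lower() in TRUE else "yes"
            current[key] = value
    return shares

def audit(text):
    """Return (share, finding) pairs for guest and directory-mode exposure."""
    shares = parse_shares(text)
    defaults = shares.pop("global", {})          # [global] supplies share defaults
    findings = []
    for name, opts in shares.items():
        eff = {**defaults, **opts}
        guest = eff.get("guest ok", "no").lower() in TRUE
        writable = eff.get("writable", "no").lower() in TRUE
        if guest and writable:
            findings.append((name, "guest users can write"))
        if guest and "hosts allow" not in eff and "hosts deny" not in eff:
            findings.append((name, "guest access from any host"))
        path = eff.get("path", "")
        if writable and os.path.isdir(path):     # only checked when path exists
            mode = os.stat(path).st_mode
            if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                findings.append((name, "world-writable path lacks sticky bit"))
    return findings

# Constructed samples built from the stanzas in the text above.
GENERATED = "[PublicShare]\npath = /home/PublicShare\nwriteable = yes\nguest ok = yes\n"
HARDENED = ("[PublicShare]\npath = /home/PublicShare\nwriteable = yes\n"
            "browseable = yes\nhosts allow = .myCompany.com EXCEPT evil.crackers.com\n")

if __name__ == "__main__":
    print("generated:", audit(GENERATED), "\nhardened:", audit(HARDENED))
```

A share that is meant to be public and read-only, such as the [pub] share in the exercise that follows, is still reported as guest access from any host; treat that finding as a prompt to confirm the exposure is intended.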
Exercise 10-5: Configuring Samba with Shares
In this exercise, you'll configure Samba to do something useful: sharing a directory and any configured printers. For this purpose, you can't use the Samba Server Configuration tool; therefore, you'll need to edit the /etc/samba/smb.conf file directly in a text editor.
- Install the Samba RPMs as described earlier in this chapter.
- Create a /home/ftp/public directory. Change ownership to the ftp user and group, with full permissions (770).
- Open the /etc/samba/smb.conf file in a text editor.
- Configure Samba to share all installed print queues to all users. Normally the default [printers] stanza in smb.conf should suffice. But there's an error in the path directive (there is no /user/spool/samba directory), corrected here. And, as you're about to create a guest account, add the last command shown here:
  [printers]
     comment = All printers
     path = /var/spool/samba
     browseable = no
     printable = yes
     guest ok = yes
- Configure Samba to share as public, in read-only mode, the /home/ftp/pub directory tree. In the Share Definitions section, you could add the following commands:
  [pub]
     comment = shared FTP directory
     path = /home/ftp/pub
- Allow guest access to all public shares. In smb.conf, this means adding the following line to the [pub] stanza:
  guest ok = yes
- Since you're about to create a guest account, you'll need to activate the following command in smb.conf:
  ; guest account = pcguest
- Create a guest account for pcguest, associate it with an unused UID and GID 600. (If you already have a user with this ID, substitute an unused ID number.) Set the password to be "anonymous." While you can do this with the Red Hat User Manager discussed in Chapter 6, the quickest way to do this is with the following commands:
  # useradd pcguest -u 600
  # passwd pcguest
- Create separate log files for each computer host that connects. This is already active by default with the following command:
  log file = /var/log/samba/%m.log
- If you have a WINS server configured, authorize Samba to participate as a WINS client. Use the IP of that WINS server. While you don't want to enable the wins support command, you do want to point the wins server command to the IP address of your WINS server (substitute for 10.11.12.13):
  wins server = 10.11.12.13
- Write and save your changes to the smb.conf file.
- You can see if Samba is already running with the service smb status command. If it's stopped, you can start it with the service smb start command. If it's running, you can make Samba reread your configuration file with the following command:
  # service smb reload
This final option allows you to change your Samba configuration without disconnecting users from your Samba server.