AD SAMBA extends Samba 3 with Active Directory Membership support. This includes:
You should read the complete first part of the manual as it contains security related information. The second part of the manual is “optional reading” which explains those functions which are not vital for all users (but still may be vital for some of you).
What needs to be done:
| Either “adsamba” plugin or the standard “samba3” plugin can be active. |
Upon returning from network restart,
You are now ready to configure your filesystem and join a domain.
The following steps can only be done by an administrator of both, intradisk and Domain.
| Two passwords are needed: The intradisk admin password and the Domain password which allows joining machines to domains. |
Basic configuration tries to tell the intradisk SMB Server all that it needs to know about your network infrastructure and security structure. Basically, what is needed is
Turn to the Kerberos Configuration section:
If you are done with configuration, press “Commit Changes”. You now have 5 minutes to change to “Plugins / adsamba plugin” and finish joining the Domain.
On “Plugins / adsamba plugin” press “Join Windows Domain” to actually join the domain. A log of activities is displayed in case of success or failure.
Once the intradisk is joined to the domain, Windows Users are automatically mapped to the local Unix users management. This management database is located on the harddisk drive in /var/lib/adsamba. This database is important, if it gets lost, Samba automatically creates a new one, which may result in a completely different mapping. As a consequence, Users cannot access their data anymore reliably or user data may become exposed to different users.
Thus this database needs a Backup by some external means, it cannot be backed up to the internal flash memory (size!). To make this backup, the SMB Server should be stopped, the files copied to some secure location. Afterwards, restart the SAMBA Server again.
If the directory /var/lib/adsamba/private is made public with Samba itself it should only be available for Backup Administrators.
The intradisk Server enables the manipulation of UNIX file permissions or POSIX ACLs from Windows NT, XP or Windows 2000 clients. With this capability most management of UNIX file permissions or POSIX ACLs can be done from the familiar Windows Explorer interface.
Now that User names and access are managed by the AD-Server, there should be no Unix account with the same user’s name to avoid confusion! See the “Users” Administration Interface to make sure, that there are no duplicate entries.
| AD Users will not have proper access, if the name also exists as local user. |
Samba Status Information is collected on demand, thus this takes some time. The AD Integration display the state of the three drivers smbd, nmbd and winbindd. All three must be “running”, otherwise SAMBA is not working properly. Try to “Restart AD” under “Plugins adsamba plugin” if one or more service has failed.
If the trust between the intradisk and the Domain PDC gets lost, this may have several reasons, e.g.
The list of local SAMBA servers should include the intradisk itself, if not, other clients will not be able to see the intradisk. This can indicate trouble with NMB.
| The AD Server is preconfigured such that directories for shares are created automatically. - Normal Shares are created at startup of the SAMBA server - Home Shares are created on demand (whenever a User accesses his home share) |
Each section in the configuration file (except for the [global] section) describes a shared resource (known as a “share”). The section name is the name of the shared resource and the parameters within the section define the shares attributes.
There are three special sections, [global], [homes] and [printers]. [homes] is described below, [global] parameters are in the reference. [printers] is naturally not supported.
A share consists of a directory to which access is being given plus a description of the access rights which are granted to the user of the service. Some housekeeping options are also specifiable.
Sections are file share services (used by the client as an extension of their native file systems).
Sections may be designated guest services, in which case no password is required to access them. A specified UNIX guest account is used to define access privileges in this case.
Sections other than guest services will require a password to access them. The client provides the username. As older clients only provide passwords and not usernames, you may specify a list of usernames to check against the password using the user = option in the share definition. For modern clients such as Windows 95/98/ME/NT/2000, this should not be necessary.
The access rights granted by the server are masked by the access rights granted to the specified or guest UNIX user by the host system. The server does not grant more access than the host system grants.
The following sample section defines a file space share. The user has write access to the path /export/bar. The share is accessed via the share name foo:
[foo] path = /export/bar read only = no
If a section called [homes] is included in the configuration file, services connecting clients to their home directories can be created on the fly by the server.
When the connection request is made, the existing sections are scanned. If a match is found, it is used. If no match is found, the requested section name is treated as a username and looked up in the local password file. If the name exists and the correct password has been given, a share is created by cloning the [homes] section.
Some modifications are then made to the newly created share:
If you decide to use a path = line in your [homes] section, it may be useful to use the %S macro. For example:
path = /data/pchome/%S
is useful if you have different home directories for your PCs than for UNIX access.
This is a fast and simple way to give a large number of clients access to their home directories with a minimum of fuss.
A similar process occurs if the requested section name is “homes”, except that the share name is not changed to that of the requesting user. This method of using the [homes] section works well if different users share a client PC.
The [homes] section can specify all the parameters a normal service section can specify, though some make more sense than others. The following is a typical and suitable [homes] section:
[homes] read only = no
An important point is that if guest access is specified in the [homes] section, all home directories will be visible to all clients without a password. In the very unlikely event that this is actually desirable, it is wise to also specify read only access.
The browseable flag for auto home directories will be inherited from the global browseable flag, not the [homes] browseable flag. This is useful as it means setting browseable = no in the [homes] section will hide the [homes] share but make any auto home directories visible.
This reference only describes parameters, which are available through the Web-Interface of AD Samba. For all other parameters please refer to the smb.conf Description of the official SAMBA description.
The Global Parameters are subdivided as follows:
The Parameters configuring Shares:
Global Parameters apply to the configuration of the whole server.
This controls what workgroup your server will appear to be in when queried by clients. Note that this parameter also controls the Domain name used with the security=domain setting.
Default: WORKGROUP
Preconfigured: DOMAIN
Example: workgroup = MYGROUP
This option specifies the kerberos realm to use. The realm is used as the ADS equivalent of the NT4 domain. It is usually set to the DNS name of the kerberos server.
see also: security
Default: realm =
Preconfigured: DOMAIN.LOCAL
Example: realm = MYINTRADISK.MYCOMPANY.COM
By specifying the name of another SMB server or Active Directory domain controller with this option, and using security = [ads|domain|server] it is possible to get Samba to to do all its username/password validation using a specific remote server. This option sets the name or IP address of the password server to use. New syntax has been added to support defining the port to use when connecting to the server the case of an ADS realm.
To define a port other than the default LDAP port of 389, add the port number using a colon after the name or IP address (e.g. 192.168.1.100:389). If you do not specify a port, Samba will use the standard LDAP port of tcp/389. Note that port numbers have no effect on password servers for Windows NT 4.0 domains or netbios connections.
If parameter is a name, it is looked up using the parameter name resolve order and so may resolved by any method and order described in that parameter. The password server must be a machine capable of using the “LM1.2×002” or the “NT LM 0.12” protocol, and it must be in user level security mode.
Notes:
| Do not choose a password server that you don’t completely trust! |
see also: menu_plugins-_ad_samba
Default: password server =
Preconfigured: *
Example: password server = NT-PDC, NT-BDC1, NT-BDC2, *
password server = windc.mydomain.com:389 192.168.1.101 *
password server = *
This sets the NetBIOS name by which a Samba server is known. By default it is the same as the first component of the host’s DNS name. If a machine is a browse server or logon server this name (or the first component of the hosts DNS name) will be the name that these services are advertised under.
See also netbios aliases.
Default: machine DNS name
Example: netbios name = MYNAME
This controls what string will show up in the printer comment box in print manager and next to the IPC connection in net view. It can be any string that you wish to show to your users.It also sets what will appear in browse lists next to the machine name.
Default: server string = Samba %v
Preconfigured: intradisk NASdrive (IP:%$(IPADDR))
Example: server string = University of GNUs Samba Server
This option allows you to override the default network interfaces list that Samba will use for browsing, name registration and other NBT traffic. By default Samba will query the kernel for the list of all active interfaces and use any interfaces except 127.0.0.1 that are broadcast capable. The option takes a list of interface strings. Each string can be in any of the following forms:
The “mask” parameters can either be a bit length (such as 24 for a C class network) or a full netmask in dotted decimal form. The “IP” parameters above can either be a full dotted decimal IP address or a hostname which will be looked up via the OS‘s normal hostname resolution mechanisms.
The following line would configure three network interfaces corresponding to the ixp0 device and IP addresses 192.168.2.10 and 192.168.3.10. The netmasks of the latter two interfaces would be set to 255.255.255.0.
Example: interfaces = ixp0 192.168.2.10/24 192.168.3.10/255.255.255.0
See also bind interfaces only.
Default: all active interfaces except 127.0.0.1 that are broadcast capable
This option affects how clients respond to Samba and is one of the most important settings in the smb.conf file. The option sets the “security mode bit” in replies to protocol negotiations with smbd(8) to turn share level security on or off. Clients decide based on this bit whether (and how) to transfer user and password information to the server.
The default is security = user, as this is the most common setting needed when talking to Windows 98 and Windows NT. The alternatives are security = share, security = server or security=domain. If your PCs use usernames that are the same as their usernames on the UNIX machine then you will want to use security = user. If you mostly use usernames that don’t exist on the UNIX box then use security = share.
You should also use security = share if you want to mainly setup shares without a password (guest shares). This is commonly used for a shared printer server. It is more difficult to setup guest shares with security = user, see the map to guest parameter for details. It is possible to use smbd in a hybrid mode where it is offers both user and share level security under different NetBIOS aliases.
When clients connect to a share level security server they need not log onto the server with a valid username and password before attempting to connect to a shared resource (although modern clients such as Windows 95/98 and Windows NT will send a logon request with a username but no password when talking to a security = share server). Instead, the clients send authentication information (passwords) on a per-share basis, at the time they attempt to connect to that share.
Note that smbd ALWAYS uses a valid UNIX user to act on behalf of the client, even in security = share level security. As clients are not required to send a username to the server in share level security, smbd uses several techniques to determine the correct UNIX user to use on behalf of the client.
A list of possible UNIX usernames to match with the given client password is constructed using the following methods :
iportant
This is the default security setting in Samba 2.2. With user-level security a client must first “log=on” with a valid username and password (which can be mapped using the username map parameter). Encrypted passwords (see the encrypted passwords parameter) can also be used in this security mode. Parameters such as user and guest only if set are then applied and may change the UNIX user to use on this connection, but only after the user has been successfully authenticated.
Note that the name of the resource being requested is not sent to the server until after the server has successfully authenticated the client. This is why guest shares don’t work in user level security without allowing the server to automatically map unknown users into the guest account. See the map to guest parameter for details on doing this.
In this mode Samba will try to validate the username/password by passing it to another SMB server, such as an NT box. If this fails it will revert to security = user, but note that if encrypted passwords have been negotiated then Samba cannot revert back to checking the UNIX password file, it must have a valid smbpasswd file to check users against. See the documentation file in the docs/ directory ENCRYPTION.txt for details on how to set this up.
Note that from the client’s point of view security = server is the same as security = user. It only affects how the server deals with the authentication, it does not in any way affect what the client sees.
Note that the name of the resource being requested is not sent to the server until after the server has successfully authenticated the client. This is why guest shares don’t work in user level security without allowing the server to automatically map unknown users into the guest account. See the map to guest parameter for details on doing this.
Not implemented into standard firmware. Ask us for active directory supported intradisk...
In this mode, Samba will act as a domain member in an ADS realm. To operate in this mode, the machine running Samba will need to have Kerberos installed and configured and Samba will need to be joined to the ADS realm using the net utility. Read the chapter about Domain Membership in the HOWTO for details.Note that this mode does NOT make Samba operate as a Active Directory Domain Controller.
This boolean controls whether encrypted passwords will be negotiated with the client. Note that Windows NT 4.0 SP3 and above and also Windows 98 will by default expect encrypted passwords unless a registry entry is changed. To use encrypted passwords in Samba see the file ENCRYPTION.txt in the Samba documentation directory docs/ shipped with the source code.
In order for encrypted passwords to work correctly smbd(8) must either have access to a local smbpasswd(5) file (see the smbpasswd(8) program for information on how to set up and maintain this file), or set the security=[server|domain] parameter which causes smbd to authenticate against another server.
Default: encrypt passwords = no
This option only takes effect when the security option is set to server,domain or ads. If it is set to no, then attempts to connect to a resource from a domain or workgroup other than the one which smbd is running in will fail, even if that domain is trusted by the remote server doing the authentication.
This is useful if you only want your Samba server to serve resources to users in the domain it is a member of. As an example, suppose that there are two domains DOMA and DOMB. DOMB is trusted by DOMA, which contains the Samba server. Under normal circumstances, a user with an account in DOMB can then access the resources of a UNIX account with the same account name on the Samba server even if they do not have an account in DOMA. This can make implementing a security boundary difficult.
Default: allow trusted domains = yes
This is a username which will be used for access to services which are specified as guest ok (see below). Whatever privileges this user has will be available to any client connecting to the guest service. Typically this user will exist in the password file, but will not have a valid login. The user account “ftp” is often a good choice for this parameter. If a username is specified in a given service, the specified username overrides this one.
One some systems the default guest account “nobody” may not be able to print. Use another account in this case. You should test this by trying to log in as your guest user (perhaps by using the su - command) and trying to print using the system print command such as lpr(1) or lp(1).
Default: specified at compile time, usually "nobody"
Preconfigured: samba
Example: guest account = ftp
This parameter is designed to control whether Winbind should allow to login with the pam_winbind module using Cached Credentials. If enabled, winbindd will store user credentials from successful logins encrypted in a local cache.
Default: winbind offline logon = false
Example: winbind offline logon = true
This boolean parameter controls whether smbd(8) will attempt to map UNIX permissions into Windows NT access control lists. The UNIX permissions considered are the the traditional UNIX owner and group permissions, as well as POSIX ACLs set on any files or directories. This parameter was formally a global parameter in releases prior to 2.2.2.
| Restarting the smbd driver will try to remount the shares. Therefor no other processes should access /export and /home. |
Default: nt acl support = yes
This boolean parameter controls whether smbd(8) will allow clients to attempt to store OS/2 style Extended attributes on a share. In order to enable this parameter the underlying filesystem exported by the share must support extended attributes (such as provided on XFS and EXT3 on Linux, with the correct kernel patches). On Linux the filesystem must have been mounted with the mount option user_xattr in order for extended attributes to work, also extended attributes must be compiled into the Linux kernel.
| Restarting the smbd driver will try to remount the shares. Therefor no other processes should access /export and /home. |
Default: ea support = no
“Kerberos Parameters” are not used by smb, they are only saved to smb.conf.ads to have a convenient access to all major configuration parameters. krb5.conf is created from those entries. Warnings adhering to the parsing of parameters starting with “krb5” can be safely ignored.
The domain which is configued as default domain into the Realm.
Automatically rebuild krb5.conf from the information configured on this page.
The KDC (key distribution center) of the Realm.
Service account on the Password Server which is used to register machines into the Active Directory.
Default: Administrator
Password of the KRB5 Service Account.
On large installations using winbindd(8) it may be necessary to suppress the enumeration of groups through the setgrent(), getgrent() and endgrent() group of system calls. If the winbind enum groups parameter is no, calls to the getgrent() system call will not return any data.
| Turning off group enumeration may cause some programs to behave oddly. |
Default: winbind enum groups = no
On large installations using winbindd(8) it may be necessary to suppress the enumeration of groups through the setgrent(), getgrent() and endgrent() group of system calls. If the winbind enum groups parameter is no, calls to the getgrent() system call will not return any data.
| Turning off group enumeration may cause some programs to behave oddly. |
Default: winbind enum groups = no
By default, Samba as a Domain Controller with an LDAP backend needs to use the Unix-style NSS subsystem to access user and group information. Due to the way Unix stores user information in /etc/passwd and /etc/group this inevitably leads to inefficiencies. One important question a user needs to know is the list of groups he is member of. The plain UNIX model involves a complete enumeration of the file /etc/group and its NSS counterparts in LDAP. UNIX has optimized functions to enumerate group membership. Sadly, other functions that are used to deal with user and group attributes lack such optimization.
To make Samba scale well in large environments, the ldapsam:trusted = yes option assumes that the complete user and group database that is relevant to Samba is stored in LDAP with the standard posixAccount/posixGroup attributes. It further assumes that the Samba auxiliary object classes are stored together with the POSIX data in the same LDAP object. If these assumptions are met, ldapsam:trusted = yes can be activated and Samba can completely bypass the NSS system to query user information. Optimized LDAP queries can greatly speed up domain logon and administration tasks. Depending on the size of the LDAP database a factor of 100 or more for common queries is easily achieved.
Default: ldapsam:trusted = no
This option is used by the programs in the Samba suite to determine what naming services to use and in what order to resolve host names to IP addresses. Its main purpose to is to control how netbios name resolution is performed. The option takes a space separated string of name resolution options.
The options are: "lmhosts", "host", "wins" and "bcast". They cause names to be resolved as follows:
The example below will cause the local lmhosts file to be examined first, followed by a broadcast attempt, followed by a normal system hostname lookup.
When Samba is functioning in ADS security mode (security = ads) it is advised to use following settings for name resolve order:
name resolve order = wins bcast
DC lookups will still be done via DNS, but fallbacks to netbios names will not inundate your DNS servers with needless querys for DOMAIN<0x1c> lookups.
Default: name resolve order = lmhosts host wins bcast
Preconfigured: host wins bcast
Example: name resolve order = lmhosts bcast host
When Samba connects to an ldap server that servermay be down or unreachable. To prevent Samba from hanging whilst waiting for the connection this parameter specifies in seconds how long Samba should wait before failing the connect. The default is to only wait fifteen seconds for the ldap server to respond to the connect request.
Default: ldap timeout = 15
This option allows you to override the name of the Samba log file (also known as the debug file). This option takes the standard substitutions, allowing you to have separate log files for each user or machine.
Example: log file = /usr/local/samba/var/log.%m
Preconfigured: log file = /var/log/smblog.ad
| In large installations, using %m has the very undesirable effect of creating a log file for each client. Even though each file is limited in size, the space needed may exceed available memory very fast. |
The value of the parameter (a astring) allows the debug level (logging level) to be specified in the smb.conf file. This parameter has been extended since the 2.2.x series, now it allow to specify the debug level for multiple debug classes. This is to give greater flexibility in the configuration of the system.
The default will be the log level specified on the command line or level zero if none was specified.
Preconfigured: 3
Example: log level = 3 winbind:6
This integer value controls what level Samba advertises itself as for browse elections. The value of this parameter determines whether nmbd(8) has a chance of becoming a local master browser for the WORKGROUP in the local broadcast area.
| By default, Samba will win a local master browsing election over all Microsoft operating systems except a Windows NT 4.0/2000 Domain Controller. This means that a misconfigured Samba host can effectively isolate a subnet for browsing purposes. See BROWSING.txt in the Samba docs/ directory for details. |
Default: os level = 20
Example: os level = 65
Tell nmbd(8) to enable WAN-wide browse list collation. Setting this option causes nmbd to claim a special domain specific NetBIOS name that identifies it as a domain master browser for its given workgroup. Local master browsers in the same workgroup on broadcast-isolated subnets will give this nmbd their local browse lists, and then ask smbd(8) for a complete copy of the browse list for the whole wide area network. Browser clients will then contact their local master browser, and will receive the domain-wide browse list, instead of just the list for their broadcast-isolated subnet.
Note that Windows NT Primary Domain Controllers expect to be able to claim this workgroup specific special NetBIOS name that identifies them as domain master browsers for that workgroup by default (i.e. there is no way to prevent a Windows NT PDC from attempting to do this). This means that if this parameter is set and nmbd claims the special name for a workgroup before a Windows NT PDC is able to do so then cross subnet browsing will behave strangely and may fail.
If domain logons = yes , then the default behavior is to enable the domain master parameter. If domain logons is not enabled (the default setting), then neither will domain master be enabled by default.
Default: domain master = auto
This option allows nmbd(8) to try and become a local master browser on a subnet. If set to false then nmbd will not attempt to become a local master browser on a subnet and will also lose in all browsing elections. By default this value is set to true. Setting this value to true doesn’t mean that Samba will become the local master browser on a subnet, just that nmbd will participate in elections for local master browser.
Setting this value to false will cause nmbd never to become a local master browser.
Default: local master = yes
This boolean parameter controls if nmbd(8) is a preferred master browser for its workgroup.
If this is set to true, on startup, nmbd will force an election, and it will have a slight advantage in winning the election. It is recommended that this parameter is used in conjunction with domain master = yes, so that nmbd can guarantee becoming a domain master.
Use this option with caution, because if there are several hosts (whether Samba servers, Windows 95 or NT) that are preferred master browsers on the same subnet, they will each periodically and continuously attempt to become the local master browser. This will result in unnecessary broadcast traffic and reduced browsing capabilities.
See also os level
Default: preferred master = auto
This boolean controls if the nmbd(8) process in Samba will act as a WINS server. You should not set this to true unless you have a multi-subnetted network and you wish a particular nmbd to be your WINS server. Note that you should NEVER set this to true on more than one machine in your network.
Default: wins support = no
This specifies the IP address (or DNS name: IP address for preference) of the WINS server that nmbd(8) should register with. If you have a WINS server on your network then you should set this to the WINS server’s IP.
You should point this at your WINS server if you have a multi-subnetted network.
If you want to work in multiple namespaces, you can give every wins server a ‘tag’. For each tag, only one (working) server will be queried for a name. The tag should be separated from the ip address by a colon.
| You need to set up Samba to point to a WINS server if you have multiple subnets and wish cross-subnet browsing to work correctly. See the chapter in the Samba3-HOWTO on Network Browsing. |
Default: wins server =
Example: wins server = mary:192.9.200.1 fred:192.168.3.199 mary:192.168.2.61 # For this example when querying a certain name, 192.19.200.1 will be asked first and if that doesn't respond 192.168.2.61. If either of those doesn't know the name 192.168.3.199 will be queried.
Example: wins server = 192.9.200.1 192.168.2.61
This is a text field that is seen next to a share when a client does a queries the server, either via the network neighborhood or via net view to list what shares are available. If you want to set the string that is displayed next to the machine name then see the server string parameter.
Default: No comment string
Example: comment = Fred's Files
This parameter specifies a directory to which the user of the service is to be given access. In the case of printable services, this is where print data will spool prior to being submitted to the host for printing. For a printable service offering guest access, the service should be readonly and the path should be world-writeable and have the sticky bit set. This is not mandatory of course, but you probably won’t get the results you expect if you do otherwise.
Any occurrences of %u in the path will be replaced with the UNIX username that the client is using on this connection. Any occurrences of %m will be replaced by the NetBIOS name of the machine they are connecting from. These replacements are very useful for setting up pseudo home directories for users.
| Paths should be subpaths of the /export folder and (in case ACL is used) not be the /exort folder itself. |
Default: none
Example: path = /home/fred
When a file is created, the necessary permissions are calculated according to the mapping from DOS modes to UNIX permissions, and the resulting UNIX mode is then bit-wise ‘AND’ed with this parameter. This parameter may be thought of as a bit-wise MASK for the UNIX modes of a file. Any bit not set here will be removed from the modes set on a file when it is created.
The default value of this parameter removes the group and other write and execute bits from the UNIX modes.
Following this Samba will bit-wise ‘OR’ the UNIX mode created from this parameter with the value of the force create mode parameter which is set to 000 by default.
This parameter does not affect directory masks. See the parameter directory mask for details.
Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the administrator wishes to enforce a mask on access control lists also, they need to set the security mask.
Preconfigured: create mask = 777
This parameter is the octal modes which are used when converting DOS modes to UNIX modes when creating UNIX directories.
When a directory is created, the necessary permissions are calculated according to the mapping from DOS modes to UNIX permissions, and the resulting UNIX mode is then bit-wise ‘AND’ed with this parameter. This parameter may be thought of as a bit-wise MASK for the UNIX modes of a directory. Any bit not set here will be removed from the modes set on a directory when it is created.
The default value of this parameter removes the ‘group’ and ‘other’ write bits from the UNIX mode, allowing only the user who owns the directory to modify it.
Following this Samba will bit-wise ‘OR’ the UNIX mode created from this parameter with the value of the force directory mode parameter. This parameter is set to 000 by default (i.e. no extra mode bits are added).
Note that this parameter does not apply to permissions set by Windows NT/2000 ACL editors. If the administrator wishes to enforce a mask on access control lists also, they need to set the directory security mask.
Preconfigured: directory mask = 777
The default behavior in Samba is to provide UNIX-like behavior where only the owner of a file/directory is able to change the permissions on it. However, this behavior is often confusing to DOS/Windows users. Enabling this parameter allows a user who has write access to the file (by whatever means) to modify the permissions (including ACL) on it. Note that a user belonging to the group owning the file will not be allowed to change permissions if the group is only granted read access. Ownership of the file/directory may also be changed.
Preconfigured: dos filemode = yes
If this parameter is set Samba attempts to first read DOS attributes (SYSTEM, HIDDEN, ARCHIVE or READ-ONLY) from a filesystem extended attribute, before mapping DOS attributes to UNIX permission bits (such as occurs with map hidden and map readonly). When set, DOS attributes will be stored onto an extended attribute in the UNIX filesystem, associated with the file or directory. For no other mapping to occur as a fall-back, the parameters map hidden, map system, map archive and map readonly must be set to off. This parameter writes the DOS attributes as a string into the extended attribute named “user.DOSATTRIB”. This extended attribute is explicitly hidden from smbd clients requesting an EA list. On Linux the filesystem must have been mounted with the mount option user_xattr in order for extended attributes to work, also extended attributes must be compiled into the Linux kernel.
Preconfigured: store dos attributes = yes
| You need to set up EA support in the global settings to use this option! |
This boolean parameter controls whether smbd(8) will attempt to map the ‘inherit’ and ‘protected’ access control entry flags stored in Windows ACLs into an extended attribute called user.SAMBA_PAI. This parameter only takes effect if Samba is being run on a platform that supports extended attributes (Linux and IRIX so far) and allows the Windows 2000 ACL editor to correctly use inheritance with the Samba POSIX ACL mapping code.
Preconfigured: map acl inherit = yes
| You need to set up EA and ACL support in the global settings to use this option! |
This controls whether the DOS archive attribute should be mapped to the UNIX owner execute bit. The DOS archive bit is set when a file has been modified since its last backup. One motivation for this option is to keep Samba/your PC from making any file it touches from becoming executable under UNIX. This can be quite annoying for shared source code, documents, etc...
| This requires the create mask parameter to be set such that owner execute bit is not masked out (i.e. it must include 100). See the parameter create mask for details. |
Preconfigured: map archive = no
This controls whether DOS style hidden files should be mapped to the UNIX world execute bit.
| This requires the create mask to be set such that the world execute bit is not masked out (i.e. it must include 001). See the parameter create mask for details. |
Preconfigured: map hidden = no
This controls how the DOS read only attribute should be mapped from a UNIX. This parameter can take three different values, which tell smbd(8) how to display the read only attribute on files, where either store dos attributes is set to No, or no extended attribute is present. If store dos attributes is set to yes then this parameter is ignored. The three settings are :
Preconfigured: map read only = no
This controls whether DOS style system files should be mapped to the UNIX group execute bit.
| This requires the create mask to be set such that the group execute bit is not masked out (i.e. it must include 010). See the parameter create mask for details. |
Preconfigured: map system = no
This parameter can be used to ensure that if default acls exist on parent directories, they are always honored when creating a subdirectory. The default behavior is to use the mode specified when creating the directory. Enabling this option sets the mode to 0777, thus guaranteeing that default directory acls are propagated.
Preconfigured: inherit acls = yes
The ownership of new files and directories is normally governed by effective uid of the connected user. This option allows the Samba administrator to specify that the ownership for new files and directories should be controlled by the ownership of the parent directory.
Common scenarios where this behavior is useful is in implementing drop-boxes where users can create and edit files but not delete them and to ensure that newly create files in a user’s roaming profile directory are actually owner by the user.
Preconfigured: inherit owner = yes
The permissions on new files and directories are normally governed by create mask, directory mask, force create mode and force directory mode but the boolean inherit permissions parameter overrides this.
New directories inherit the mode of the parent directory, including bits such as setgid.
New files inherit their read/write bits from the parent directory. Their execute bits continue to be determined by map archive, map hidden and map system as usual.
Note that the setuid bit is never set via inheritance (the code explicitly prohibits this).
This can be particularly useful on large systems with many users, perhaps several thousand, to allow a single [homes] share to be used flexibly by each user.
Preconfigured: inherit permissions = yes
If this parameter is yes, then users of a service may not create or modify files in the service’s directory.
Preconfigured: read only = no
If this parameter is yes for a service, then no password is required to connect to the service. Privileges will be those of the guest account.
Default: guest ok = no
A synonym for this parameter is allow hosts. This parameter is a comma, space, or tab delimited set of hosts which are permitted to access a service. If specified in the [global] section then it will apply to all services, regardless of whether the individual service has a different setting. You can specify the hosts by name or IP number. For example, you could restrict access to only the hosts on a Class C subnet with something like allow hosts = 150.203.5. . The full syntax of the list is described in the man page hosts_access(5). Note that this man page may not be present on your system, so a brief description will be given here also.
Note that the localhost address 127.0.0.1 will always be allowed access unless specifically denied by a hosts deny option.
You can also specify hosts by network/netmask pairs and by netgroup names if your system supports netgroups. The EXCEPT keyword can also be used to limit a wildcard list. The following examples may provide some help:
| Note that access still requires suitable user-level passwords. |
See also testparm(1) for a way of testing your host access to see if it does what you expect.
Default: none (i.e., all hosts permitted access)
Example: allow hosts = 150.203.5. myhost.mynet.edu.au
The opposite of hosts allow - hosts listed here are NOT permitted access to services unless the specific services have their own lists to override this one. Where the lists conflict, the allow list takes precedence.
Default: none (i.e., no hosts specifically excluded)
Example: hosts deny = 150.203.4. badhost.mynet.edu.au
This is a list of users that should be allowed to login to this service. Names starting with ‘@’, ‘+’ and ‘&’ are interpreted using the same rules as described in the invalid users parameter. If this is empty (the default) then any user can login. If a username is in both this list and the invalid users list then access is denied for that user. The current servicename is substituted for %S . This is useful in the [homes] section.
see also: invalid users
Default: empty - no restrictions
Example 1: Restricting a share to only two specific domain users:
valid users=DOMAIN\dagobert, DOMAIN\Administrator
Example 2: Restricting a share to a special domain group:
valid users=@DOMAIN\NasdriveUser
Hints on domain groups:
This is a list of users that should not be allowed to login to this service. This is really a paranoid check to absolutely ensure an improper setting does not breach your security.
The characters ‘+’ and ‘&’ may be used at the start of the name in either order so the value +&group means check the UNIX group database, followed by the NIS netgroup database, and the value &+group” means check the NIS netgroup database, followed by the UNIX group database (the same as the ‘@’ prefix).
see also: valid users
Default: empty - no invalid users
Example: invalid users = root fred admin @wheel
This controls whether this share is seen in the list of available shares in a net view and in the browse list.
Default: browseable = yes
This parameter lets you “turn off” a service. If available = no, then ALL attempts to connect to the service will fail. Such failures are logged.
Default: available = yes
The Active Directory Samba Configuration is stored into
/etc/cfg_user/smb.conf.ads (non-voltatile, flash-memory) /etc/cfg_user/krb5.conf (non-voltatile, flash-memory) /etc/cfg_user/nsswitch.conf (non-voltatile, flash-memory) /etc/hosts (volatile, updated with network restart) /etc/resolv.conf (volatile, updated with network restart)
Active Directory stores dynamic data into
/var/lib/adsamba and its subdirectories (non-volatile, hard-disk)
After deactivating the AD Plugin, the standard SMB Configuration (stored in /etc/config/smb.conf) applies once more.