• Home
• TheWeb
• Linux
• Microsoft
• SiteMap
• OpenSource
• Musings
• Recipes

Introduction: The Official Samba-3 HowTo and Reference Guide has about 1000 pages and the section on the man pages for the Samba config file takes up some 160 pages. So it would be no surprise that there are many possibilities for configuring file sharing on a SOHO LAN. If you want to configure a share successfully you must accommodate all factors tied up in transferring information between workstations with the SMB protocol, chief among them being:

• Name resolution for browsing workstations and shares
• Authority for connecting to a server and its shares
• File structure permissions on the shared folded
• Security controls available within Samba

This article superficially covers these factors in a layout that runs from low security shares suitable for the home LAN through to secure shares adequate for small business and other sensitive information.

Things to Know

Samba's Configuration File is a text file located at /etc/samba/smb.conf. It's made up of paragraphs of parameter values controlling global behaviour plus one paragraph for each classically shared resource (printers, folders). All of the GUI devices to create and modify shares are no more that fancy text editors.

Classical Shares and Usershares: There are two classes of Samba shares, Classical shares and Usershares. Classical shares have tailored security and are created by root. The configurations for classical shares are set out in separate paragraphs, one for each share, in smb.conf, the main configuration file. The configurations for usershares are set out in separate text files, one for each share, in a special folder located in openSUSE at /var/lib/samba/usershares. It's important to lock into mind that the rules and procedures are different for Usershares and classical shares. If you don't mentally acknowledge this you will be confused as you read this article.

Security Levels: The security options for a workgroup of mixed Windows and Linux workstations are share level security and user level security. At it's simplest, share level security originally catered for Windows 95, Me and 98. Share level became superfluous in Linux with the introduction of Usershares into Samba v3.0.23 which appeared in v10.2 of openSUSE for the first time. The attractive on-the-fly, non-root user sharing of folders that Windows offers at share-level is now fully available in Linux at user-level security through usershares. Share level is now an anachronism and it won't be discussed further here.

Text Editor Tips: You can open the file smb.conf in a KDE text editor with this command in your non-root terminal:

Or if you prefer Gnome, use this:

Alternatively, you can open the superuser file manger from the KDE or Gnome menu. Then you navigate to to /etc/samba/. Finally, right click on smb.conf and select Kwrite, Gedit or Kate as you prefer.

Tweaking the Default Configuration File: The first paragraph of the config file (smb.conf) contains global parameters and it looks like this in openSUSE 10.2,3:

And here are some important implicit parameter specifications that are included by default, although you can't explicitly see them:

Tweaks: Of course TUX-NET needs to be changed to your workgroup name. Security is set to share-level and the password backend is the deprecated smbpasswd. Samba devs recommend to use the database form of backend, tdbsam, but I won't press that here. NetBIOS name resolution is installed at only a very basic level and I strongly recommend bolstering that by installing at least a Local Master Browser, LMB. The LMB and other name resolution alternatives are discussed in my tutorial on configuring stable network browsing. Finally Usershares are disabled in the default install. If you want to use them you must add additional parameters. Here is my recommended tweaked [global] configuration:

Regarding the last four uncommented lines: This segment of four lines creates the LMB. You can have only one LMB per workgroup. For additional Suse machines, where the LMB has the four settings No, Yes, Yes and 65, the settings for the other machines would be domain master = no, local master = no, preferred master = no, and os level = 0.

Regarding the 3 lines for on-the-fly usershares. If you're not installing usershares then leave them out. New Linux users would generally be installing usershares only if they were using Gnome and creating shares with a R-click in Nautilus. So lets be clear. They're for Gnome/Nautilus users (plus of course advanced Linux command line users).

I recommend editing/tweaking smb.conf with a text editor. GUI devices like the ones available in Konqueror and Yast are really touchy and dangerous in a new user's hands. The results can be disastrous if you don't know exactly what you're doing. Just the act of looking into some options in Yast can install unwanted parameters. If you do use a GUI editor then you should examine your final [global] configuration against my recommended configuration above. When you've finished editing smb.conf it's also a very good idea to run testparm and read the output carefully. You enter this in a non-root terminal to run testparm:

Testparm certainly doesn't guarantee success or reveal subtle conflicts/errors.

Sharing to Anonymous Guests: These shares (reminiscent of Windows 9x/Me) are the least secure shares possible. They can be used to share non-private data and can easily be switched on and off as required. You can construct them two ways - as classical shares using Konqueror or as the newer usershares using Nautilus. Incidentally, there's a pictorial HowTo set up Konqueror for Samba shares at the end of this page. To illustrate the creation of these shares, imagine a folder called sharefolder, located at /home/username/sharefolder, in the home territory of a Linux user named username.

KDE & Konqueror: On-The-Fly Sharing Utility

KDE has a right-click gui that allows on-the-fly creation of a classical share from folder sharefolder. Simply R-click on sharefolder when viewing it in Konqueror file manager, select "share" and enable the share as illustrated in the two pics on the left.

NOTE that if you don't get the option to "share" when you R-click the folder sharefolder, then Konqueror still needs to be configured for on-the-fly sharing. I show how to do that in Appendix II below.

The top plate shows settings for a read-only share and the bottom plate shows settings for a read-write share.

The left side of each plate shows the settings that appear when the "share" tab is activated and I have added in on the right hand side of each the settings that appear when the "permissions" tab is activated.

The access that is sought and given is for an unauthenticated guest. Guests fit into the permissions scenario as "Others" on the GUI. So for a writeable share (the second pic) you have to set the permission for "Others" to "Can View and Modify Content".

Your Desktop: I've done this research in openSUSE 10.2 and 10.3a. For both of those the premissions for the folder /home/username/Desktop are drwx------, i.e. members of the group users other than the owner and all others (e.g. guests) are forbidden. This prevents you from making classical Samba shares on a desktop with Konqueror, unless you venture further into the GUI with the button More Samba Options. Avoid that button if you are not a practised Samba administrator.

The KDE-Konqueror facility creates a "classical" share that writes its configuration to a paragraph in the samba config file at /etc/samba/smb.conf. The entry in smb.conf for the read-only share, corresponding to the read-only, top picture is:

The entry in smb.conf for the read-write share, corresponding to the read-write, bottom picture is:

If you do not have KDE-Konqueror you could create either of these forms of classical share by directly editing these entries into smb.conf with a text editor.

Gnome & Nautilus: On-The-Fly Sharing Utility

Nautilus has a right-click GUI that allows on-the-fly creation of a usershare for a folder. [If you receive error messages regarding usershares or a missing directory while creating a share, you may not have set up prerequsites properly. See appendix III for those.] Once again use sharefolder as the example. Simply R-click on sharefolder when viewing it in Nautilus file manager, select "Sharing options" and enable the share as on the following pics:

The pictures speak for themselves. You don't have to change the default permissions/access controls on the folder sharefolder for the read-write case as you do for a classical share using Konqueror. Usershares have their access controls set in the share configuration file that is written in /var/lib/samba/usershare.

FYI, here is the config file for a read-only usershare:

FYI, here is the config file for a read-write usershare:

They differ by only one letter. The files are located at /var/lib/samba/usershares

Sharing to authentic users: We now address the generalised, classical, stand-alone, read-write Samba share. It's to be accessible to authentic samba users only. Usage of some utilities to list Samba users and to add/delete them in the Samba User database is illustrated in the Appendix. Imagine you are sharing the folder sharefolder and you want it to appear in Network Browsers as ShareName. In this case the share is administered by root, so you locate it wherever is convenient, say at /path/sharefolder. The policy is to use the samba force parameters, force group and force user, to assign access controls to the Samba user and mimic the real owner of the shared folder. So make a_real_username the owner of the folder and edit the parameter values below into the share's definition in smb.conf - here's the definition for a read-write share:

FYI: There are other ways to define read-write shares - a source of some discussion on the internet. I'm a bit of a pragmatist and I use the share structure above because it's secure and it works very well for me.

These shares can't be accessed by a non-authentic user. Depending on the precise setup, access flows either to a machine having a valid Samba user logged on or to a user who authenticates in a logon session. If you want the share to be read-only you comment out out or remove the line read only = no.

You can further restrict access by limiting valid users via Samba's valid users parameter. For example add this line to the definition of a share if you want only Ethel or George to have access to the share:

And equally useful is this pair of lines to limit the host machines allowed to connect:

That's all folks, except for appendices.

APPENDIX I: Administering the Samba User Database

User Administration: Here are a few recipes using the utilities smbpasswd and pdbedit to administer user accounts. Pdbedit does many things but I only use it in the standalone-server context to list Samba users when I forget who they are, like so - terminal session:

This shows me that the Linux host (called hostname) has three samba users: papa, ethel and timothy with uid's respectively of 1000, 1001, 1002 (the rest of each line is encrypted, I think). You will be unable to add a Samba user who is not already a valid user in Suse's user database.

To add a Samba user or to change the user's password - terminal session:

To delete a Samba user - terminal session:

APPENDIX II: Configuring Konqueror for On-The-Fly Classical Samba Shares

This appendix is necessary to skip around a quirk - bug is too strong a word -, a quirk in Konqueror's File Sharing facility. If you right click on a folder being viewed in Konqueror, intending to create a share and you don't see the option Share as the bottom option on the drop-down list, then reconfigure the File Sharing facility. Open Personal Settings in the KDE menu: Personal Settings --> Internet & Network --> File Sharing --> Administrator Mode. The next Pic is my adaptation of the GUI that opens up:

Enable local network sharing, advanced sharing and to use Samba (MS Windows). NFS is not part of Samba and is optional if you know what you're doing. Then activate the Allowed Users button. Then you select the option only users of certain groups are allowed to share folders (See Pic).

Now click "choose group". The following panel opens up:

Use the drop-down box to select the group users, make sure none of the options (Add, Remove or Delete) are selected, and then click OK.

A new panel with two options at the top opens up. The second option (only users of the group "users" are allowed to share folders) will be selected:

Simply change the option to the top option (Allow all users to share folders) and click OK.

At this stage you should be able to return to the Konqueror file browser and share folders with a right click.

APPENDIX III: Enabling On-The-Fly Samba Usershares for use in Nautilus

I found that full usershare functionality sometimes isn't installed by default in openSUSE. I think it depends on the install media, CDs, DVD or Internet. Anyway, here are the prerequisites you can check yourself. As I mentioned earlier, you need these lines in the [global] section of the Samba configuration file (smb.conf):

Alternatively you can browse to /var/lib/samba in a superuser file manager and create the folder in a GUI. Here's a screenshot:

Take it easy.

Swerdna: 28 February 2007

• Home
• TheWeb
• Linux
• Microsoft
• SiteMap
• OpenSource
• Musings
• Recipes