3.2 Setting Up Workgroups and Shares (Access Points)

Users need to be able to access the Samba server in My Network Places and Windows Explorer just as they would a Windows server. This means that the server needs to be assigned to a workgroup and it needs to publish Windows shares (access points) that are visible to users.

By default, the Samba server is assigned to the workgroup named workgroup and publishes certain preconfigured shares. However, these defaults are insufficient for many Samba installations. For example, the users share, as defined by default, gives authenticated users access to all the home directories on a traditional Linux volume.

You can customize your workgroup and share configurations by modifying the /etc/samba/smb.conf file as explained in the following sections:

3.2.1 Providing Private Home Directory Access

Use the information in Table 3-1 and a text editor, such as Kate or vi, to give your network users access to only their individual home directories.

For additional information about the smb.conf file, see The smb.conf Configuration File.

Table 3-1 Customizing the /etc/samba/smb.conf file for Home Directory Access Only

Section: [global]

Entry Name: workgroup =

Description: Specifies the Windows workgroup that the Samba server either joins (if it exists) or effectively creates (if the name is new).

The Samba installation sets the value of this parameter to workgroup, which is the default setting for all Windows 2000 and Windows XP workstations. As a result, the “workgroup” workgroup can contain hundreds of workstations and servers, rendering it unusable.

Recommended Action:

  1. Replace the value with a name for the workgroup that you want users to see when they browse in Network Neighborhood.

    For example, change the entry to read workgroup = our_workgroup.

Section: [homes]

Entry Name: (none)

Description: This sets up a share named homes.

The primary purpose of this standard Samba share is to expose only the home directories of your Samba users.

The parameters in this section provide private access to home directories, which is the expectation of most network administrators.

Recommended Action:

  1. To learn more about the parameters in this and other sections, search the Web for information about the smb.conf file.

Section: [homes]

Entry Name: path =

Description: This parameter is not needed if user home directories are contained in /home on the server, because the path for this share defaults to /home/%S, the home directory of the logged-in user.

If you want to provide home directories on an NSS/NCP volume, be sure to review the information in Section B.3, Home Directories and Samba.

Recommended Action:

  1. To provide access to home directories in a non-standard (other than /home/%S) location, specify the full path from the root of the file system.

    For example, if the server has an NSS volume and the home directories are stored on it, you can provide Samba access by including a path statement such as path = /media/nss/HOME2/%S, where HOME2 is the mount point of the NSS volume.

  2. Be sure to end the path with /%S. Otherwise, all the home directories will be visible to each Samba user.

Section: [all other share names]

Entry Name: (none)

Description: These set up various other shares that are not needed for private home directory access. In fact, the [users] share actually makes all the home directories visible to every Samba user.

Recommended Action:

  1. To preserve file contents for future reference while also removing these shares, comment out each line of the rest of the file by inserting a pound sign (#) at the beginning of each line.

    Otherwise, delete these lines.
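
The following check looks for the three problems Table 3-1 addresses: the default workgroup name, a [homes] path that does not end in /%S, and a [users] share that is still published. It is an added example, not part of the Novell documentation. The function names, finding codes and both sample files are constructed for illustration, and line continuations are not handled.

```python
import re

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}."""
    # Samba ignores case and spaces in names: 'read only' == 'readonly'.
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            current[re.sub(r"\s+", "", name).lower()] = value.strip()
    return sections

def audit(text):
    """Return (code, message) findings for the issues listed in Table 3-1."""
    conf, findings = parse_smb_conf(text), []
    # An unset workgroup is treated as the default name the page describes.
    workgroup = conf.get("global", {}).get("workgroup", "workgroup")
    if workgroup.lower() == "workgroup":
        findings.append(("default-workgroup", "workgroup is still the default"))
    path = conf.get("homes", {}).get("path")
    if path is not None and not path.rstrip("/").endswith("/%S"):
        findings.append(("homes-path", f"[homes] path {path} lacks /%S"))
    for name in sorted(conf):
        if name == "users":
            findings.append(("users-share", "[users] shows every home directory"))
        elif name not in ("global", "homes"):
            findings.append(("extra-share", f"[{name}] is not needed here"))
    return findings

# Constructed sample files, not taken from a real server.
WEAK = """[global]
   workgroup = WORKGROUP
[homes]
   path = /media/nss/HOME2
[users]
   path = /home
"""
FIXED = """[global]
   workgroup = our_workgroup
[homes]
   path = /media/nss/HOME2/%S
# [users]
"""
```

Calling audit(WEAK) reports all three findings; audit(FIXED) returns an empty list because the commented-out [users] header is skipped like any other comment.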

3.2.2 Creating a New Share: An NSS/NCP Example

You can create shares with unique names, such as volumes that users are familiar with, and provide access to them.

For example, if your Samba users keep their work files in an NSS volume named PROJECTS, you could create a share to the /media/nss/PROJECTS directory as follows:

  1. Open the /etc/samba/smb.conf file in an editor.

  2. Create a [projects] share in the smb.conf file by inserting the following lines:

    [projects]
    comment = Project folders
    path = /media/nss/PROJECTS
    browseable = Yes
    read only = No
    inherit acls = Yes

  3. Save the file and restart Samba as directed in Section 3.2.4, Restarting Samba to Implement the Changes.

  4. Create folders for each project.

    For example, you could create folders named wheel and lever.

  5. Assign trustees to the projects using the ncpcon > rights command.

    For example, if you want user1 to have full rights to wheel but only read and filescan rights to lever, and you want user2 to have full rights to lever but only read and filescan to wheel, you could assign the rights using the following commands:

    ncpcon
    rights add projects:wheel user1.full.edir.context all
    rights add projects:wheel user2.full.edir.context rf
    rights add projects:lever user2.full.edir.context all
    rights add projects:lever user1.full.edir.context rf

Because Samba access to NSS volumes is controlled by NCP trustee rights, user1 and user2 can now work in their respective project folders, and they can see but not change the contents of the project folder belonging to their coworker.

Adjusting POSIX permissions is not required.

NOTE: The rights command in the ncpcon utility is for working with any NCP volume, including volumes defined on traditional Linux file systems.

For information about the ncpcon rights command, run ncpcon and enter help rights.

The rights command available at the shell prompt is for working with NSS volumes only.

For information on using the rights utility at the shell prompt, enter rights.

3.2.3 Creating a Share for Group Access: A POSIX Example

You can create shares for groups to use.

For example, if you have a group of Samba users who want to collaborate regarding usability ideas, you could create a usability folder and grant access to it as follows:

  1. Create a folder named usability in /usr.

  2. Create a [usability] share in the smb.conf file by inserting the following lines:

    [usability]
    comment = Usability Ideas
    path = /usr/usability
    browseable = Yes
    read only = No
    inherit acls = Yes

  3. Save the file and restart Samba as directed in Section 3.2.4, Restarting Samba to Implement the Changes.

  4. Create a LUM-enabled group and assign the Samba users to it. For example, create a group called usetest.

  5. Change the group owner of the /usr/usability folder to usetest and grant the usetest group read, write and execute rights by entering the following at a shell prompt:

    chown -R :usetest /usr/usability
    chmod -R 775 /usr/usability

    For more information on creating group work directories, see Providing a Group Work Area in the Novell OES SP2 Planning and Implementation Guide.

The users would then be able to collaborate with each other in the /usr/usability folder.
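
The following check confirms that every entry under the group folder still has the group owner and group rights that step 5 sets, and it can be rerun later to catch files created with a different group or mode. It is an added example, not part of the Novell documentation. The function names and problem labels are assumptions, and demo() builds a constructed temporary tree in place of /usr/usability.

```python
import os
import stat
import tempfile

def check_group_area(root, gid):
    """Return sorted (relative path, problem) pairs for entries under root
    that differ from what chown -R :group and chmod -R 775 leave behind."""
    problems = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue                      # a symlink's own mode says nothing
            rel = os.path.relpath(path, root)
            if st.st_gid != gid:
                problems.append((rel, "wrong-group"))
            if (st.st_mode & stat.S_IRWXG) != stat.S_IRWXG:
                problems.append((rel, "group-lacks-rwx"))
            if st.st_mode & stat.S_IWOTH:
                problems.append((rel, "world-writable"))
    return sorted(problems)

def demo():
    """Run the check on a constructed tree with two drifted files."""
    with tempfile.TemporaryDirectory() as root:
        gid = os.stat(root).st_gid            # stands in for the usetest gid
        os.chmod(root, 0o775)
        for name, mode in (("ok.txt", 0o775), ("private.txt", 0o600),
                           ("open.txt", 0o777)):
            path = os.path.join(root, name)
            open(path, "w").close()
            os.chmod(path, mode)
        return check_group_area(root, gid)

if __name__ == "__main__":
    # On the server: check_group_area("/usr/usability",
    #                                 grp.getgrnam("usetest").gr_gid)
    print(demo())
```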

3.2.4 Restarting Samba to Implement the Changes

You must restart Samba for the changes you have made in the configuration file to take effect. Complete the following steps:

  1. Save the smb.conf file.

  2. Enter the following command:

    /etc/init.d/smb restart

After preparing the Samba environment for your network users, you need to inform them about their access options. Continue with Section 4.0, Samba User Tasks.