8.5 Typical Samba Configuration Scenarios

Samba configurations can be as simple or as complex as you need them to be. This section contains some basic guidelines and examples for using the Samba Management plug-in for iManager and other tools to set up Samba access in an OES environment.

8.5.1 Setting Up a Workgroup and Shares (Access Points)

Users need to be able to access the Samba server in My Network Places and Windows Explorer just as they would a Windows server. This means that the server needs to be assigned to a workgroup and it needs to publish Windows shares (access points) that are visible to users.

The Importance of Changing the Default Workgroup Setting

When users browse the network from Windows workstations, they can typically see only the Windows workstations and servers in the same workgroup. Because WORKGROUP is the default workgroup name for all Windows 2000 and Windows XP workstations in an OES network, the WORKGROUP workgroup can contain hundreds of workstations and servers, rendering it nearly unusable.

For instructions on how to change the workgroup setting for your Samba server, see Section B.2.1, Changing the Workgroup Name.

Types of Samba Shares

By default, the Samba server publishes certain preconfigured shares. However, these defaults are insufficient for many Samba installations. For example, the users share, as it is defined by default, provides access by authenticated users to all the home directories on a traditional Linux volume.

Before your users can access Samba services, they must have rights to one or more work directories on the Samba server. There are various kinds of work areas: private, shared by a group, or publicly available. Home directories are usually private, whereas collaboration directories are shared by a group.

The following sections provide guidelines for customizing the default share configurations and setting up shares for private and group access.

8.5.2 Creating Private Home Directories for Samba Users

If you have previously administered Samba servers outside of an OES context, you might expect that user home directories are automatically created the first time a user logs in to the Samba server.

This is not the case in OES because Samba is not a PAM-enabled service. (See OES Services That Require LUM-Enabled Access in the OES 11 SP2: Planning and Implementation Guide.) Therefore, if you plan to provide Samba users with home directories, you must determine an alternate method for creating them.

Types of Volumes for Home Directories

On an OES server, there are three basic types of volumes you can use for creating home directories:

  • Traditional Linux volumes (/home)

  • Traditional Linux volumes that are also configured as NCP volumes

  • NSS volumes (which are also NCP volumes by definition)

Table 8-1 summarizes the Samba accessibility to home directories for each volume type:

Table 8-1 Home Directory Accessibility by Volume Type

Volume Type: Traditional Linux

  Creation Method: Log in as the user to a PAM-enabled service. (Samba is not PAM-enabled. Therefore, logging in to Samba doesn’t create home directories, as explained in Section A.5, Home Directory Creation Is Not Automatic.)

  Access Control: POSIX file attributes

  Initial Accessibility:

    • Visible - all home directories can be seen by an authenticated user.

    • Browseable - the content of all home directories is browseable.

    • Modifiable - owners can modify the content of their own home directories. Group and Other users can’t modify the content of directories they don’t own.

  Notes and Caveats: To make the contents of home (and other) directories private (non-browseable), use chmod to change the file attributes so that only the owner has rights. For instructions, see Providing a Private Work Directory in the OES 11 SP2: Planning and Implementation Guide.

    Alternatively, you can modify the [homes] share in the smb.conf file as explained in Section 8.5.3, Creating Home Directories on Traditional Linux Volumes. Following these instructions hides the home directories in Samba because users see only their home directory contents and not the home directory itself.

Volume Type: NCP on Traditional Linux (first creation method)

  Creation Method: iManager at user-creation time

  Access Control: POSIX file attributes

  Initial Accessibility:

    • Visible - all home directories can be seen by an authenticated user.

    • Browseable - initially no users can see directory contents. This is because the users are not the directory owners from a POSIX perspective. See the additional explanation under Notes and Caveats.

    • Modifiable - initially the user can’t modify directory contents because the user is not the directory owner from a POSIX perspective. See the additional explanation under Notes and Caveats.

  Notes and Caveats: To make these home directories browseable and modifiable for the directory owner, you must use chown to change the POSIX owner from the eDirectory Admin user to the actual user. For instructions, see Section 8.5.4, Creating Home Directories Using iManager.

    After changing POSIX directory ownership, other users are still not able to browse or modify directory contents because iManager assigns no POSIX Group or Other file attributes when it creates the directory.

Volume Type: NCP on Traditional Linux (second creation method)

  Creation Method: Log in as the user to a PAM-enabled service. (Samba is not PAM-enabled. Therefore, logging in to Samba doesn’t create home directories, as explained in Section A.5, Home Directory Creation Is Not Automatic.)

  Access Control: POSIX file attributes

  Initial Accessibility:

    • Visible - all home directories can be seen by an authenticated user.

    • Browseable - the content of all home directories is browseable.

    • Modifiable - owners can modify the content of their own home directories. Group and Other users can’t modify the content of directories they don’t own.

  Notes and Caveats: To make the contents of these home directories private (non-browseable), use chmod to change the file attributes so that only the owner has rights.

    For more information, see Providing a Private Work Directory in the OES 11 SP2: Planning and Implementation Guide.

Volume Type: NSS

  Creation Method: iManager at user-creation time

  Access Control: NCP trustee assignments in combination with NSS directory and file attributes

  Initial Accessibility:

    • Visible - only the user’s home directory

    • Browseable - only the user’s home directory

    • Modifiable - only the user’s home directory

  Notes and Caveats: NSS displays its directory and file attributes as POSIX permissions for compatibility with services that require them, such as Samba. However, the underlying access for Samba users is controlled by NSS.

    For more information, see Understanding File System Access Control Using Trustees in the OES 11 SP2: File Systems Management Guide.

Methods for Creating Home Directories

There are several methods for creating home directories on traditional Linux volumes. See Section 8.5.3, Creating Home Directories on Traditional Linux Volumes.

You can create home directories on NSS/NCP volumes automatically when you create Samba users in eDirectory. See Section 8.5.4, Creating Home Directories Using iManager.

8.5.3 Creating Home Directories on Traditional Linux Volumes

On traditional Linux volumes, you should create home directories after the users are enabled for Linux access (LUM) and Samba. This will ensure that the required access rights are automatically assigned. In order to grant a user access to Samba shares on a POSIX file system, the user must be a member of a LUM-enabled group.

Logging In to Create Home Directories

Home directories are automatically created and appropriate file access rights are automatically assigned the first time an eDirectory user who is enabled for Linux access (LUM) logs in to the OES server using PAM-enabled services, such as login, ssh, ftp, or a telnet connection. For more information, see OES Services That Require LUM-Enabled Access in the OES 11 SP2: Planning and Implementation Guide.

The simplest approach for many network administrators is to log in to the OES server as the root user and use the su command at the shell prompt to create a home directory for each user, as follows:

    su username
    exit

where username is the login name of the user for which the home directory is being created.

Alternatively, if your users access the OES server using a PAM-enabled service, you could have them log in to the server to create their own home directories.

Editing the [homes] Share in the smb.conf File

Use the information in Table 8-2 and a text editor, such as gedit or vi, to provide access for your network users to only their individual home directories.

For additional information about the smb.conf file, see The smb.conf Configuration File.

Table 8-2 Customizing the /etc/samba/smb.conf file for Home Directory Access Only

Section: [homes]

  Description: This sets up a share named homes.

    The primary purpose of this standard Samba share is to expose only the home directories of your Samba users.

    The parameters in this section provide private access to home directories, which is the expectation of most network administrators.

  Recommended Action:

    1. To learn more about the parameters in this and other sections, search the Web for information about the smb.conf file.

Section: [homes], Entry Name: path =

  Description: This parameter is not needed if user Home directories are contained in /home on the server because the path for this share defaults to /home/%S—the Home directory of the logged in user.

  Recommended Action:

    1. To provide access to home directories in a non-standard (other than /home/%S) location, specify the full path from the root of the file system.

    2. Be sure to end the path with /%S. Otherwise, all the Home directories will be visible to each Samba user.

Section: [all other share names]

  Description: These set up various other shares that are not needed for private home directory access. In fact, the [users] share actually makes all the home directories visible to every Samba user.

  Recommended Action:

    1. To preserve file contents for future reference while also removing these shares, comment out each line of the rest of the file, by inserting a pound sign (#) at the beginning of each line.

       Otherwise, delete these lines.

You must restart Samba for the changes you have made in the configuration file to take effect. Complete the following steps:

  1. Save the smb.conf file.

  2. Enter the following command at a terminal prompt:

    /etc/init.d/smb restart
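The check below is an added example, not part of the OES documentation. It reads an smb.conf and reports the two conditions Table 8-2 warns about: a [homes] path that does not end with /%S, and any share other than [homes] that is still published. The function names and both sample files are constructed for illustration.

```shell
# Added example: check an smb.conf against the Table 8-2 guidance.
# Function names and both sample files are constructed for illustration.
sample_weak() {       # [homes] path lacks /%S; default [users] share remains
cat <<'EOF'
[global]
    workgroup = ENGINEERING
[homes]
    path = /data/home
    read only = No
# [groups] is commented out, so it is ignored
[users]
    path = /home
EOF
}

sample_fixed() {      # only [homes], path ends with /%S
cat <<'EOF'
[global]
    workgroup = ENGINEERING
[homes]
    path = /data/home/%S
EOF
}

# audit_smb_conf [FILE]: reads FILE (or stdin), prints one FINDING line per
# problem, and returns 1 if anything was flagged, 0 otherwise.
audit_smb_conf() {
    awk '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }          # comments, blank lines
        /^[ \t]*\[.*\][ \t]*$/ {                        # section header
            sec = tolower(trim($0)); sec = substr(sec, 2, length(sec) - 2)
            if (sec != "global" && sec != "homes") {
                print "FINDING: share [" sec "] is still published"; bad++
            }
            next
        }
        sec == "homes" && index($0, "=") {              # parameter in [homes]
            key = tolower(trim(substr($0, 1, index($0, "=") - 1)))
            val = trim(substr($0, index($0, "=") + 1))
            if (key == "path" && val !~ /\/%S$/) {
                print "FINDING: [homes] path " val " does not end with /%S"; bad++
            }
        }
        END { exit (bad > 0) }
    ' "$@"
}
sample_weak | audit_smb_conf || true    # reports two findings
sample_fixed | audit_smb_conf && echo "OK: only [homes], path ends with /%S"
```

A [homes] section with no path parameter is not flagged, because the share then defaults to /home/%S as described in Table 8-2.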

Using Linux User Management Commands to Create Home Directories

You can use either the namuseradd or namusermod command with the -m option to create home directories, as documented in Using Command Line Utilities to Manage Users and Groups in the OES 11 SP2: Novell Linux User Management Administration Guide.

8.5.4 Creating Home Directories Using iManager

If you plan to create home directories for eDirectory users on an NSS/NCP volume (the volume must exist and be mounted), and you have the NCP server installed and running (the OES default), you can create user home directories in iManager at the same time you create the user objects. (iManager cannot create home directories on traditional Linux volumes that are not also NCP volumes.)

There is one important caveat: directories created using this method are owned from a POSIX perspective by the eDirectory user who creates the user. It is important to understand the implications of this caveat:

  • For NSS volumes, POSIX ownership has no bearing on Samba access to NSS volumes because NSS controls access based on the Novell trustee model.

  • For NCP volumes on Linux POSIX file systems, POSIX ownership is an issue for Samba access when the NCP volume is defined on a Linux POSIX file system. Because access to Linux POSIX file systems is controlled through POSIX, users cannot access their own home directories until ownership is changed.

    You can reassign directory ownership after the user is enabled for Samba by using the chown command.

    For example, to change ownership of the /home/user1 directory from the Admin user to user1, you would enter

    chown -R user1: /home/user1

    The -R option applies the operation recursively to all subdirectories and files.
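As an added example (not from the OES documentation), the following script audits home directories on a Linux POSIX file system for the two conditions described in Table 8-1 and in this section: a directory whose POSIX owner is not the user it is named for, and Group or Other permission bits that leave the contents browseable. It assumes GNU stat and that each directory is named after its user; the fixture and the newuser1 name are constructed, and the check does not apply to NSS volumes, where trustees control access.

```shell
#!/bin/sh
# Added example: audit POSIX home directories for Samba use.
# audit_homes BASE: prints one line per problem found under BASE and
# returns 0 when nothing is flagged, 1 otherwise.
audit_homes() {
    base=$1; findings=0
    for dir in "$base"/*/; do
        dir=${dir%/}; user=${dir##*/}
        [ -d "$dir" ] && [ ! -L "$dir" ] || continue   # real directories only
        owner=$(stat -c %U "$dir")                     # POSIX owner name
        go=$(stat -c %A "$dir" | cut -c5-10)           # group+other bits, e.g. r-xr-x
        if [ "$owner" != "$user" ]; then
            # The user cannot use the directory until ownership is changed.
            echo "$user: POSIX owner is $owner; fix: chown -R $user: $dir"
            findings=$((findings + 1))
        fi
        if [ "$go" != "------" ]; then
            # Any group/other bit makes the contents visible to other users.
            echo "$user: group/other bits '$go' set; one fix: chmod 700 $dir"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed fixture: one private directory named after whoever owns the
# temporary tree, and one directory (newuser1) that is owned by someone other
# than the user it is named for and still has mode 755.
make_fixture() {
    t=$(mktemp -d)
    me=$(stat -c %U "$t")
    mkdir -m 700 "$t/$me"
    mkdir -m 755 "$t/newuser1"
    echo "$t"
}

fixture=$(make_fixture)
audit_homes "$fixture" || echo "Resolve the findings above before users rely on these directories."
rm -rf "$fixture"
```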

When assigning trustee rights for access to Samba shares on NSS volumes, it is often easier to grant trustee rights to groups rather than to individual users. Keep in mind that a Samba user only needs to be a member of one LUM-enabled group. If you use the Samba Management plug-in for iManager, users are automatically made members of the default Samba users group, which is LUM-enabled. It is not necessary to LUM-enable other groups that are created solely for the purpose of granting trustee rights to the NSS file system.

8.5.5 Creating a Share for Group Access: NSS/NCP Example

You can create shares with unique names, such as volumes that users are familiar with, and provide access to them.

For example, if your Samba users keep their work files on an NSS volume named PROJECTS, you could create a share to the /media/nss/PROJECTS directory.

  1. In iManager, select File Protocols > Samba and select your Samba server.

  2. Click the Shares tab and select New.

  3. Specify the following information to create the new share:

    • Share Name: projects

    • Path: /media/nss/PROJECTS

    • Comment: Project folders

    • Read-Only: No

    • Inherit ACLs: Yes

    Click OK.

  4. Using iManager > Files and Folders, create folders for each project and assign trustee rights.

    For example, you could create folders named wheel and lever and assign the following trustee rights:

    • For projects:wheel, assign user1 all rights and user2 Read and File Scan rights.

    • For projects:lever, assign user2 all rights and user1 Read and File Scan rights.

      Because Samba access to NSS volumes is controlled by NCP trustee rights, user1 and user2 can now work in their respective project folders, and they can see but not change the contents of the project folder belonging to their coworker. Adjusting POSIX permissions is not required.

NOTE: You can also assign trustee rights from the command line. The rights command available at the terminal prompt is for working with NSS volumes only. For information on using the rights utility at the shell prompt, enter rights.

The rights command in the ncpcon utility is for working with any NCP volume, including NCP volumes defined on Linux POSIX file systems. For information about the ncpcon rights command, run ncpcon and enter help rights.

8.5.6 Creating a Share for Group Access: POSIX Example

You can create shares for groups to use.

For example, if you have a group of Samba users who want to collaborate regarding usability ideas, you could create a usability folder and grant access to it by using Linux commands.

This example shows how to create a share by editing the smb.conf file.

  1. Create a folder named usability in /usr.

  2. Create a [usability] share in the smb.conf file by inserting the following lines:

    [usability]
    comment = Usability Ideas
    path = /usr/usability
    browseable = Yes
    read only = No
    inherit acls = Yes

  3. Save the smb.conf file.

  4. Restart Samba by entering the following command at the terminal prompt:

    /etc/init.d/smb restart

  5. Create a LUM-enabled group and assign the Samba users to it. For example, create a group called usetest.

  6. Change the group owner of the /usr/usability folder to usetest and grant the usetest group read, write and execute rights by entering the following at a terminal prompt:

    chown -R :usetest /usr/usability
    chmod -R 775 /usr/usability

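    The users would then be able to collaborate with each other in the /usr/usability folder. Because mode 775 also leaves read and execute rights for Other, accounts outside the usetest group can still browse and read the contents of the folder.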

For more information on creating group work directories, see Providing a Group Work Area in the OES 11 SP2: Planning and Implementation Guide.

8.5.7 Aligning Samba and Novell Client Access

If you plan to have users access files and directories through both Samba and the Novell Client software, be sure to read Aligning NCP and POSIX File Access Rights in the OES 11 SP2: Planning and Implementation Guide and follow the directions there.