Samba hint

Patrick Kirk patrick at
Mon Sep 3 04:35:15 PDT 2001

Hi guys,

I messed up the paths on a few of my first installations and am
gradually putting everything nicely into /usr/local.  Today was samba's
turn and I've written a hint which I hope you find helpful.

TITLE:          Samba File and Print Server Hint
AUTHOR:         Patrick Kirk <patrick at>


Samba allows your Linux box to perform a number of functions that are
typically the preserve of Windows 2000 Server Edition, for example
acting as a Primary Domain Controller for a Win2k Domain, acting as a
Backup Domain Controller or simply as a file server to share disk space
with Windows PCs in a safe and secure manner.  In all these capacities,
Samba can be expected to save a lot of license fees and be far more
secure than any alternative.

This hint is for setting up samba as a file and print server on a machine
where security is important.  The emphasis is on security for the server
and ease of use for the users.

For example, I use these settings on the machine that shares my ADSL

1. Installation

Samba can be downloaded from  Its default installation
creates a directory called samba in /usr/local and tidily puts all its
bits in there.  If, like me, you like to be able to back up your system
configuration just by backing up /etc, this needs to be changed.  Also,
to save messing around with editing your path, it is worth specifying
that the executables go in /usr/local/bin and sbin as appropriate.

As root execute these commands:

cd /usr/src &&
tar xzvf samba*.tar.gz &&
mkdir -p /etc/samba  &&
mkdir -p /var/lock/samba  &&
cd samba-2.2.1a/source &&
./configure --prefix=/usr/local --bindir=/usr/local/bin \
--sbindir=/usr/local/sbin --libdir=/etc/samba --sysconfdir=/etc/samba &&
make \
&& make install

2. Setting up sharing

In /etc/samba create a file called smb.conf and paste the following in:

# Comments must start a line: Samba reads anything after '=' as the value.
[global]
        # Put your own in here.
        workgroup = KIRKS.NET
        # The hostname for your machine
        netbios name = ENTERPRISE
        server string = %h server (Samba %v)
        encrypt passwords = Yes
        # Make backups
        smb passwd file = /etc/samba/sambapasswd
        # Level of logging to syslog.  Keep this low
        syslog = 0
        max log size = 1000
        # where to keep records
        log file = /var/log/samba/samba.log.%m
        # Log interesting stuff only
        log level = 2
        # Performance tuning - this works.  RTFM before tweaking
        socket options = IPTOS_LOWDELAY TCP_NODELAY SO_SNDBUF=4096
        # One tool for one job.  Use bind for
        dns proxy = No
        # These entries are essential.
        invalid users = root
        # Otherwise someone could attack the shares just by browsing from
        # your workstation
        # Specify the IP range of your LAN and the ethernet card used to
        # access the LAN
        # Leave the entry there for diagnostics
        interfaces = eth0
        # Even if a remote attacker decodes a password, he is still
        # locked out
        bind interfaces only = yes

[homes]
        # Allows users to store their data on the server
        comment = Home Directories
        read only = No
        create mask = 0700
        directory mask = 0700
        browseable = Yes

[data]
        # Create a folder for publicly shared resources like
        # databases, telephone lists, etc.
        comment = Data Files and Backups
        # You need to set a path to the shared folder.  In my case...
        path = /home/data
        read only = No
        create mask = 0775
        directory mask = 0775
        browseable = Yes

[system]
        # Copy the i386 folder from the Win2k CD here.
        # Saves lots of time installing new drivers!
        # Any other CDs you use a lot.
        comment = System and Installation Files
        # You need to set a path to the shared folder.  In my case...
        path = /home/system
        read only = No
        create mask = 0775
        directory mask = 0775
        browseable = Yes

[printers]
        comment = All Printers
        path = /tmp
        create mask = 0700
        printable = Yes
        browseable = No

# End of file

3. Setting up Users

smbpasswd -a john adds john and prompts you for john's password.  Unless
you have lots of users, repeat this for each.  If you have too many for
this to be practical, configure SWAT, which allows you to manage users
and groups from a remote web browser.  SWAT is very easy to use, but if
you need to use it there is detailed documentation including an O'Reilly
book in HTML format on

4. Setting up Client Machines

Windows 2000 machines will now just work if the username on the machine
is the same as the account name you set up on the samba server.  If not
the same, then map network drives and take the option to use the drive
under the name and password you set up on the server.

You might consider creating a batch file called login.bat in the startup
group of client boxes that goes as follows:

net use h: \\\homes /persistent:no

net use i: \\\data /persistent:no

net use j: \\\system /persistent:no

5. Starting samba
Create a file in /etc/init.d called samba and paste the following in:

#!/bin/bash
# Begin /etc/init.d/samba

# Include the functions declared in the /etc/init.d/functions file

source /etc/init.d/functions

case "$1" in
        start)
                echo -n "Starting Samba daemon..."
                loadproc /usr/local/sbin/nmbd

                echo -n "...Samba daemon started!"
                loadproc /usr/local/sbin/smbd
                ;;

        stop)
                echo -n "Stopping Samba daemon!"
                killproc smbd

                echo -n "...Samba daemon stopped."
                killproc nmbd
                ;;

        reload)
                echo -n "Reloading Samba daemon configuration file..."
                reloadproc smbd
                reloadproc nmbd
                ;;

        restart)
                $0 stop
                /usr/bin/sleep 1
                $0 start
                ;;

        status)
                statusproc /usr/local/sbin/nmbd
                statusproc /usr/local/sbin/smbd
                ;;

        *)
                echo "Usage: $0 {start|stop|reload|restart|status}"
                exit 1
                ;;
esac

# End /etc/init.d/samba

To start samba, simply enter /etc/init.d/samba start

To have samba start every time your machine starts, run the following

chmod 754 /etc/init.d/samba &&

ln -s  ../init.d/samba /etc/rc0.d/K400samba &&

ln -s  ../init.d/samba /etc/rc1.d/K400samba &&

ln -s  ../init.d/samba /etc/rc2.d/K400samba &&

ln -s  ../init.d/samba /etc/rc3.d/S600samba &&

ln -s  ../init.d/samba /etc/rc4.d/S600samba &&

ln -s  ../init.d/samba /etc/rc5.d/S600samba &&

ln -s  ../init.d/samba /etc/rc6.d/K400samba

6. The end
Congratulations.  You now have a fileserver set up that is safe, stable
and secure.
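
Added example, not part of the original hint: a small checker for the smb.conf from section 2 that reads the file the way Samba does, where # starts a comment only at the beginning of a line, and reports when one of the [global] settings the hint calls essential is missing or has been swallowed by a trailing comment. The sample configurations and the names parse_smb_conf and audit are constructed for illustration.

```python
import re

BOOL_TRUE = {"yes", "true", "1"}

# Constructed sample input (not from the hint): one trailing comment.
TRAILING = """[global]
    encrypt passwords = Yes   # comment text
    invalid users = root
    interfaces = eth0
    bind interfaces only = yes
"""
# Same settings with the comment moved to its own line.
OWN_LINE = TRAILING.replace("Yes   # comment text", "Yes\n    # comment text")

def parse_smb_conf(text):
    """Parse like Samba: '#' or ';' is a comment only at the start of a
    line, so everything after '=' (trailing '#' included) is the value."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            current[" ".join(name.lower().split())] = value.strip()
    return sections

def audit(text):
    """Return findings for the [global] settings the hint relies on."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings = [f"[{sec}] {name}: trailing comment is read as part of the value"
                for sec, params in conf.items()
                for name, value in params.items() if re.search(r"\s[#;]", value)]
    for name in ("encrypt passwords", "bind interfaces only"):
        if g.get(name, "").lower() not in BOOL_TRUE:
            findings.append(f"[global] {name} is not enabled")
    if "root" not in re.split(r"[\s,]+", g.get("invalid users", "")):
        findings.append("[global] invalid users does not list root")
    if not g.get("interfaces"):
        findings.append("[global] interfaces is not set")
    return findings

if __name__ == "__main__":
    for label, text in (("trailing", TRAILING), ("own line", OWN_LINE)):
        print(label, audit(text) or "ok")
```

Run audit() on the contents of /etc/samba/smb.conf before starting the daemons; an empty list means all four settings were read with the values intended.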
