samba hint

Patrick Kirk patrick at
Wed Mar 6 02:16:24 PST 2002

On Sat, 2001-12-15 at 02:32, Ian Chilton wrote:
> Hello,
> > Ian, would you mind adding this to the SAMBA hint?
> Best thing would be for you as the author to revise the hint and drop
> the whole new file as an attachment to hints at

Gosh I work fast!  Only 3 months to add 2 words.

Best regards,

Patrick Kirk
Senior Consultant
Enterprise High Reliability
-------------- next part --------------
TITLE:        Samba File and Print Server Hint
AUTHOR:        Patrick Kirk < patrick at >


Samba allows your Linux box to perform a number of functions that are
typically the preserve of Windows 2000 Server Edition, for example
acting as a Primary Domain Controller for a Win2k Domain, acting as a
Backup Domain controller or simply as a file server to share disk space
with Windows PCs in a safe and secure manner.  In all these capacities,
Samba can be expected to save a lot of license fees and be far more
secure than any alternative.

This hint is for setting up samba as a file and print server on machine
where security is important.  The emphasis is on security for the server
and ease of use for the users.  For example, I use these settings on the
machine that shares my ADSL connection.  

1. Installation

Samba can be downloaded from  Its default installation
created a directory called samba in /usr/local and tidily puts all its
bits in there.  If like me you like to ne able to backup your system
configuration just by backing up /etc this needs to be changes.  Also,
to save messing around with editing your path, it is worth specifying
the executables go in /usr/local/bin and sbin as appropriate.

As root execute these commands:

cd /usr/src &&
tar xzvf samba*.tar.gz &&
mkdir -p /etc/samba  &&
mkdir -p /var/lock/samba  &&
cd samba-2.2.1a/source &&
./configure --prefix=/usr/local --bindir=/usr/local/bin \
--sbindir=/usr/local/sbin --libdir=/etc/samba --sysconfdir=/etc/samba \
--with-smbmount && make && make install 

2. Setting up sharing

In /etc/samba create a file called smb.conf and paste the following in:

    workgroup = KIRKS.NET    # Put your own in here.
    netbios name = ENTERPRISE    # The hostname for your machine
    server string = %h server (Samba %v)
    encrypt passwords = Yes
    smb passwd file = /etc/samba/sambapasswd    #Easier backups
    syslog = 0    #Level of logging to syslog.  Keep this low
    max log size = 1000
    log file = /var/log/samba/samba.log.%m # where to keep records
    log level = 2    #Log interesting stuff only
    # Performance tuning - this works.  RTFM before tweaking
    socket options = IPTOS_LOWDELAY \ 
    dns proxy = No    #One tool for one job.  Use bind for DNS.
    #These  entries are essential.
    invalid users = root    
    #Otherwise someone could attack the shares just by browsing 
     # from your workstation
    # Specify the IP range of your LAN and the ethernet card used to
    # access the LAN
    # Leave the entry there for diagnostics
    interfaces = eth0 
    # Even if a remote attacker decodes a password, he is still
    # locked out 
    bind interfaces only = yes

    # Allows users to store their data on the server
    comment = Home Directories
    read only = No
    create mask = 0700
    directory mask = 0700
    browseable = Yes
    # Create a folder for publicly shared resources like 
    # databases, telephone lists, etc.
        comment = Data Files and Backups
    # You need to set his path.  Mine is...
        path = /home/data
        read only = No
        create mask = 0775
        directory mask = 0775
        browseable = Yes

    # Copy the i386 folder from the Win2k CD here. 
    # Saves lots of time installing new drivers! 
    # Any other other CDs you use a lot.
        comment = System and Installation Files
    # You need to set his path.  Mine is...
        path = /home/system
        read only = No
        create mask = 0775
        directory mask = 0775
        browseable = Yes

        comment = All Printers
        path = /tmp
        create mask = 0700
        printable = Yes
        browseable = No

# End of file

3. Setting up users
smbclient -a john adds john and prompts you for john's password.  Unless
you have lots of users, repeat this for each.  If you have too many for
this to be practical, configure SWAT which allows you to manage users
and groups from a remote web-browser.  SWAT is very easy to use but if
you need to use it there is detailed documentation including an O'Reilly
book in html format on

4. Setting up client machines
Windows 2000 machines will now just work if the username on the machine
is the same as the account name you set up on the samba server.  If not
the same, then map network drives and take the option use the drive
under the name and password you set up on the server.

You might consider creating a batch file called login.bat in the startup
group of client boxes that goes as follows:

net use h: \\\homes /persistent:no

net use i: \\\data /persistent:no

net use j: \\\system /persistent:no

5. Starting samba
Create a file in /etc/init.d called samba and paste the following in:

# Begin /etc/init.d/samba

# Include the functions declared in the /etc/init.d/functions file

source /etc/init.d/functions

case "$1" in
                echo -n "Starting Samba daemon..."
                loadproc /usr/local/sbin/nmbd

                echo -n "...Samba daemon started!"
                loadproc /usr/local/sbin/smbd

                echo -n "Stopping Samba daemon!"
                killproc smbd

                echo -n "...Samba daemon stopped."
                killproc nmbd

        echo -n "Reloading Samba daemon configuration file..."
                reloadproc smbd
        ireloadproc nmbd

                $0 stop
                /usr/bin/sleep 1
                $0 start

                statusproc /usr/local/sbin/nmbd
                statusproc /usr/local/sbin/smbd

                echo "Usage: $0 {start|stop|reload|restart|status}"
                exit 1


# End /etc/init.d/samba

To start samba, simply enter /etc/init.d/samba start

To have samba start every time your machine starts, run the following

chmod 754 /etc/init.d/samba &&

ln -s  ../init.d/samba /etc/rc0.d/K400samba &&

ln -s  ../init.d/samba /etc/rc1.d/K400samba &&

ln -s  ../init.d/samba /etc/rc2.d/K400samba &&

ln -s  ../init.d/samba /etc/rc3.d/S600samba &&

ln -s  ../init.d/samba /etc/rc4.d/S600samba &&

ln -s  ../init.d/samba /etc/rc5.d/S600samba &&

ln -s  ../init.d/samba /etc/rc6.d/K400samba

6. The end
Congratulations.  You now have a fileserver set up that is safe, stable
and secure.

More information about the hints mailing list