Deploying Suse Linux Enterprise Server


Purchase "Deploying Suse Linux Enterprise Server"
at Lulu.com

Configuring the Samba Server

Samba Shares

Once you have the Samba Server Role, the Samba Backend and the framework to start adding data into the Samba backend in place, you can then focus on creating Samba Shares that will allow your users to store and share files/folders on your Samba Server.

As you create these Samba shares, the number one objective to keep in mind is how to implement a good security policy without forcing the users to be computer experts. Unfortunately, most administrators, as well as Server Operating Systems (including Microsoft Windows Servers), take the least secure way of handling this task, which is to simply allow everyone access to everything by default. With most Unix and nearly all GNU/Linux Operating Systems, however, the filesystem is quite secure by default. This forces the administrator to look for a more secure approach to implementing file sharing on the server, rather than taking the "readable/writable by everyone" approach.

Although most GNU/Linux Distributions now have support for POSIX ACLs (Access Control Lists), the technique that I am going to show you simply takes advantage of the user's group membership information. This allows you to specify that only Group A or Group B can access and/or write to a share. For instance, I will show you how to implement a Samba share named "Office" where only the members of the "office" group will be able to read and write to it.

Creating Samba Shares

If you remember from the first part of this Chapter, Samba is configured through a single configuration file, smb.conf. This file is separated into two parts, the [global] section and a section for every share available on your server. Here is a sample share directive:

[share1]
        comment = Testing Share
        read only = No
        inherit acls = Yes
        path = /srv/exports/share1

Ordinarily you simply edit the smb.conf file and add any share you want on your server. With Suse Linux Enterprise Server, however, you can use the Yast Samba Server module to add any shares you need for your server.


Samba Share Tab of the Samba Server Yast module

Now that you have the basic premises down, I am going to step through creating a share for all of the office workers on your network. For this to work properly, you must already have the group created within your system and have that group mapped to a Samba Group (covered in an earlier section).

First, create the directory you are going to use for the share. You must also prep this directory by giving it the correct group ownership and permissions. For instance, I usually do the following:

        mkdir /srv/exports/office
        chgrp office /srv/exports/office
        chmod 2770 /srv/exports/office

This ensures that the "office" group can write to the directory and, through the setgid bit (the leading 2 in the mode), that any file or directory added within this directory will be owned by the office group. This matters when someone accesses the directory from the server itself or through NFS rather than through Samba. (See Appendix I for more information regarding File Permissions.)
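
To confirm that an export directory really carries the 2770 layout described above, the following Python check can be run against it. It is an added example, not part of the original chapter; the function names are hypothetical and the invocation shown in the comment is an assumed one.

```python
import grp
import os
import stat
import sys


def mode_problems(st_mode):
    """Return the ways a mode deviates from the 2770 layout used for the share."""
    if not stat.S_ISDIR(st_mode):
        return ["not a directory"]
    problems = []
    if not st_mode & stat.S_ISGID:
        problems.append("setgid bit missing: new files keep the creator's primary group")
    if st_mode & stat.S_IRWXG != stat.S_IRWXG:
        problems.append("group lacks full rwx: members cannot list or create files")
    if st_mode & stat.S_IRWXO:
        problems.append("'other' has access: non-members can reach it locally or over NFS")
    return problems


def audit_share_dir(path, group):
    """Check a directory on disk against the expected group and mode."""
    st = os.stat(path)
    problems = mode_problems(st.st_mode)
    try:
        actual = grp.getgrgid(st.st_gid).gr_name
    except KeyError:  # gid with no name in the group database
        actual = str(st.st_gid)
    if actual != group:
        problems.insert(0, f"group is {actual!r}, expected {group!r}")
    return problems


if __name__ == "__main__" and len(sys.argv) == 3:
    # Assumed invocation: python3 check_share_dir.py /srv/exports/office office
    for finding in audit_share_dir(sys.argv[1], sys.argv[2]) or ["ok"]:
        print(f"{sys.argv[1]}: {finding}")
```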

Once the directory is "prepped" you can create the share directive within the smb.conf file. The directive I usually use is listed below. Note how I make use of different samba parameters to ensure that only members of the "office" group can access the share.

[office]
        comment = Office Share
        path = /srv/exports/office/
        writeable = yes
        browseable = yes
        guest ok = no
        printable = no
        force group = office
        valid users = @office
        create mode = 0660
        directory mode = 0770
        inherit acls = Yes
        veto oplock files = /*.mdb/*.MDB/*.dbf/*.DBF/
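
The difference between the earlier [share1] sample and this [office] directive can be checked mechanically. The Python script below is an added example, not from the original chapter: it flags any share that allows guests or is writable without a "valid users" list. It reads only each share's own section (no [global] defaults or include files), and its function names are hypothetical.

```python
# smb.conf parameter names ignore case and spaces; synonyms per smb.conf(5).
TRUE = {"yes", "true", "1"}
WRITE_KEYS = {"writeable", "writable", "writeok"}  # inverted synonyms of "read only"
GUEST_KEYS = {"guestok", "public"}
# The [share1] and [office] directives from this page, trimmed.
SAMPLE = """\
[share1]
        read only = No
        path = /srv/exports/share1
[office]
        writeable = yes
        guest ok = no
        force group = office
        valid users = @office
"""

def parse_shares(text):
    """Parse smb.conf text into {section: {normalised_key: value}}."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = shares.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.replace(" ", "").lower()] = value.strip()
    return shares

def is_true(opts, keys):
    return any(opts.get(k, "").lower() in TRUE for k in keys)

def audit(text):
    """Return {share: [findings]} for shares open to guests or writable by any account."""
    report = {}
    for name, opts in parse_shares(text).items():
        if name == "global":  # defaults section, not a share
            continue
        findings = []
        if is_true(opts, GUEST_KEYS):
            findings.append("guest access is enabled")
        writable = is_true(opts, WRITE_KEYS) or opts.get("readonly", "yes").lower() not in TRUE
        if writable and not opts.get("validusers"):
            findings.append("writable with no 'valid users' list")
        report[name] = findings
    return {n: f for n, f in report.items() if f}

if __name__ == "__main__":
    print(audit(SAMPLE))
```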

To create this share on a SLES server, click on the "Add" button within the "Shares" tab of the Yast Samba Server module. This will launch the "New Share" screen where you can enter basic information about the share. Then you can click on the "Edit" button to adjust the advanced parameters of the share.


Creating a New Share and Editing It within SLES

Standard Shares to Implement

When you deploy a Samba Server as a Domain Controller, there are certain shares that you will probably need to implement in order for the server to operate correctly. Some of these shares are listed below; others are covered in other sections.

Homes Share

The Homes Share is a special share that automatically creates a share based on the username of the person who logs into the client. This ensures that the user's files are readily available without forcing the administrator to create a new share for every user. This share is accessed through \\servername\username.

[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes
        
	

Netlogon Share

In order to support advanced functions of a Primary Domain Controller, you must create a "Netlogon" share. Clients connect to this share automatically upon login. You can use this share to implement Logon Scripts, System Policies and Network Default Profiles. These implementations are discussed later. Just ensure that everyone logging into your Domain can read the contents of this share.

[netlogon]
        comment = Network Logon Service
        path = /var/lib/samba/netlogon
        write list = root
	

Users Share

Since every user has their own directory, it may sometimes be worthwhile to implement a share, accessible only by the Network Administrators, that gives them access to all of the users' home directories. Please be aware that you probably need to address any security concerns with the Network's Owner before you implement this share to ensure that you don't inadvertently overstep the organization's computer or network policies.

[users]
        comment = All users
        path = /home
        read only = No
        valid users = @ntadmins
        create mode = 0660
        directory mode = 0770
        inherit acls = Yes
        veto files = /aquota.user/lost+found/
	

Note: Windows networking is a very complex subject and this section simply covers the basics of creating Samba Shares. You may run into advanced issues concerning file locks, filesystem semantics, etc. For more information on these issues visit the Samba Website to access additional documentation or subscribe to mailing lists.
