
What is a Samba server. Samba and Windows: a file server for a Windows network. Secrets of Samba optimization

Sometimes it is simple interest and curiosity that push users to search for suitable software. Samba is one such program. You need to know how to configure Samba on Ubuntu Server if you want to turn your computer into a database or file storage.

Installing Samba on Ubuntu Server makes it possible to create a database.

If you thought this page was about the dance, you are slightly mistaken. Samba is freely distributed software. It provides access to printers and files, and does so across different operating systems.

What is it needed for?

Compared with other software packages, Samba has several advantages and features.

  • It connects UNIX-like systems, i.e. any Linux system, with Windows. And not only Windows: the program is very "omnivorous" and also works with MacOS, Solaris and other operating systems of varying popularity.
  • Samba lets Windows users use Ubuntu computers as a server, that is, use the files to which access has been granted, as well as some of the connected devices.
  • It supports the NT domain structure, manages NT users, and supports member server and primary controller functions.

Probably, for many, the most important of these is the connection with Windows machines. In this case they act as clients and the Ubuntu computer acts as the server. On the other hand, an Ubuntu user can also access Windows network folders.

Samba has been developed since 1992 and, most importantly, new versions are still coming out. The latest was released on the seventh of March 2017. Every year the developers try to establish compatibility with a large number of operating system versions, but the main feature remains the connection of Linux systems with Microsoft ones. Compared with Windows Server, Samba may fall short because it lacks support for some protocols and for the node infrastructure. However, many argue that Samba is much faster.

Configuring Samba

Before it can be configured, the program must be installed. Samba is installed in the same way as other programs, with a terminal command:

sudo apt-get install samba

Note right away: all the actions described here, including the installation, can be performed both on regular Ubuntu and on Ubuntu Server. The latter only has a text interface.

After installation, back up the configuration file:

$ sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.bak

$ sudo vi /etc/samba/smb.conf

Alternatively, edit the existing one. This file contains the basic Samba server settings. To understand what we will do next, you need to know what the different lines mean.

  • workgroup - the workgroup. The value of this parameter is often WORKGROUP as well, since that is what the default workgroup domain looks like.
  • netbios name - the name of the Ubuntu computer that Windows users see. You can enter any value you like.
  • security - the user authorization mode. The default is user, that is, user-level authentication. For now it is best to leave it that way.
  • os level - sets the priority that Samba has over other clients (PCs) on the local or Internet network.
  • name resolve order - the order in which IP addresses are resolved from NetBIOS names.
  • read only - the read or write privilege for a directory. The value can be "yes" (read only) or "no" (writing allowed).

Create a user

This is the simplest action with which to start working with Samba.

Add a user in the OS itself:

$ useradd -M -l -s /sbin/nologin username

Create a password for it:

Add our user to the Samba database:

$ smbpasswd -a username

With the smbpasswd command you can perform other actions as well:

  • $ smbpasswd username - change the password
  • $ smbpasswd -x username - delete the user
  • $ smbpasswd -d username - user

The server must be restarted whenever you change the configuration file. This is done with the command:

$ systemctl restart smb

These are the basic Samba settings. Now you can try the program in practice.

Access to the folder

First, let's create a folder that is open to all users, even those who are not authorized in Samba.

Create a folder that we will then work with from two computers:

$ sudo mkdir -p /samba/access

Now open up access to this folder so that any client on our local network can open it:

$ cd /samba
$ sudo chmod -R 0755 access
$ sudo chown -R nobody:nogroup access/

According to these commands, the owner is nobody.

Now you need to create two sections in the server configuration file. The first contains the basic information:

[global]
workgroup = WORKGROUP
server string = Samba Server %v
netbios name = SRVR1
security = user
map to guest = bad user
name resolve order = bcast host
dns proxy = no
#==============
And the second contains the data about the Access folder:

path = /samba/access
browsable = yes
writable = yes
guest ok = yes
read only = no

Keep the sections in this order.

Apply the changes on the server:

$ sudo service smbd restart

Steps on the Windows computer

A few steps are also needed on Windows so that you can easily open the new shared folder and edit it.

  1. Open the command line. It is advisable to do this with elevated rights, i.e. as administrator.
  2. Run the command:
    notepad C:\Windows\System32\drivers\etc\hosts
  3. In the file that opens, enter the following line:
    168.0.1 srvr1.domain.com SRVR1
    Thanks to it, the folder will become available.
  4. You can open it using "Run". Press Win + R, enter: After that, the folder will open.

Closed folder

The configured Samba server can also be used to create network folders with restricted access. Such a folder also has to be created first and then added to the Samba configuration.

Create a folder called "closed":

$ sudo mkdir -p /samba/access/closed

Create a special group that will have access to this folder:

$ sudo addgroup securedgroup

Set special permissions for the different groups:

$ cd /samba/access
$ sudo chown -R richard:securedgroup closed
$ sudo chmod -R 0770 closed/

As with the open folder, add the information to the configuration:


path = /samba/access/closed
valid users = @securedgroup
guest ok = no
writable = yes
browsable = yes

Restart the server.

As you can see, we created the closed folder inside access. Thus every user on the local network can open access, but to view and edit closed you need special rights.

To make sure that everything works exactly as we specified in the configuration file, you can perform a few simple actions.

Create a user and add it to our closed group:

$ sudo usermod -a -G securedgroup winston

Our user is named like a pack of cigarettes (or a British Prime Minister).

Set a password for winston:

$ sudo smbpasswd -a winston

After that we will be prompted to enter a new password in order to log in under the newly created account. Do not forget to reboot after that. Now you know how to configure a server with Samba in Ubuntu.

Of course, Samba's features are not limited to creating simple folders. But these simple instructions and examples show what you can do with this program. It is a first step towards understanding server PCs and how to manage them.

Linux is an excellent operating system, but we are not going to get away from Windows, and it is not going away from us either. Windows will always surround us, be it at home, in a corporate network or in an Internet cafe. We constantly deal with documents from Windows computers; after all, not all users prefer to work in Linux. With a Linux server at your disposal, you will in any case need to interact with Windows computers, so we will talk about connecting Linux to Microsoft.

Installing Samba

To install Samba we need to install the samba and samba-client packages. It is also desirable to install the smbfs package. In addition, the system will pull in the samba-common package, which is already installed in the system. All my manipulations will be done on Ubuntu 10.04; the main difference from other distributions is the installation method. For Ubuntu, through the console, it goes like this:

$ sudo apt-get install samba

Or use the Synaptic package manager, which is what I did; this option was more convenient for me, because I could choose from the list the packages that I needed, namely:

    samba

    smbclient

    samba-common

If you have ever used another Linux distribution, you are probably familiar with the LinNeighborhood program. This is a graphical program for viewing Windows network resources. In Ubuntu there is no need for it. First, the standard GNOME tools let you browse Windows networks. Second, I installed LinNeighborhood from one of the Ubuntu repositories out of interest. It turned out that the program Synaptic found is not suitable for use at all (problems with localization). Well, there is no point in sorting that out when there are excellent standard tools that already work.

Basic SAMBA Setup

At this stage we assume that the package is installed. The main Samba configuration file is /etc/samba/smb.conf. Open it and change several parameters. The first is workgroup, which sets the name (of your choice) of the workgroup or NT domain:

workgroup = Myhomegroup

You can also set the comment parameter, a description of your computer:

comment = My Linux Computer

Set the security parameter. If the network is client/server, choose the server value; if it is a peer-to-peer network (i.e. a network without a dedicated server), choose user or share:

security = share

Set the name of the guest account as follows:

guest account = guest

You also need to configure the encodings:

client code page = 866

character set = UTF8

To make Samba work faster, set the following options:

socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

dns proxy = no

The interfaces parameter specifies the interfaces on which the Samba service should run. Specify the interfaces that connect our machine to Windows networks:

interfaces = 192.168.0.22/24

Setting up shared resources

Now it remains to configure the resources that we want to share; this is the [public] section.

# Shared directory
[public]
comment = Public Directory
# path
path = /var/samba
# not read-only
read only = no
# allow writing
writable = yes
# allow guest access
guest ok = yes
# allow viewing the directory contents
browseable = yes

In this case the shared resource of our computer is the /var/samba directory (it needs to be created, because it does not exist by default). Other users will be able to write their files to it (read only = no, writable = yes) and, of course, to read them (browseable = yes). No username or password check is needed to access the resource (guest ok = yes): so-called guest access is used. Other Windows network users will see the comment "Public Directory" when viewing the resources of our computer.

If you need to share ("split") the users' home directories, go to the [homes] section and uncomment all the lines that are commented out with a semicolon, i.e. you should end up with the following:

[homes]
comment = Home Directories
browseable = no
valid users = %S
writable = no
create mask = 0600
directory mask = 0700

Now the user directories will not be visible in the list of shared resources; you can reach them at \\server\username. For example, \\server\petya. If you want the user resources to be browsable, set the browseable parameter to yes:

browseable = yes

After all the changes, save the configuration file and start (or restart) Samba:

$ sudo /etc/init.d/samba start

View Windows network resources

You can view Windows network resources with the smbclient program, but it works in text mode, so it is not very convenient to use. It is much more convenient to browse network resources with the file browser. You can do this through the menu Transfer | Connect with the server ...

Secrets of Samba optimization

Now let's talk about how to make Samba work a little faster. If you open the smb.conf configuration file, you will find the wide links parameter in it. Never set it to no! That significantly reduces Samba's performance. On the contrary, set it to yes (if the wide links parameter has been disabled), which will significantly increase performance.

The wide links parameter determines how Samba follows symbolic links. If wide links = no, Samba will not follow symbolic links that lead outside the exported area. To enforce this, Samba first follows the symbolic link and then performs a so-called directory path lookup (a system call that determines where the link ended up). This takes 6 more system calls than with wide links = yes. Since such operations are performed very often, turning wide links off reduces Samba's performance by approximately 30%. The price of wide links = yes is that a symbolic link inside a share can lead to files outside the exported directory, so the setting trades that containment for speed.

Samba is a program that lets you access network drives on various operating systems over the SMB/CIFS protocol. It has a client part and a server part. It is free software released under the GPL license.

Samba works on most UNIX-like systems, such as GNU/Linux, POSIX-compatible Solaris and Mac OS X Server, on various BSD variants, and on OS/2 and Windows. Samba is included in almost all GNU/Linux distributions, including, of course, Ubuntu.

Installation

To make a shared folder in Ubuntu Desktop, it is enough to right-click the folder and select the menu item "Publish the folder". There is no need to edit any configuration files. Everything described below applies only to manual configuration, for example when creating a file server.

To install, just open the terminal and enter:

sudo apt-get install samba

The application will be downloaded and installed automatically.

Configuration

Using the terminal, make a backup of the primary configuration file:

sudo cp /etc/samba/smb.conf{,.bak}

Now you can edit the /etc/samba/smb.conf settings file. To do so, open it in any text editor with superuser rights, for example:

sudo nano /etc/samba/smb.conf

What follows is, generally speaking, just one specific scenario for using Samba, and in a huge number of cases everything is configured in an entirely different way. The article needs to be corrected to focus on the capabilities of Samba, and not only on using this program as file storage with local authorization. The file storage example would be better moved into a separate detailed article.

An example of Samba configured as a standalone file server with authorization:

; Global server settings
[global]
; General server settings
; The computer name that will be displayed in the network neighborhood
netbios name = main-server
server string =
; Workgroup
workgroup = WORKGROUP
announce version = 5.0
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
passdb backend = tdbsam
security = user
null passwords = true
; username map = /etc/samba/smbusers
name resolve order = hosts wins bcast
; wins support is set to yes if your nmbd(8) in Samba is a WINS server. Do not set this option to yes unless you have several subnets and want your nmbd to work as a WINS server. Never set this parameter to yes on more than one machine within the same subnet.
wins support = no
; Printer support
printing = cups
printcap name = cups
; Log file
log file = /var/log/samba/log.%m
syslog = 0
syslog only = no
; Binding to the interfaces to listen on; if not set, all interfaces are listened on
; interfaces = lo, eth0
; bind interfaces only = true
;
;
; path = /var/lib/samba/printers
; browseable = yes
; guest ok = yes
; read only = yes
; write list = root
; create mask = 0664
; directory mask = 0775
;
;
; path = /tmp
; printable = yes
; guest ok = yes
; browseable = no
;
;
; path = /media/cdrom
; browseable = yes
; read only = yes
; guest ok = yes
; Hard disk share
; The name of the share as seen by clients
; Path to the shared disk
path = /media/sda1
; Whether it can be browsed
browseable = yes
read only = no
guest ok = no
create mask = 0644
directory mask = 0755
; Binding to a specific user name or group, names separated by spaces
; force user = user1 user2
; force group = group1 group2
; Another hard disk, by analogy with the one above
path = /media/sde1
browseable = yes
read only = no
guest ok = no
create mask = 0644
directory mask = 0755
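A small audit of the settings used in the configurations above (guest-writable shares, wide links = yes, null passwords = true, security = share), written in Python as an added example that is not part of the original articles or of Samba. The share names [access] and [closed], the finding labels and both sample files are constructed for illustration.

```python
import configparser

TRUE = {"yes", "true", "1"}

# Constructed sample: settings quoted on this page; share names are assumed.
WEAK_CONF = """
[global]
    workgroup = WORKGROUP
    security = user
    map to guest = bad user
    null passwords = true
    wide links = yes

[access]
    path = /samba/access
    guest ok = yes
    writable = yes

[closed]
    path = /samba/access/closed
    valid users = @securedgroup
    guest ok = no
    writable = yes
"""

# The same file with the findings addressed (constructed).
FIXED_CONF = """
[global]
    workgroup = WORKGROUP
    security = user
    map to guest = bad user
    wide links = no

[access]
    path = /samba/access
    guest ok = yes
    read only = yes

[closed]
    path = /samba/access/closed
    valid users = @securedgroup
    guest ok = no
    writable = yes
"""


def _key(name):
    # smb.conf ignores case and whitespace in parameter names.
    return "".join(name.lower().split())


def parse_smb_conf(text):
    """Return {section: {normalized parameter: lower-cased value}}."""
    parser = configparser.RawConfigParser(
        strict=False, allow_no_value=True,
        delimiters=("=",), comment_prefixes=("#", ";"))
    parser.optionxform = _key
    # Strip indentation so configparser does not read it as a continuation line.
    parser.read_string("\n".join(line.strip() for line in text.splitlines()))
    conf = {}
    for section in parser.sections():
        params = {}
        for key, value in parser.items(section):
            value = (value or "").strip().lower()
            if key in ("writable", "writeable", "writeok"):
                # These are inverted synonyms of "read only".
                key, value = "readonly", "no" if value in TRUE else "yes"
            elif key == "public":
                key = "guestok"  # synonym of "guest ok"
            params[key] = value
        conf[section.lower()] = params
    return conf


def audit(text):
    """List (section, finding) pairs for the risky settings discussed above."""
    conf = parse_smb_conf(text)
    glob = conf.pop("global", {})
    findings = []
    if glob.get("security") == "share":
        findings.append(("global", "share-level security"))
    if glob.get("nullpasswords") in TRUE:
        findings.append(("global", "null passwords allowed"))
    for name, params in conf.items():
        eff = {**glob, **params}  # [global] values are the defaults for every share
        if eff.get("guestok") in TRUE and eff.get("readonly", "yes") not in TRUE:
            findings.append((name, "guest can write"))
        if eff.get("widelinks") in TRUE:
            findings.append((name, "symlinks may leave the share"))
    return findings


if __name__ == "__main__":
    for section, finding in audit(WEAK_CONF):
        print(f"[{section}] {finding}")
```

Because share sections inherit from [global], a single wide links = yes or guest ok = yes there is reported for every share that does not override it.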

Now you have to deal with users.

Samba uses users that already exist in the system. Take, for example, the user name user and assume it already exists in the system; you need to add it to the SMB database and assign a password for access to the shared resources. Do this with the command:

smbpasswd -a user

You will be prompted to enter a password, and the user will be added to the database. Now this user has to be enabled:

smbpasswd -e user

Next, create an alias for the user name user to simplify access from Windows machines, on which we have, for example, a user named Admin. To do this, create and edit the /etc/samba/smbusers file:

sudo touch /etc/samba/smbusers
sudo gedit /etc/samba/smbusers

Enter a couple of lines into the file:

# Unix_name = SMB_name1 SMB_name2
user = Admin

That completes the setup; restart Samba.

Install the simplest GUI for Samba with the command:

sudo apt-get install system-config-samba

Start it with the command:

sudo system-config-samba

It writes all changes to the Samba configuration file.

For remote administration Samba as a Web interface for Samba is perfectly suitable

Nowadays you can quite often find computers running Linux and Windows on the same local network. The reasons for such a symbiosis vary: for example, the owners of an Internet cafe did not have enough funds to buy a licensed OS for all the computers, or the system administrator was simply attracted by the strengths of Linux. The popularity of Microsoft operating systems is largely determined by client software for Windows. It is no secret that this software sector is very well developed. Many firms have put serious effort into it and created really good and, most importantly, easy-to-use programs that an ordinary user can master easily. But as a server, the position of Windows is no longer so clear-cut. A UNIX server is traditionally distinguished by reliability, stability in operation, security and often lower system resource requirements. In any case, simply connecting computers with different software platforms to the network will not give the expected result. The problem is that these two systems organize network resources on different, mutually incompatible principles.
Since there is no point in waiting for favors from Microsoft, and Windows is unlikely to learn to work with the UNIX network file system (NFS) using standard tools, and, to be honest, I do not know of third-party programs for this, the most popular approach is to teach UNIX to "pretend" to be Windows NT.

Computers running Windows interact over the network using the SMB (Server Message Block) protocol. It handles opening and closing, reading and writing, and searching for files, creating and deleting directories, and submitting print jobs and removing them from the queue. Everything needed for this is implemented on UNIX-like operating systems by the Samba package. Its capabilities fall into two categories: providing resources (meaning access to the system's printers and files) to Windows clients, and accessing the clients' resources. That is, a computer running Linux can act as both server and client. To begin with, consider the Samba server side.

What must Samba provide for normal operation in a network of Windows machines? First, access control, which can be implemented either at the resource level (share level), where a password and the corresponding rules of use (for example, read-only) are assigned to a resource on the network and the user name has absolutely no significance; or, in a more advanced and flexible way, at the user level, where an account is created for each user that contains, in addition to the name and password, all the necessary information about the rights of access to the resource. Before accessing a resource, each user passes authentication and is then granted rights according to the account. Second, it is necessary to emulate the access rights defined by the file system. The point is that access rights to files and directories are organized differently in the systems in question. UNIX traditionally has three categories of file users: owner, group and other. Each of them can be granted read, write and execute rights. In Windows NT the access system is somewhat more flexible: access is granted to multiple groups or users, and the corresponding access rights are defined separately for each subject. Therefore it is impossible to fully emulate the NTFS access rights with Samba.

With clients running Windows 9x the situation is different. Since the days of grandfather DOS, because the system was single-user and there could be no question of users, let alone groups, the FAT file system has defined only four attributes: read only, system, archive and hidden. On top of that, in Windows, unlike UNIX, the file extension has a special meaning: files intended for execution have the extensions .exe, .com or .bat. When copying files from UNIX machines to computers running Windows, the attributes are set as follows:

read only - read, write for the owner;

archive - execute for the owner;

system - execute for the group;

hidden - execute for the group.

A network of Windows machines can be organized as a workgroup, where the computers are independent of each other and each has its own password and login database with its own security policy, or as an NT domain, where the whole database for authenticating users and computers is managed centrally by the primary domain controller (PDC). Samba lets you restrict access at all these levels and performs the functions of the "master browser" in the context of a workgroup, or of a domain controller.

That settles the organizational questions. Now let's look at how to set up and configure a Samba server on Linux specifically. A Samba server needs two daemons running: smbd, which provides the print service and file sharing for Samba clients (such as Windows of all flavors), and nmbd, which provides the NetBIOS name service (it can also be used to query other name service daemons). Clients are accessed over TCP/IP. As a rule, Samba is installed along with the Linux distribution. How to check? Just run the command:

$ whereis samba

and you must get something like this:

Samba: / usr / samba / samba / etc / samba / samba/share/man/man7/samba.7.gz

If it turns out not to be in the standard distribution, then welcome to ftp://ftp.samba.org/pub/samba/samba-latest.tar.gz or practically any server with programs for Linux. The package is easy to install, so in order not to take up space we assume that it is installed. Now let's check whether the daemon is running:

$ ps -aux | grep smbd
root 1122 0.0 0.6 4440 380 ? S 16:36 0:00 smbd -D

Mine, as you can see, is already running. If yours is not and you want it to start when the system boots, then in Linux Mandrake, for example, check the corresponding item in DrakConf - Start Services, or in Red Hat in Control Panel - Service Configuration; this is usually enough. Or start it manually: /etc/rc.d/init.d/smb start. The only Samba configuration file is called smb.conf and is usually located in the /etc directory (although in ALT Linux, for example, it lies in the /etc/samba directory). Samba reads it every 60 seconds, so changes made to the configuration take effect without a restart, but do not apply to connections that are already established.

That is what I love Linux for: configuration files are ordinary text (and well commented inside, too), and to use most of the parameters it is enough to uncomment the corresponding line. The smb.conf file is no exception. It consists of named sections, each starting with the section name enclosed in square brackets. Inside each section there are a number of parameters in the form key = value. The configuration file contains four special sections:, and individual resources (shares). As the name implies, the global section contains the most general settings, which are used everywhere but can be overridden in the sections for individual resources. Some parameters of this section relate to configuring the Samba client side.

Typical settings of the global section:

# Name of the workgroup
workgroup = name_group
# Name of the server on the network
netbios name = Server
# Comment that is visible in the network viewer properties window
server string = Comment
# Guest login is allowed (guest ok = no - guest login is prohibited)
guest ok = yes
# Name under which guest login to the system is allowed
guest account = nobody
# Access level: user - at the user level
security = user

security = share means authentication based on the name and password. When the password database is stored on another SMB server, use the values security = server and password server = Name_Server_NT. If the server is a member of a domain, use the value security = domain; the access password is specified in the file defined with the smb passwd file = /path/to/file option.

In addition, both encrypted and unencrypted (plain-text) passwords can be used at logon. The latter are used in old Windows versions (Windows for Workgroups, Windows 95 (OSR2), all versions of Windows NT 3.x, Windows NT 4 (up to Service Pack 3)). To enable encrypted passwords, use the option encrypt passwords = yes. Pay special attention to this option. In older Linux distributions that were created in the Windows 95 era (with an older Samba version), password encryption is disabled by default, and Samba before version 2.0 does not support this mode at all (by the way, this option and similar ones, those that do not concern access to specific resources, are also used by the client).

To display Russian file names correctly, the following options are needed: client code page = 866 and character set = KOI8-R. In well-localized distributions, for example derivatives of Mandrake and Russian ones, these lines are already present, and sometimes it is enough to uncomment them, but in most others you have to add them yourself.

The interfaces = 192.168.0.1/24 option specifies which network (interface) the program should work on if the server is connected to several networks at once. With bind interfaces only = yes set, the server will respond to requests only from these networks.

hosts allow = 192.168.1. 192.168.2. 127. - specifies the clients that are allowed to access the service.

In the global section various variables can be used to make the server more flexible. Once a connection is established, they are replaced by real values. For example, in the directive log file = /var/log/samba/%m.log the %m variable yields a separate log file for each client machine. Here are the most common variables used in the global section:

%a - OS architecture on the client machine (possible values - Win95, Win NT, Unknown, etc.);

%m - NetBIOS name of the client's computer;

%L - NetBIOS name of the Samba server;

%v - Samba version;

%I - the IP address of the client's computer;

%T - date and time;

%u - the name of the user working with the service;

%H - home directory of user %u.

The include directive can also be combined with the variables above for more flexible configuration. For example: include = /etc/samba/smb.conf.%m - now, on a request from the computer sales, if the file /etc/samba/smb.conf.sales exists, the configuration is taken from that file. If there is no separate file for a machine, the common file is used for it.

There is another interesting possibility: creating a virtual server. To do this, use the netbios aliases parameter:

netbios aliases = sales accounting admin

Now tell Samba to use a separate configuration file for each virtual server:

include = /etc/samba/smb.conf.%L

Three servers will be visible in the network browser window: sales, accounting, admin.

Enabling the preserve case and short preserve case parameters makes the server keep all the information entered with its character case (in Windows case does not matter; in all UNIX systems it does).

The [homes] section lets users connect to their home directories without describing them explicitly. When a client requests its directory //sambaserver/sergej, the machine looks for the corresponding description in the file and, if it does not find one, checks whether this section is present. If the section exists, the password file is searched for the home directory of the requesting user, and if it is found, it is made available to the user.

A typical description of this section looks like this:

# Comment that is visible in the network properties window
comment = Home Directories
# Determines whether the resource is shown in the browse list
browseable = no
# Allows (no - prohibits) writing to the home directory
writable = yes
# Access rights for newly created files
create mode = 0750
# The same, but only for directories
directory mode = 0775

After configuring the default settings, you can create network resources that a specific user or group of users can access. Such a resource is created from an already existing directory; for this we write in the file:

comment = Public Stuff
path = /home/samba
public = yes
writable = no
printable = no
write list = administrator, @sales

The path parameter points to the directory where the resource is located; the public parameter specifies whether a guest can use the resource, and printable whether the resource can be used for printing. The write list parameter identifies the users who are allowed to write to the resource regardless of the writable value (in this example, the user administrator and the sales group). The opposite list, read list, can also be used. If some files need to be hidden, in UNIX/Linux the file name must start with a dot (the hide dot files parameter, which controls the display of hidden files, defaults to yes). In addition, you can specify name patterns for hidden files with the hide files parameter. Each pattern begins and ends with a slash (/) and may contain characters used in regular expressions. For example: hide files = /*.log/??.tmp/. Windows users get around such tricks simply by turning on the Explorer mode "Show hidden and system files". To reliably restrict the availability of (or the ability to delete) a file or directory, use the veto files and delete veto files parameters.
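How valid users, writable and write list combine with the directory permissions set by chown and chmod, for the open and closed folders configured earlier on this page and the Public Stuff resource above. This is an added sketch in Python, not Samba's own logic or code from the articles; it assumes no force user is set, so Samba touches the files as the connecting Unix account (guests as nobody), and the user olga and the support group are hypothetical.

```python
import re

RANK = {"none": 0, "read": 1, "write": 2}

# Shares and directories as configured on this page: (share parameters, (mode, owner, group)).
ACCESS = ({"writable": "yes"}, (0o755, "nobody", "nogroup"))
CLOSED = ({"valid users": "@securedgroup", "writable": "yes"},
          (0o770, "richard", "securedgroup"))
PUBLIC_STUFF = {"writable": "no", "write list": "administrator, @sales"}


def listed(value, user, groups):
    """True if user, or one of its groups via an @group entry, is in a name list."""
    for entry in re.split(r"[,\s]+", value.strip()):
        if entry.startswith("@") and entry[1:] in groups:
            return True
        if entry and entry == user:
            return True
    return False


def share_access(share, user, groups):
    """Share-level decision from valid users, writable, write list and read list."""
    valid = share.get("valid users", "")
    if valid and not listed(valid, user, groups):
        return "none"                      # not allowed to connect at all
    if listed(share.get("write list", ""), user, groups):
        return "write"                     # granted even when writable = no
    if listed(share.get("read list", ""), user, groups):
        return "read"                      # capped even when writable = yes
    return "write" if share.get("writable", "no") == "yes" else "read"


def unix_access(mode, owner, group, user, groups):
    """Directory access from permission bits: one class applies (owner, group or other)."""
    if user == owner:
        bits = (mode >> 6) & 7
    elif group in groups:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    if not bits & 1:
        return "none"                      # no search (x) bit: cannot enter
    if bits & 2:
        return "write"
    return "read" if bits & 4 else "none"


def effective(share, directory, user, groups):
    """The weaker of the share-level and file-system results is what the client gets."""
    by_share = share_access(share, user, groups)
    by_fs = unix_access(*directory, user, groups)
    return min(by_share, by_fs, key=RANK.get)


if __name__ == "__main__":
    print(effective(*CLOSED, "winston", {"securedgroup"}))
    print(effective(*ACCESS, "winston", {"securedgroup"}))
```

The second call shows why the open folder is writable for guests but not for winston: the share says writable = yes, but the directory is 0755 and owned by nobody.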

With CD drives the situation is somewhat more complicated. UNIX-like systems have no concept of a disk drive as such: to access the device, it must first be mounted into the directory tree (# mount -t iso9660 /dev/cdrom /mnt/cdrom), and after use, so as not to damage the file system, it must be unmounted (# umount /dev/cdrom); otherwise the drive simply will not release the disc. If the autofs daemon is running on the server, the problem is easily solved. So that a device that has not been used for some time is unmounted automatically, set the desired timeout value in the /etc/auto.master file. For example:

/mnt/auto /etc/ --timeout=5

(Such a line is already there; only the value needs to be reduced.) Then set the parameters for the corresponding device in the /etc/auto.tab file:

cdrom -fstype=auto,ro :/dev/cdrom

Finally, add the following lines to /etc/smb.conf to make this resource available:

path = /mnt/cdrom
writable = no

The second option is to use the preexec and postexec directives, which specify the commands to be run when the resource is accessed and after disconnecting from it (these parameters can be set for any resource and even in the [global] section, which opens up great opportunities).

path = /mnt/cdrom
read only = yes
# only root has the right to mount the resource
root preexec = mount /mnt/cdrom
root postexec = umount /mnt/cdrom
# naturally, these mount points must be described in the /etc/fstab file; otherwise you must specify the rest of the data.

Now the CD-ROM is mounted automatically when the resource is accessed, and sometimes unmounted. The problem is that the decision to close the resource has to be made by the server; clients, as a rule, do not report it. Usually this happens because several users are using the resource at once, or a file on the resource has been left open on one of the computers (device busy). As a result the CD-ROM is not unmounted automatically, and the only acceptable way to free the resource is to use the smbstatus utility to find the number of the process using it and kill that process with the command # kill PID_number (or kill -s HUP PID_number).

Having set the necessary configuration, now create user accounts (except for the guest login with the minimal rights of nobody). To identify users, Samba uses the /etc/samba/smbpasswd file, which contains user names and encrypted passwords. Because the encryption mechanism used in networks of Windows machines is not compatible with the standard UNIX mechanisms, a separate utility, smbpasswd, is used to fill the password file.

# useradd -s /bin/false -d /home/samba/sergej -g sales sergej
# smbpasswd -a sergej
# smbpasswd -e sergej

This example adds a new user sergej, belonging to the group sales, with a dummy shell (alternatives: /sbin/nologin, /dev/null) and the home directory /home/samba/sergej. We then create a password for the user sergej and, as the last step, enable the user's access, because it is disabled by default. There is one interesting point that can sometimes be confusing. When connecting to the Samba server from a computer running Windows NT/2000, the user is asked, as expected, for a login and password; if a computer running Windows 9x/Me is used, the user is asked only for the password, and the login is formed automatically from the registration name.

You can also map several Windows users to one Linux/UNIX user. To do this, create the mapping file /etc/smbusers.map, in which each mapping occupies one line:

user_linux = user_win1 user_win2 user_winN

In the [global] section, add the line username map = /etc/smbusers.map. The Windows user must then log in with the password of the user to which it is mapped.

With Samba you can also set up network printing from computers running Windows (if a separate print server is planned, a machine based on a 486 processor may be enough).

To do this, add the following lines to the [global] section:

# file describing the printers connected to the system
printcap name = /etc/printcap
# load the list of printers automatically
load printers = yes
# print system (for Linux, BSD can also be used)
printing = lprng

# directory in which print jobs are placed
path = /var/spool/samba
browseable = yes
printable = yes
read only = yes

After creating the file, test it with the testparm utility. Unfortunately, this program can detect only syntax errors, not logical ones, so there is no guarantee that the services described in the file will work correctly (testing prints all settings, including those left at their defaults, so review the result carefully). But if the program does not complain, you can hope that the file will load without problems at startup. The printers listed in the /etc/printcap file can be checked for correct operation with the Samba server using the testprns utility. Also, do not forget about the .log files: if there are problems, you can sometimes find the solution there.

Now for some good news. Configuring Samba is a rather complicated procedure, but the distribution ships with a web-based administration tool, swat (Samba Web Administration Tool). SWAT runs as a service or under the Apache server and is designed for editing the smb.conf file, as well as for checking status, starting and stopping the Samba daemons, and changing user passwords. To run as a service, the /etc/services file must contain the line swat 901/tcp, and the /etc/inetd.conf file the line swat stream tcp nowait.400 root /usr/local/samba/bin/swat swat (this applies if the inetd network daemon is used, as a rule in old distributions; modern distributions use a more secure option, xinetd). To use SWAT with xinetd, create a file named swat in the /etc/xinetd.d directory with the following content:

service swat
{
    disable = no
    port = 901
    socket_type = stream
    wait = no
    # allow connections only from the local machine
    only_from = 127.0.0.1
    user = root
    server = /usr/sbin/swat
    log_on_failure += USERID
}

Now, to start SWAT, enter in the browser window:

http://localhost:901

But before this, be sure to create the user admin by the method described above. And never start the Samba service as root.

After any changes to the smb.conf file, the daemon sometimes needs to be restarted:

# /etc/rc.d/init.d/smb restart

If, after all of the above, access to the Samba resources still does not work, the following utilities will help with further configuration: ping (to check that a host is reachable on the network), nmblookup (to query NetBIOS names) or, as a last resort, tcpdump. And do not forget about access rights: by assigning a user a directory such as /gde/to/w/glubine, you also give that user the ability to read (the execute right) the directories above it.

Now let's talk about using the Samba client, because we (Linux users) also want to work with Windows network resources. To find out which resources are available, enter the command /usr/bin/smbclient -L host_name. The program will ask for a password; in most cases it is enough to press Enter. Now, to connect to the desired resource, enter the computer name and the required resource. For example:

# /usr/bin/smbclient \\\\alex\\sound

(Here we try to connect to the sound folder on the computer alex.) If the command is entered correctly and such a network resource exists, you should be prompted for a password. Enter it, or press Enter if no password is needed for access. In response you will get the Samba client prompt: smb: \>. From here on, work is done with a set of commands that perform all the necessary file operations (copying, creating, moving and so on). For help, enter smb: \> help. This mode is somewhat inconvenient, so in most cases the smbfs module, which is included in Samba, is used; in the oldest distributions, however, the kernel may have been built without smbfs support, and then it will have to be rebuilt. To mount the required resource, type something like this:

mount -t smbfs -o username=user,password=123456,iocharset=koi8-r,codepage=866 //alex/sound /mnt/sound

If you do not specify the user name and password, the system will ask for them itself. Do not forget that anyone who views the ~/.bash_history file can learn the password from the commands you typed. Another subtlety: while the smbclient program displays files with Russian names correctly, the smbfs module sometimes pays absolutely no attention to the encoding, even if you specify it explicitly. They say this can be corrected by a patch, but I haven't found one for my Red Hat yet.
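The exposure described above can be checked for mechanically. The following is an added example, not code from the original article: it scans shell-history and fstab lines for SMB passwords typed inline and reports them with the secret redacted. The sample lines are constructed, and the smbclient -U user%password form goes beyond the mount command shown in the text.

```python
import os
import re

# Constructed sample: shell-history and fstab style lines modelled on this page.
SAMPLE_LINES = [
    "ls -l /mnt/sound",
    "mount -t smbfs -o username=user,password=123456,iocharset=koi8-r,codepage=866 //alex/sound /mnt/sound",
    "smbclient //alex/sound -U guest",
    "smbclient //alex/sound -U sergej%Secret1",
    "//alex/sound /mnt/alex/sound smbfs rw,noauto,username=guest,password=guest 0 0",
    "mount -t cifs -o credentials=/root/.smbcred //alex/sound /mnt/sound",
]

# password=... or pass=... inside a mount option list (not e.g. "nopass=").
OPTION_PASSWORD = re.compile(r"(?<![\w.-])(password|pass)=([^,\s]+)", re.I)
# smbclient style "-U user%password".
CLIENT_USER = re.compile(r"(-U\s*|--user[= ])([^\s%]+)%(\S+)")
# Only look at lines that are about SMB: the tools, the fs types, or //host/share.
SMB_CONTEXT = re.compile(r"\b(?:smbfs|cifs|smbmount|smbclient)\b|^\s*//")


def redact(line):
    """Return the line with any inline SMB password replaced by <redacted>."""
    line = OPTION_PASSWORD.sub(lambda m: m.group(1) + "=<redacted>", line)
    return CLIENT_USER.sub(
        lambda m: m.group(1) + m.group(2) + "%<redacted>", line
    )


def find_inline_passwords(lines):
    """Return (line_number, redacted_line) for every line exposing a password."""
    hits = []
    for number, line in enumerate(lines, start=1):
        if SMB_CONTEXT.search(line) and (
            OPTION_PASSWORD.search(line) or CLIENT_USER.search(line)
        ):
            hits.append((number, redact(line)))
    return hits


def scan_file(path):
    """Scan one text file (a shell history or /etc/fstab) for inline passwords."""
    with open(path, encoding="utf-8", errors="replace") as handle:
        return find_inline_passwords(handle.read().splitlines())


if __name__ == "__main__":
    for number, line in find_inline_passwords(SAMPLE_LINES):
        print(f"sample:{number}: {line}")
    for path in (os.path.expanduser("~/.bash_history"), "/etc/fstab"):
        if os.path.isfile(path) and os.access(path, os.R_OK):
            for number, line in scan_file(path):
                print(f"{path}:{number}: {line}")
```

With mount.cifs, the credentials=FILE option pointing at a file readable only by its owner (mode 0600) keeps the password out of both the shell history and /etc/fstab.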

If you want the SMB resource to be mounted automatically when the system starts, add a line roughly like this to the /etc/fstab file:

//[Email Protected]/sound /mnt/alex/sound smbfs rw,noauto 0 0

In this example, the sound network resource on the computer alex is mounted, as the user guest, in the /mnt/alex/sound directory with write access to that directory (if the resource supports this user; if this user has access only with a password, do not worry: you will certainly be asked for it). By the way, the Samba client sees hidden network resources perfectly well, that is, those whose network name ends with $.

As you can see, you have to work at the command line, which fills the modern user with quiet horror. Here the open source world has met the user halfway: many utilities have been created that let you work with Samba resources in a more familiar way, by pressing buttons in graphical shells. The most popular program, included in the Mandrake distribution and its derivatives as well as in Debian, is gnomba. In any case, it can be found on most servers carrying software for Linux (I definitely saw it on ftp://ftp.altlinux.ru/). This utility lets you browse the available network resources and, if necessary, mount them on the desired directory; mounting is possible with a login and password specified for the resources that require them. It can launch a file manager on mounting (gmc by default), create directories for mounted resources, scan automatically when the program starts (using the SMB protocol by default) and scan by IP address (using the WINS protocol). For unclear reasons, in some distributions network resources were not displayed when scanning with the SMB protocol, so I always use the second method; it works correctly, and you only need to set the range of IP addresses to scan (if you know it). To display Russian file names correctly, do not forget to select KOI8-R fonts in the Options > Font selection tab, and also check the lines specifying the Cyrillic encoding in the smb.conf file (see above).

While gnomba can only mount and unmount resources, the xsmbrowser program lets you enter them as if they were folders on the local computer. True, I have not yet managed to make this program understand files with Russian names, but there is also a positive side: while the program is running, all mount commands and the various network requests are shown on the console, which makes them easy to understand. The KDE developers have also made an effort: the Samba Status utility, available through Preferences > Information, displays all connections to and from the local computer and is also convenient for viewing .log files. The komba utility, which can be found at http://linux.tucows.com/, presents similar information.

As much as I would like to tell you more, a magazine is a magazine: not everything will fit. From here on, the ever-present man and info will come to your aid. All the necessary reference information can also be obtained from the SWAT utility, and in Red Hat 7.3 I found the book Using Samba by Robert Eckstein (it is in English, which is the bad news; it is completely free, which is the good news: /usr/share/swat/using_samba), which is also accessible from SWAT. In the /usr/share/doc/samba directory you can find additional documentation, FAQs and examples of configuration files. On various forums you can find quite contradictory opinions about how Samba works, from extremely negative to complete delight. Personally, I am on the side of this Windows NT emulator; besides, according to test results on the same hardware, a Samba server shows performance approximately 25-30% higher than a computer running the Microsoft system. Good luck.

Samba is a program that lets you access network drives on various operating systems using the SMB/CIFS protocol. It has a client part and a server part. It is free software, released under the GPL license.
Samba works on most UNIX-like systems, such as GNU/Linux, POSIX-compatible Solaris and Mac OS X Server, on various BSD versions, and on OS/2 and Windows. Samba is included in almost all GNU/Linux distributions, including, of course, Ubuntu.
Installation

To share a folder in Ubuntu Desktop, it is enough to right-click the folder and select the "Publish folder" menu item. No configuration files need to be edited. Everything described below applies only to manual configuration, for example when creating a file server.
To install, just open the terminal and enter:

sudo apt-get install samba

The application will be automatically loaded and installed.

Configuration

Using the terminal, make a backup of the initial configuration file:

sudo cp /etc/samba/smb.conf{,.bak}

Now you can edit the /etc/samba/smb.conf settings file; to do this, open it in any text editor with superuser rights. For example:

sudo nano /etc/samba/smb.conf

Samba setup example as a standalone file server with authorization:

; Global server settings
[global]
; The name of the computer that will be displayed in the network neighbourhood
netbios name = main-server
server string =
; Workgroup
workgroup = WORKGROUP
announce version = 5.0
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
passdb backend = tdbsam
security = user
null passwords = true
; username map = /etc/samba/smbusers
name resolve order = hosts wins bcast
; Set wins support to yes if your nmbd(8) in Samba is a WINS server.
; Do not set this option to yes unless you have several subnets and want your nmbd to act as a WINS server.
; Never set this parameter to yes on more than one machine within the same subnet.
wins support = no
; Printer support
printing = CUPS
printcap name = CUPS
; Log file
log file = /var/log/samba/log.%m
syslog = 0
syslog only = no
; Binding to the interfaces to listen on; if not set, all interfaces are listened on
; interfaces = lo, eth0
; bind interfaces only = true
;
;
; path = /var/lib/samba/printers
; browseable = yes
; guest ok = yes
; read only = yes
; write list = root
; create mask = 0664
; directory mask = 0775
;
;
; path = /tmp
; printable = yes
; guest ok = yes
; browseable = no
;
;
; path = /media/cdrom
; browseable = yes
; read only = yes
; guest ok = yes
; Hard disk share
; The share name is visible to clients
; Path to the shared disk
path = /media/sda1
; Whether the share can be browsed
browseable = yes
read only = no
guest ok = no
create mask = 0644
directory mask = 0755
; Binding to a specific user name or group, names separated by spaces
; force user = user1 user2
; force group = group1 group2
; Another hard disk, by analogy with the one above
path = /media/sde1
browseable = yes
read only = no
guest ok = no
create mask = 0644
directory mask = 0755

Now you have to deal with users.

Samba uses users that already exist in the system. Take, for example, the user name user and suppose it already exists in the system; you need to add it to the SMB database and assign a password for access to the shared resources. Do this with the command:

smbpasswd -a user

You will be prompted to enter a password and the user will be added to the database; now this user must be enabled.

smbpasswd -e user

Next, create an alias for the user name user to make access easier from a Windows machine on which, for example, the user is named Admin. To do this, create and edit the file /etc/samba/smbusers:

sudo touch /etc/samba/smbusers
sudo gedit /etc/samba/smbusers

Enter a pair of lines in the file:

# unix_name = smb_name1 smb_name2
user = Admin

This completes the setup; restart Samba.

SAMBA File Server for Windows Network

Very often, Samba is used to create a file server in Windows network.

File Server in Active Directory Domain

To create a file server integrated into an Active Directory domain, you first need to join your Ubuntu machine to the domain. A separate article is devoted to this:

To create a file server you do not need to configure PAM; it is enough to add domain users and groups to the system through Winbind.

After successfully joining the domain, you only need to configure the shared resources on your computer.

One very important thing must be noted right away: Samba tries to map Windows file permissions onto UNIX permissions, but because the mechanisms for assigning them differ fundamentally, this is not always possible. Note that file permissions are always, in every case, controlled by the file system on the Ubuntu computer; Samba can only adapt to them, not change their behaviour.

Therefore, by default the access control options on shared resources are very meagre: different rights for the owner, the group and everyone else. However, this is easily fixed by adding POSIX ACL support to your file system. You can then assign different rights to different users and groups, practically as in Windows.

POSIX ACL support exists at least in ext3/4; to activate it you simply need to add the acl parameter to the mount options.

It is important that the directory you want to share through Samba is on a disk mounted with the acl option. Otherwise you will not be able to make proper use of the mechanism for differentiating file access rights on the shares.

There is another very important point: POSIX ACLs do not support inheriting access rights from parent directories, whereas Windows has this feature. Samba therefore implements an additional mechanism for storing information about inherited access rights, which uses extended file system attributes. So, for Samba to handle rights inheritance correctly, in addition to acl you need to add the user_xattr parameter to the file system mount options; it is this parameter that enables support for extended attributes.

For example, I always use separate LVM volumes for shared resources, and the fstab lines for them look like this:

/dev/mapper/data-profiles /var/data/profiles ext3 defaults,noexec,acl,user_xattr 0 2

The noexec option is needed because Linux executables should, with 100% certainty, never be on shares intended for Windows, and an extra safeguard does no harm.

To work with ACL on Ubuntu, you need to install the package of the respective utilities:

sudo aptitude install acl

You can then view the extended rights (that is, the ACL) of a file or directory with the command

getfacl file

and set them with the command

setfacl file

Just in case, I want to point out that the POSIX ACL mechanism has nothing to do with Samba; it is simply an add-on to the standard Linux mechanism for differentiating rights. Accordingly, Samba can use it but cannot change or bypass it in any way.

To work with extended file system attributes you will need a package of utilities very similar to acl, namely attr, which can be installed with the command

sudo aptitude install attr

To view extended attributes, use the command

getfattr file

and to set them

setfattr file

However, there is one small snag. Samba stores all the information about inheritance in binary form in a single extended attribute, user.SAMBA_PAI. So you will not be able to change anything with setfattr, other than deleting the extended attributes completely (which is sometimes necessary).

As for controlling the inheritance of rights, you will have to do that from a Windows machine with that system's standard tools, or with the smbcacls utility, if you can figure out how to use it.

There is also an experimental VFS module, acl_xattr, that allows NT ACLs to be stored completely in extended attributes. Unfortunately there is no documentation on it, so it is hard to say anything definite about it. Samba 4 is expected to have fully integrated support for NT ACLs; until then you can use what there is.

If you have something to add about extended attributes in Samba and methods of working with them - be sure to write on this topic on the forum. I would be grateful for any references, articles and comments on the topic.

In addition, extended file system attributes allow you to include in Samba full support for DOS file attributes, such as hidden, archive, etc.

So, let us assume that you have a directory in the system that you want to share via Samba (and it is on a disk mounted with acl and user_xattr support). Now you need to configure sharing for it properly. To do this, add the appropriate information to the /etc/samba/smb.conf file.

Let's start with general settings that can be added to the [global] section of this file (these are not all the possible parameters, just a few of the more useful ones):

# Disable printer sharing, if of course you really do not want to share them.
# For a complete shutdown you need to specify all 4 lines below
load printers = no
show add printer wizard = no
printcap name = /dev/null
disable spoolss = yes
# Hide files with the following names when viewed from Windows
hide files = /$RECYCLE.BIN/desktop.ini/lost+found/Thumbs.db/
# Use the following UNIX user as the guest for publicly accessible shares
guest account = nobody
# Treat unregistered users as guests
map to guest = Bad User
## Settings that use extended file system attributes
# Handle rights inheritance using extended FS attributes
map acl inherit = yes
# Use extended FS attributes to store DOS attributes
store dos attributes = yes
# Disable the mapping of DOS attributes to UNIX rights, which is on by default
# According to man smb.conf, these options must be turned off when extended attributes are used
map archive = no
map system = no
map hidden = no
map readonly = no

Now the settings of the shared resource itself. Mine is called profiles, and physically, on the Ubuntu machine, it is located at /var/data/profiles:

[profiles]
comment = User Profiles
# Path to the folder being shared
path = /var/data/profiles/
# Users with unlimited access rights to the share
# For me this is the domain administrators group.
# When working with files, these users are treated as the local root
admin users = "@DOMAIN\domain administrators"
# Hide folders to which the user has no access
hide unreadable = yes
# Access is not read-only
read only = no
# Masks for created files - can be set as desired
#create mask = 0600
#directory mask = 0700
# Disable locking - it is better to turn it off
locking = no

There are many other options - for details you should contact the SAMBA documentation.

Do not forget to set the right owner and access rights on the folder you are sharing; otherwise, whatever the Samba settings, writing to it may be prohibited at the level of Linux permissions. I usually do this:

sudo chmod ug+rwx /var/data/profiles
sudo chown root:"domain users" /var/data/profiles

Note that because your Ubuntu machine has been joined to the domain, you can use domain users and groups as file owners directly in Ubuntu.

Check the Samba configuration with the command

testparm

After that, restart Samba:

sudo /etc/init.d/samba restart

Now you can get access to a shared resource from any domain machine.

By the way, do not forget about the SGID and sticky bits for directories. They let you inherit the owning group and prevent users from deleting files that are not theirs, which can be very convenient for multi-user storage. However, unlike editing rights from Windows, you cannot change these bits on folders in a shared resource from there; it can only be done manually, directly on the Ubuntu computer.

Among other things, Samba lets you organize the storage of previous versions of files, which is sometimes useful when creating shared resources with user data.

Standalone File Server

Not everyone has an Active Directory domain. Therefore it is often necessary to set up standalone file storage on a Linux machine with its own authorization system. This is very simple to do.

The main feature of organizing file storage this way is that all user information is stored in the Samba database; accordingly, users have to be added to and removed from Samba manually.

The most important thing is to decide on the method of access to the resource. To change it, set the value of the security parameter in the [global] section of the /etc/samba/smb.conf file accordingly. You can read more about this parameter in the official documentation.

Usually share or user is used.

Standalone File Server without authorization

At home it is convenient for everyone to see everyone. This can be done by adding 4 lines to the [global] section of the /etc/samba/smb.conf file. Some of them may already be there.

[global]
workgroup = WORKGROUP
map to guest = Bad User
netbios name = Notebook
security = user

Notebook is the name under which the computer will appear on the network. In addition, you need to install additional programs:

sudo apt-get install samba

For Kubuntu you also need to install smb4k. After editing the configuration files, the service must be restarted. With systemd (starting from 15.04) the restart looks like this:

sudo systemctl restart smbd.service nmbd.service

You can see the shares through the Nautilus file browser, Konqueror, or like this:

smbclient -L 127.0.0.1

Official documentation is available in English.

Sharing the folder on Ubuntu

Create the folder for exchanging files.

mkdir ~/share

Add the following lines to the end of the /etc/samba/smb.conf file, replacing yuraku1504 with the user name on the computer running Samba:

[MyShareWork]
comment = Anonymous Samba Share
path = /home/yuraku1504/share
guest ok = yes
browsable = yes
writable = yes
read only = no
force user = yuraku1504
force group = yuraku1504

The folder will be open for reading and writing.
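Several settings used in the examples on this page widen access considerably: null passwords, guest-writable shares, force user, admin users and root preexec. The following is an added example, not code from the original articles or from the Samba project: a small auditor that parses smb.conf text by Samba's naming rules and flags those settings. The sample file is constructed from snippets on this page, the [cdrom] share name is an assumption, and the finding labels are invented for this example.

```python
import re

# Constructed sample assembled from settings that appear on this page;
# the [cdrom] share name is an assumption.
SAMPLE_SMB_CONF = r"""
[global]
security = user
null passwords = true

[homes]
browseable = no   # hide from the browse list

[profiles]
path = /var/data/profiles
admin users = "@DOMAIN\domain administrators"
read only = no

[cdrom]
path = /mnt/cdrom
read only = yes
root preexec = mount /mnt/cdrom

[MyShareWork]
path = /home/yuraku1504/share
Guest OK = yes
writable = yes
force user = yuraku1504
"""

TRUE = {"yes", "true", "on", "1"}
ALIASES = {"public": "guestok", "browsable": "browseable"}
INVERTED = {"writable", "writeable", "writeok"}  # inverse synonyms of "read only"


def is_true(value):
    return value.strip().lower() in TRUE


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}.

    Names are case-insensitive and whitespace inside them is ignored, so
    "Guest OK" and "guestok" are the same parameter. Comments are whole
    lines starting with ';' or '#'; there are no trailing comments.
    """
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in ";#":
            continue
        if line.endswith("\\"):  # value continues on the next line
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif current is not None and "=" in line:
            name, value = line.split("=", 1)
            key = re.sub(r"\s+", "", name).lower()
            value = value.strip()
            if key in INVERTED:  # later lines win, as in the real file
                key, value = "readonly", "no" if is_true(value) else "yes"
            current[ALIASES.get(key, key)] = value
    return sections


def audit(text):
    """Return sorted (section, finding) pairs for risky settings."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    found = set()
    if is_true(glob.get("nullpasswords", "no")):
        found.add(("global", "EMPTY_PASSWORDS_ALLOWED"))
    for name, params in conf.items():
        for value in params.values():
            if re.search(r"\s#", value):  # comment text became part of the value
                found.add((name, "TRAILING_COMMENT_IN_VALUE"))
        if name == "global":
            continue
        share = {**glob, **params}  # a share inherits defaults set in [global]
        guest = is_true(share.get("guestok", "no"))
        writable = not is_true(share.get("readonly", "yes"))
        if guest and writable:
            found.add((name, "GUEST_WRITABLE"))
            if "forceuser" in share:
                found.add((name, "GUEST_WRITES_AS_" + share["forceuser"]))
        if "adminusers" in share:
            found.add((name, "ADMIN_USERS_ACT_AS_ROOT"))
        if "rootpreexec" in share or "rootpostexec" in share:
            found.add((name, "COMMAND_RUN_AS_ROOT"))
    return sorted(found)


if __name__ == "__main__":
    for section, finding in audit(SAMPLE_SMB_CONF):
        print(f"[{section}] {finding}")
```

testparm validates syntax only, so a check like this complements it by reporting what the accepted settings actually permit.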


