- Chapter 3. Using Samba as a server
- 3.1. Understanding the different Samba services and modes
- 3.1.1. The Samba services
- 3.1.2. The Samba security services
- 3.1.3. Scenarios when Samba services and Samba client utilities load and reload their configuration
- 3.1.4. Editing the Samba configuration in a safe way
- 3.2. Verifying the smb.conf file by using the testparm utility
- 3.3. Setting up Samba as a standalone server
- 3.3.1. Setting up the server configuration for the standalone server
- 3.3.2. Creating and enabling local user accounts
- 3.4. Understanding and configuring Samba ID mapping
- Linux samba reload config
Chapter 3. Using Samba as a server
Samba implements the Server Message Block (SMB) protocol in Red Hat Enterprise Linux. The SMB protocol is used to access resources on a server, such as file shares and shared printers. Additionally, Samba implements the Distributed Computing Environment Remote Procedure Call (DCE RPC) protocol used by Microsoft Windows.
You can run Samba as:
- An Active Directory (AD) or NT4 domain member
- A standalone server
- An NT4 Primary Domain Controller (PDC) or Backup Domain Controller (BDC)
Red Hat supports the PDC and BDC modes only in existing installations with Windows versions which support NT4 domains. Red Hat recommends not setting up a new Samba NT4 domain, because Microsoft operating systems later than Windows 7 and Windows Server 2008 R2 do not support NT4 domains. Red Hat does not support running Samba as an AD domain controller (DC).
Independently of the installation mode, you can optionally share directories and printers. This enables Samba to act as a file and print server.
3.1. Understanding the different Samba services and modes
This section describes the different services included in Samba and the different modes you can configure.
3.1.1. The Samba services
Samba provides the following services:
smbd
This service provides file sharing and printing services using the SMB protocol. Additionally, the service is responsible for resource locking and for authenticating connecting users. For authenticating domain members, smbd requires winbindd. The smb systemd service starts and stops the smbd daemon.
To use the smbd service, install the samba package.
nmbd
This service provides host name and IP resolution using the NetBIOS over IPv4 protocol. In addition to name resolution, the nmbd service enables browsing the SMB network to locate domains, work groups, hosts, file shares, and printers. For this, the service either reports this information directly to the broadcasting client or forwards it to a local or master browser. The nmb systemd service starts and stops the nmbd daemon.
Note that modern SMB networks use DNS to resolve clients and IP addresses. Kerberos requires a working DNS setup.
To use the nmbd service, install the samba package.
winbindd
This service provides an interface for the Name Service Switch (NSS) to use AD or NT4 domain users and groups on the local system. This enables, for example, domain users to authenticate to services hosted on a Samba server or to other local services. The winbind systemd service starts and stops the winbindd daemon.
If you set up Samba as a domain member, winbindd must be started before the smbd service. Otherwise, domain users and groups are not available to the local system.
To use the winbindd service, install the samba-winbind package.
Red Hat only supports running Samba as a server with the winbindd service to provide domain users and groups to the local system. Due to certain limitations, such as missing Windows access control list (ACL) support and NT LAN Manager (NTLM) fallback, SSSD is not supported.
3.1.2. The Samba security services
The security parameter in the [global] section in the /etc/samba/smb.conf file manages how Samba authenticates users that are connecting to the service. Depending on the mode you install Samba in, the parameter must be set to different values:
On an AD domain member, set security = ads
In this mode, Samba uses Kerberos to authenticate AD users.
For details about setting up Samba as a domain member, see Setting up Samba as an AD domain member server.
On a standalone server, set security = user
In this mode, Samba uses a local database to authenticate connecting users.
For details about setting up Samba as a standalone server, see Setting up Samba as a standalone server.
On an NT4 PDC or BDC, set security = user
In this mode, Samba authenticates users to a local or LDAP database.
On an NT4 domain member, set security = domain
In this mode, Samba authenticates connecting users to an NT4 PDC or BDC. You cannot use this mode on AD domain members.
For details about setting up Samba as a domain member, see Setting up Samba as an AD domain member server.
3.1.3. Scenarios when Samba services and Samba client utilities load and reload their configuration
The following describes when Samba services and utilities load and reload their configuration:
- Automatically every 3 minutes
- On manual request, for example, when you run the smbcontrol all reload-config command.
Note that certain parameters, such as security, require a restart of the smb service to take effect; a reload is not sufficient.
Additional resources
- The How configuration changes are applied section in the smb.conf(5) man page
- The smbd(8), nmbd(8), and winbindd(8) man pages
3.1.4. Editing the Samba configuration in a safe way
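Samba services automatically reload their configuration every 3 minutes. This procedure describes how to edit the Samba configuration in a way that prevents the services from reloading the changes before you have verified the configuration using the testparm utility.
Procedure
- Create a copy of the /etc/samba/smb.conf file:
# cp /etc/samba/smb.conf /etc/samba/samba.conf.copy
- Edit the copied configuration file.
- Verify the configuration in the /etc/samba/samba.conf.copy file:
# testparm -s /etc/samba/samba.conf.copy
- Override the /etc/samba/smb.conf file with the new configuration:
# mv /etc/samba/samba.conf.copy /etc/samba/smb.conf
- Wait until the Samba services automatically reload their configuration, or reload the configuration manually:
# smbcontrol all reload-config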
3.2. Verifying the smb.conf file by using the testparm utility
The testparm utility verifies that the Samba configuration in the /etc/samba/smb.conf file is correct. The utility detects invalid parameters and values, as well as incorrect settings, such as for ID mapping. If testparm reports no problem, the Samba services will successfully load the /etc/samba/smb.conf file. Note that testparm cannot verify that the configured services will be available or work as expected.
Red Hat recommends that you verify the /etc/samba/smb.conf file by using testparm after each modification of this file.
Procedure
- Run the testparm utility as the root user:
# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Unknown parameter encountered: "log levell"
Processing section "[example_share]"
Loaded services file OK.
ERROR: The idmap range for the domain * (tdb) overlaps with the range of DOMAIN (ad)!

Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

# Global parameters
[global]
    .
[example_share]
    .
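The safe-editing procedure from section 3.1.4 combined with the testparm check from this section, as an added shell example that is not part of the original documentation. The function names check_smb_conf and apply_smb_conf and the .bak backup suffix are assumptions, and the script deliberately treats the "Unknown parameter encountered" and "ERROR:" report lines as failures in addition to a non-zero testparm exit status.

```shell
#!/bin/sh
# Added example (not from the original page): gate a candidate smb.conf on
# testparm before it replaces the live file. Function names and the .bak
# suffix are assumptions made for this example.

# check_smb_conf FILE
# Reject FILE when testparm exits non-zero or its report contains an
# "Unknown parameter encountered" or "ERROR:" line.
check_smb_conf() {
    status=0
    report=$(testparm -s "$1" 2>&1) || status=$?
    problems=$(printf '%s\n' "$report" |
        grep -E 'Unknown parameter encountered|^ERROR:' || true)
    if [ "$status" -ne 0 ] || [ -n "$problems" ]; then
        printf 'rejected %s (testparm exit %s)\n%s\n' \
            "$1" "$status" "$problems" >&2
        return 1
    fi
    return 0
}

# apply_smb_conf CANDIDATE [LIVE]
# Install CANDIDATE as LIVE only after it passes check_smb_conf, keep the
# previous file as LIVE.bak, then ask the running services to reload.
apply_smb_conf() {
    candidate=$1
    live=${2:-/etc/samba/smb.conf}
    check_smb_conf "$candidate" || return 1
    # Keep the previous configuration so a bad change can be rolled back.
    if [ -f "$live" ]; then
        cp -p "$live" "$live.bak" || return 1
    fi
    # The candidate sits next to the live file, so mv is a rename and the
    # services never see a partially written smb.conf.
    mv "$candidate" "$live" || return 1
    smbcontrol all reload-config
}
```

Call it as `apply_smb_conf /etc/samba/samba.conf.copy` after editing the copy; a change to a parameter such as security still needs a restart of the smb service.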
3.3. Setting up Samba as a standalone server
You can set up Samba as a server that is not a member of a domain. In this installation mode, Samba authenticates users to a local database instead of to a central DC. Additionally, you can enable guest access to allow users to connect to one or multiple services without authentication.
3.3.1. Setting up the server configuration for the standalone server
This section describes how to set up the server configuration for a Samba standalone server.
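- Install the samba package:
# yum install samba
- Edit the /etc/samba/smb.conf file and set the following parameters:
[global]
    workgroup = Example-WG
    netbios name = Server
    security = user
    log file = /var/log/samba/%m.log
    log level = 1
- Open the required ports and reload the firewall configuration by using the firewall-cmd utility:
# firewall-cmd --permanent --add-service=samba
# firewall-cmd --reload
- Enable and start the smb service:
# systemctl enable --now smb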
3.3.2. Creating and enabling local user accounts
To enable users to authenticate when they connect to a share, you must create the accounts on the Samba host both in the operating system and in the Samba database. Samba requires the operating system account to validate the Access Control Lists (ACL) on file system objects and the Samba account to authenticate connecting users.
If you use the passdb backend = tdbsam default setting, Samba stores user accounts in the /var/lib/samba/private/passdb.tdb database.
The procedure in this section describes how to create a local Samba user named example.
Procedure
- Create the operating system account:
# useradd -M -s /sbin/nologin example
- Set a password for the operating system account:
# passwd example
Enter new UNIX password:password
Retype new UNIX password:password
passwd: password updated successfully
- Add the user to the Samba database and set a password for the account:
# smbpasswd -a example
New SMB password:password
Retype new SMB password:password
Added user example.
- Enable the Samba account:
# smbpasswd -e example
Enabled user example.
3.4. Understanding and configuring Samba ID mapping
Windows domains distinguish users and groups by unique Security Identifiers (SID). However, Linux requires unique UIDs and GIDs for each user and group. If you run Samba as a domain member, the winbindd service is responsible for providing information about domain users and groups to the operating system.
To enable the winbindd service to provide unique IDs for users and groups to Linux, you must configure ID mapping in the /etc/samba/smb.conf file for:
- The local database (default domain)
- The AD or NT4 domain the Samba server is a member of
- Each trusted domain from which users must be able to access resources on this Samba server
Samba provides different ID mapping back ends for specific configurations. The most frequently used back ends are:
Linux samba reload config
Can anyone tell me how to make Samba re-read its configs without restarting Samba? 1C is running on the server, and running over to accounting to ask them to log out of it is not great.
>Can anyone tell me how to make Samba re-read its configs without restarting Samba?
>1C is running on the server, and running over to accounting to
>ask them to log out of it is not great.
killall -HUP smbd
>>Can anyone tell me how to make Samba re-read its configs without restarting Samba?
>>1C is running on the server, and running over to accounting to
>>ask them to log out of it is not great.
>
>killall -HUP smbd
There's no way.
>>>Can anyone tell me how to make Samba re-read its configs without restarting Samba?
>>>1C is running on the server, and running over to accounting to
>>>ask them to log out of it is not great.
>>
>>killall -HUP smbd
>
>There's no way.
After killall -HUP smbd, 1C drops its connection :((
>>>>Can anyone tell me how to make Samba re-read its configs without restarting Samba?
>>>>1C is running on the server, and running over to accounting to
>>>>ask them to log out of it is not great.
>>>
>>>killall -HUP smbd
>>
>>There's no way.
>
>After killall -HUP smbd, 1C drops its connection :((
It doesn't drop for me. And it shouldn't. From man 8 smbd: The configuration file, and any files that it includes, are automatically reloaded every minute, if they change. You can force a reload by sending a SIGHUP to the server. Reloading the configuration file will not affect connections to any service that is already established. Either the user will have to disconnect from the service, or smbd killed and restarted.