20.3.1 Configuring a Samba Server

To configure a Samba server:

  1. Install the samba and samba-winbind packages:

    # yum install samba samba-winbind

  2. Edit /etc/samba/smb.conf and configure the sections to support the required services, for example:

    [global]
    security = ADS
    realm = MYDOM.REALM
    password server = krbsvr.mydom.com
    load printers = yes
    printing = cups
    printcap name = cups
    
    [printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    guest ok = yes
    writable = no
    printable = yes
    printer admin = root, @ntadmins, @smbprintadm
    
    [homes]
    comment = User home directories
    valid users = @smbusers
    browsable = no
    writable = yes
    guest ok = no
    
    [apps]
    comment = Shared /usr/local/apps directory
    path = /usr/local/apps
    browsable = yes
    writable = no
    guest ok = yes

    The [global] section contains settings for the Samba server. In this example, the server is assumed to be a member of an Active Directory (AD) domain that is running in native mode. Samba relies on tickets issued by the Kerberos server to authenticate clients who want to access local services.

    For more information, see Section 20.3.2, “About Samba Configuration for Windows Workgroups and Domains”.

    The [printers] section specifies support for print services. The path parameter specifies the location of a spooling directory that receives print jobs from Windows clients before submitting them to the local print spooler. Samba advertises all locally configured printers on the server.

    The [homes] section provides a personal share for each user in the smbusers group. The settings for browsable and writable prevent other users from browsing home directories, while allowing full access to valid users.

    The [apps] section specifies a share named apps, which grants Windows users browsing and read-only permission to the /usr/local/apps directory.

  3. Allow incoming TCP connections to ports 139 and 445, and incoming UDP datagrams on ports 137 and 138 from the local network:

    # iptables -I INPUT -s subnet_addr/prefix_length -p tcp \
      -m state --state NEW -m tcp --dport 139 -j ACCEPT
    # iptables -I INPUT -s subnet_addr/prefix_length -p tcp \
      -m state --state NEW -m tcp --dport 445 -j ACCEPT
    # iptables -I INPUT -s subnet_addr/prefix_length -p udp \
      -m udp --dport 137 -j ACCEPT
    # iptables -I INPUT -s subnet_addr/prefix_length -p udp \
      -m udp --dport 138 -j ACCEPT
    # service iptables save

    where subnet_addr/prefix_length specifies the network address, for example 192.168.2.0/24.

    Add similar rules for other networks from which Samba clients can connect.

    The nmbd daemon services NetBIOS Name Service requests on UDP port 137 and NetBIOS Datagram Service requests on UDP port 138.

    The smbd daemon services NetBIOS Session Service requests on TCP port 139 and Microsoft Directory Service requests on TCP port 445.

  4. Start the smb service, and configure the service to start following a system reboot:

    # service smb start
    # chkconfig smb on
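
The following is an added example, not part of the original documentation: a shell function that reads smb.conf text on standard input and lists each share that admits guest sessions with its effective write setting, resolving the parameter synonyms Samba accepts (public, writeable, write ok, and the inverted read only). The names audit_guest_shares and page_conf are hypothetical, and the sample input is abridged from the step 2 configuration; [global] is assumed to come first, and include files and line continuations are not followed.

```shell
#!/bin/sh
# Added example (not from the original page): report guest-accessible shares
# in an smb.conf read from stdin, with their effective write setting.
audit_guest_shares() {
    awk '
    function truthy(v) { v = tolower(v); return (v == "yes" || v == "true" || v == "1") }
    function report() {
        if (sec != "" && sec != "global" && guest)
            printf "%s guest=yes writable=%s\n", sec, (wr ? "yes" : "no")
    }
    /^[ \t]*[#;]/ { next }                        # comment line
    /^[ \t]*\[/ {                                 # section header starts a new share
        report()
        sec = tolower($0); sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
        guest = dguest; wr = dwr                  # inherit defaults set in [global]
        next
    }
    index($0, "=") > 0 {
        eq = index($0, "=")                       # only the first "=" is significant
        key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
        val = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "guestok" || key == "public") guest = truthy(val)
        else if (key == "writable" || key == "writeable" || key == "writeok") wr = truthy(val)
        else if (key == "readonly") wr = !truthy(val)   # inverted synonym
        else next
        if (sec == "global") { dguest = guest; dwr = wr }
    }
    END { report() }
    '
}

# Access-related lines of the step 2 configuration (abridged from the page).
page_conf() {
    cat <<'EOF'
[global]
security = ADS
[printers]
guest ok = yes
writable = no
[homes]
writable = yes
guest ok = no
[apps]
writable = no
guest ok = yes
EOF
}
page_conf | audit_guest_shares
```

Any line that ends in writable=yes is a share that unauthenticated clients can modify. On a running server, the output of testparm -s can be piped into the function instead of the sample.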

If you change the /etc/samba/smb.conf file or any files that it references, the smb service will reload its configuration automatically after a delay of up to one minute. You can force smb to reload its configuration by sending a SIGHUP signal to the service daemon:

# killall -SIGHUP smbd

Making smb reload its configuration has no effect on established connections. For the changes to apply to those connections, you must restart the smb service or the existing users of the service must disconnect and then reconnect.

To restart the smb service, use the following command:

# service smb restart

For more information, see the smb.conf(5) and smbd(8) manual pages and http://www.samba.org/samba/docs/.