Samba installation

xiaoxiao2021-03-06  57

First, we assume that you know something about Samba and that it is already installed on your server.

If not, the quick installation method is:

Debian: apt-get install samba
RedHat (Mandrake): rpm -vih /mnt/cdrom/redhat(mandrake)/rpms/samba*

Configuration file: general settings

Samba uses a single configuration file. In this file you will find section markers like this: [global]

Samba has only one configuration file!

[global]
printing = bsd
printcap name = /etc/printcap
load printers = yes
guest account = pcguest
log file = /usr/local/samba/log.%M

[tmp]
comment = temporary file space
path = /tmp
writable = yes
public = yes

If you run Samba with this configuration file, the Windows machines on your LAN will find a tmp directory in their Network Neighborhood and can write into it.

Note: every time you change the Samba configuration file, you have to restart Samba with /etc/init.d/samba restart (Debian).

Configuration file: "advanced" parameters

First let's take a look at these parameters:

[global]

netbios name: The NetBIOS name of your Samba server. This is the name Windows machines see in Network Neighborhood. If you don't specify one, Linux uses its own network name as the NetBIOS name.
invalid users: The list of user names that are not allowed to use Samba. For example, "root" should not be allowed to access Samba.
interfaces: Use this if your Linux server has more than one network card and you want to limit Samba to only one network.
security: The security mode to use. With security = user, every user needs an account on the GNU/Linux server. If you don't need the Samba server to manage users and plan to let everyone use the same shared resources, you can set security = share.
workgroup: The name of the workgroup your Linux server belongs to.
server string: A short description of your Linux machine (free text).
socket options: Used to tune the Samba server; takes a list of fine-tuning options, depending on the situation.
encrypt passwords: Must encrypted passwords be used? Be aware that (almost) every Windows system has different rules!
wins support: Should your Linux server act as a WINS server?
os level: Determines which server becomes the domain controller (domain master), the local master, and so on.
domain master: Makes Samba the domain master.
local master: Makes Samba a local master.
preferred master: If other servers exist, is Samba the preferred one?
domain logons: Can Samba manage logons for a domain?
logon script: Which script is run when a user starts a session?
logon path: Where is the startup script file?
logon home: Where is the user profile stored?
name resolve order: In which order are the resources queried to resolve a machine name on the network?
dns proxy: Is the Samba server also used as a DNS proxy?
preserve case: Keep the case of file names.
short preserve case: Keep the case of short file names.
unix password sync: Do the Unix and Windows passwords have to be synchronized?
passwd program: Which program is used to change a password.
passwd chat: Which "dialogue" is used to change a password.
max log size: The maximum size of the log file.

Section [netlogon] specifies where netlogon is.

Section [Profiles]

User Profile file section.

Section [homes]

User Home Directory.
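An added example, not part of the original article or of Samba: a Python check that reads an smb.conf and reports the settings described above that open the server up (security = share, cleartext passwords, root missing from invalid users, guest-writable shares). The sample text is constructed from the basic [global]/[tmp] configuration shown earlier, and the function names are this example's own.

```python
import configparser

# Constructed sample, modelled on the basic [global]/[tmp] configuration above.
SAMPLE = """\
[global]
log file = /usr/local/samba/log.%M
[tmp]
path = /tmp
writable = yes
public = yes
"""

TRUE = {"yes", "true", "1"}

def load(text):
    # smb.conf is INI-like; disable interpolation so %M, %g etc. stay literal.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), comment_prefixes=(";", "#"))
    cp.read_string(text)
    return {s.lower(): dict(cp[s]) for s in cp.sections()}

def flag(params, *names):
    # Boolean value of the first synonym that is set; None if none is set.
    for name in names:
        if name in params:
            return params[name].lower() in TRUE
    return None

def audit(text):
    conf = load(text)
    glob = conf.pop("global", {})
    findings = []
    if glob.get("security", "").lower() == "share":
        findings.append("global: security = share (no per-user accounts)")
    if flag(glob, "encrypt passwords") is False:
        findings.append("global: encrypt passwords = no (cleartext passwords)")
    if "root" not in glob.get("invalid users", "").replace(",", " ").split():
        findings.append("global: root is not listed in invalid users")
    for share, p in conf.items():
        guest = flag(p, "guest ok", "public")
        # 'writable', 'writeable' and 'write ok' are inverted synonyms of 'read only'.
        write = (flag(p, "writable", "writeable", "write ok")
                 or flag(p, "read only") is False)
        if guest and write and "valid users" not in p:
            findings.append(f"{share}: guests can write to {p.get('path')}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

A share that sets valid users is not reported, because guests are then no longer admitted to it.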

Samba variables

Variable   Description
Client variables
%a         Client system, for example: Win95, WfWg, WinNT, Samba ...
%I         Client IP address
%m         Client NetBIOS name
%M         Client DNS name
User variables
%g         Primary group of user %u
%H         Home directory of user %u
%u         Current Unix username
Share variables
%P         Root directory of the current share
%S         Name of the current share
Server variables
%h         Samba server DNS name
%L         Samba server NetBIOS name
%v         Samba version
Other variables
%T         Current date and time

Example of using these variables: if some machines on your network run Windows 3.11 and others Windows 98, you can create two configuration files, one for each system, and use the %a variable to select between them.

Result: our configuration file

[global]
printing = bsd
printcap name = /etc/printcap
guest account = nobody
invalid users = root
; the server's NetBIOS name
netbios name = pantoufle
; the network it listens on
; (it does not need to serve the other network as well, because that one is the Internet connection)
interfaces = 192.168.0.1/255.255.255.0
; security = user means that each user must have a UNIX account
security = user
; which workgroup does this machine belong to?
workgroup = rycks
; short description of the server, visible in the details view
; %h is the server's DNS name, %v the Samba version number
server string = %h server (samba %v)
; we use Samba's own log files, not only syslog
syslog only = no
; at least the important information should be written to syslog,
; everything else goes to /var/log/smb(nmb)/
syslog = 0
; some performance tuning!
socket options = IPTOS_LOWDELAY TCP_NODELAY SO_SNDBUF=4096 SO_RCVBUF=4096
; use encrypted passwords; note that
; every W95 client must have the MS SMB security patch applied and NT4 needs SP3 or higher
; I don't remember the situation for W3.11: it very likely does not support encrypted passwords :(
encrypt passwords = yes
; this server is also a WINS server
; WINS lets two networks on different IP segments
; (such as 192.168.0.55.255.255.0 and 192.168.0.1/255.255.255.0)
; see each other's shared resources once the gateway is active
wins support = yes
; OS level. Our server is the domain controller and handles local logons, so if there is
; an NT server on the network, our level should be "higher"
os level = 34
; domain management
domain master = yes
local master = yes
preferred master = yes
; domain logon management
domain logons = yes
; which script runs when a user logs in?
; %g is the user's primary group
logon script = %g.bat
; where can we find our script?
; %L is the NetBIOS name of the Samba server
logon path = \\%L\netlogon
; where is the user's profile stored?
; %U is the user's login name
logon home = \\%L\%U\winprofile
; in which order are the resources checked to find the name of a machine?
; note that, unlike Windows, which broadcasts all the time, we use broadcast last
name resolve order = lmhosts host wins bcast
; must Samba act as a DNS proxy?
dns proxy = no
; keep file names and their case
preserve case = yes
short preserve case = yes
; must the Windows and Linux passwords be synchronized?
unix password sync = yes
; how to synchronize the passwords
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
; maximum size of the log files, to keep /var from filling up :p
max log size = 1000
; we are a time server, used to synchronize the clock of each machine
; this feature is used from the logon .bat file
time server = yes

; location of netlogon. It is only used at logon,
; so we don't have to make it visible.
[netlogon]
path = /home/netlogon/%g
public = no
writeable = no
browseable = no

; each user's home directory
[homes]
comment = Home Directories
browseable = no
; the user can write to it, of course
read only = no
; default UNIX umask
create mask = 0700
; for security reasons, directories are created with mode 700
directory mask = 0700

; the FTP directory is shared too, so it can be reached from Network Neighborhood
[ftp]
path = /home/ftp/pub
public = yes
printable = no
guest ok = yes

; temporary directory
[tmp]
path = /tmp
public = yes
printable = no
guest ok = yes
writable = yes

; another temporary directory,
; for a user with special space needs
[bigTemp]
path = /home/bigTemp
public = yes
printable = no
guest ok = yes
valid users = erics
writable = yes

Now, on the server

In short, here is what we need on the server:

An account for each user
The smb.conf file
A directory /home/netlogon (like the one in my example)
A .bat file for each user group in this directory (example here)
A config.pol file providing the system security policies (also in this directory). To create the config.pol file, look for poledit.exe on the Windows CD.

NET USE P: \\PANTOUFLE\homes
NET USE T: \\PANTOUFLE\tmp
NET TIME \\PANTOUFLE /SET /YES

NET USE P: \\PANTOUFLE\homes
NET USE T: \\PANTOUFLE\tmp
NET TIME \\PANTOUFLE /SET /YES
REGEDIT /S \\PANTOUFLE\NETLOGON\teachers.reg

NET USE P: \\PANTOUFLE\homes
NET USE T: \\PANTOUFLE\tmp
NET TIME \\PANTOUFLE /SET /YES
REGEDIT /S \\PANTOUFLE\NETLOGON\pupils.reg

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal"="P:"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal"="P:"

These files automatically mount the user's personal directory as P: and the temporary directory as T:. At the same time, the system time is synchronized with the Samba server.

Tip: the .bat file must be in "DOS mode" format. The best way is to create the file in Notepad and then put it on the server.

Developing a system security policy (C) (TM) (R)

Use domain controllers to make Windows safe

That's quite a title! Of course, I borrowed it from the MS documentation of their system policy tool.

So, in order to create a Windows system policy, for example to prevent certain users (all of them?) from running regedit or DOS programs, you have to use POLEDIT from the Windows 98 CD.

Run POLEDIT, read its help and note down the relevant information ... This article does not intend to teach you how to use proprietary software.

Once your .pol file is ready, copy it to the Samba server, into the path specified in [netlogon].

Note: for W9x clients, the system policy file must be named config.pol ... For Windows NT it has another name; since I don't have NT, I can't tell you which one :'( (Ha, don't give me an NT machine to test with. In any case, thank you very much, your conscience is great :o)

Tip: POLEDIT lets you create user groups and users, but we have not succeeded with it. Only the default user is taken into account.

For example, if I create an "admin" group with POLEDIT that is allowed to run regedit, and then connect as the user "erics" (whose primary group is "admin"), I still cannot run regedit :(

However, creating an "erics" user with POLEDIT works very well.

Because I find creating 1056 users with POLEDIT very laborious, and global user management looks more interesting, we "suggest" a trick:

We solved the problem as follows: make three config.pol files, each for the default user, so that we have:

/home/netlogon/teachers/config.pol
/home/netlogon/teachers/teachers.bat
/home/netlogon/pupils/config.pol
/home/netlogon/pupils/pupils.bat
/home/netlogon/admin/config.pol
/home/netlogon/admin/admin.bat

The smb.conf file has then been modified as follows:

[netlogon]
; use the %g variable to point netlogon at a different directory for each user group,
; so that each user gets the config.pol file that corresponds to him
path = /home/netlogon/%g
public = no
writeable = no
browseable = no

Windows machine configuration

If you are lucky, 20 mouse clicks and a restart are enough to configure Windows!

Win98 client

Click Start / Settings / Control Panel and then double-click Network (translator's note: I am sorry, I haven't used Win9x for a long time, so I am translating the corresponding names from memory; I don't have time to look them up, so please bear with me)

Install:

MS Network
Network card driver
TCP/IP support, and only TCP/IP (no IPX or NetBIOS)
File and printer sharing

Then click the "Identification" tab and fill in the machine name and the workgroup the machine belongs to.

Click "Access Control" and select User-Level Access Control

Go back to the Configuration tab, then double-click "Client for MS Network"

Don't forget to configure TCP/IP support: double-click TCP/IP.

IP address: the IP you want for this machine (e.g. 192.168.0.2) and the subnet mask (e.g. 255.255.255.0)
WINS configuration: enable WINS and add the WINS server, IP 192.168.0.1 (assuming this is the address of your Samba server)
Gateway: if you have a gateway, specify it here
DNS configuration: configure your DNS

About "Tuning / Performance / Good Sense?"

In practice, a bottleneck shows up quickly because of the use of Windows profiles.

In fact, the profile is filled with things that MS thinks are important, such as the IE cache, the Outlook cache, etc.

Simply put, this means that whenever a user logs on or off, the profile is downloaded or uploaded (my profile is very standard: a desktop background, IE, the Outlook cache ...).

At 10 MB per user, a room with 15 machines (a "typical" lab size) means 150 MB to transfer. If the floor has 10 such rooms ... do the math, and think about how many users leave at once when the bell rings.

Now you can see the result, so you leave 5 minutes early ... (well, I have to admit I did that when I was a student) ... and it takes more than 5 minutes. Just like in a big city, where you either leave 10 minutes early or two hours later! Therefore, depending on the policy you implement, mounting each user's home directory as P: (as an example; P stands for people, personal) and telling them "save your documents on P:, don't put them in 'My Documents', otherwise the files will be lost" should be a good approach.

Next, you have to find software that can be configured accordingly: store the bookmarks in P:\bookmarks.html, etc.

I don't even know if there is such a thing in the Windows world!

If you know of such a solution, write it down and share the knowledge ~

Questions and suggestions

Is it possible to have various workgroups on the same domain, how can this be managed, and is it possible to share the problem between various GNU/Linux Samba servers?

How do I use NT and Samba servers at the same time?

NT client configuration: config.pol file There is another name below NT.

A real problem when there are only Samba servers (no NT): I work on W98 and I want to share my local resources, such as my printer:

Display my printer sharing status

Next click to add

Hot news: someone gave me a solution. Select "Resource Level Access Control" on the Windows Access Control tab.

Thanks

Bruno did the proofreading and gave some other help before :o)

JohnPerr urged me to write my first article for LinuxFocus and translated this article into English.
Michel Billaud, aka MIB, gave a solution to our problem and also taught us some tricks, such as strace, etc. :o)
Etienne, Éric, and a friend whose name I have forgotten (apologies for that): thank you for sharing your knowledge of NT servers.
Jean Peyratout: do I need to say why? It would take too long.
The ABUL in general.
Rycks gives me time and resources to develop and write documentation for free software.

Reference

O'Reilly online books: http://www.oreilly.com/catalog/samba/chapter/book/index.html

The latest version of this document can be found in the rycks.com documentation section.

(Posted from: www.linuxfocus.org, Author: Éric Seigne translation: white-cn)
