Chapter 1. Using Samba as a server
Samba implements the Server Message Block (SMB) protocol in Red Hat Enterprise Linux. The SMB protocol is used to access resources on a server, such as file shares and shared printers. Additionally, Samba implements the Distributed Computing Environment Remote Procedure Call (DCE RPC) protocol used by Microsoft Windows.
For more information, refer to:
- The smb.conf(5) man page on your system
- The /usr/share/docs/samba-version/ directory that contains general documentation, example scripts, and LDAP schema files, provided by the Samba project
You can run Samba as:
- An Active Directory (AD) or NT4 domain member
- A standalone server
- An NT4 Primary Domain Controller (PDC) or Backup Domain Controller (BDC)
  Note: Red Hat supports the PDC and BDC modes only in existing installations with Windows versions which support NT4 domains. Red Hat recommends not setting up a new Samba NT4 domain, because Microsoft operating systems later than Windows 7 and Windows Server 2008 R2 do not support NT4 domains.
Red Hat does not support running Samba as an AD domain controller (DC).
Independently of the installation mode, you can optionally share directories and printers. This enables Samba to act as a file and print server.
The samba package provides multiple services. Depending on your environment and the scenario you want to configure, you require one or more of these services and configure Samba in different modes.
1.1.1. The Samba services
Samba services in Linux include smbd, nmbd, winbindd, and samba-bgqd. Understand their roles in file and printer sharing, name resolution, domain integration, and printer management.
Samba provides the following services:
smbd
  This service provides file sharing and printing services using the SMB protocol. Additionally, the service is responsible for resource locking and for authenticating connecting users. For authenticating domain members, smbd requires winbindd. The smb systemd service starts and stops the smbd daemon.
  To use the smbd service, install the samba package.

nmbd
  This service provides host name and IP resolution using the NetBIOS over IPv4 protocol. In addition to name resolution, the nmbd service enables browsing the SMB network to locate domains, work groups, hosts, file shares, and printers. For this, the service either reports this information directly to the broadcasting client or forwards it to a local or master browser. The nmb systemd service starts and stops the nmbd daemon.
  Note that modern SMB networks use DNS to resolve clients and IP addresses. For Kerberos, a working DNS setup is required.
  To use the nmbd service, install the samba package.

winbindd
  This service provides an interface for the Name Service Switch (NSS) to use AD or NT4 domain users and groups on the local system. This enables, for example, domain users to authenticate to services hosted on a Samba server or to other local services. The winbind systemd service starts and stops the winbindd daemon.
  If you set up Samba as a domain member, winbindd must be started before the smbd service. Otherwise, domain users and groups are not available to the local system.
  To use the winbindd service, install the samba-winbind package.
  Important: Red Hat only supports running Samba as a server with the winbindd service to provide domain users and groups to the local system. Due to certain limitations, such as missing Windows access control list (ACL) support and NT LAN Manager (NTLM) fallback, SSSD is not supported.

samba-bgqd
  The Samba background queue daemon regularly updates the printer list with printers from CUPS. For print servers with multiple printers, run this daemon. It is managed by the samba-bgqd systemd service. If it fails to run, rpcd_spoolss starts it on demand.
1.1.2. The Samba security services
The security parameter in the [global] section in the /etc/samba/smb.conf file manages how Samba authenticates users that are connecting to the service.
Depending on the mode you install Samba in, the parameter must be set to different values:
- On an AD domain member, set security = ads. In this mode, Samba uses Kerberos to authenticate AD users.
  For details about setting up Samba as a domain member, see Setting up Samba as an AD domain member server.
- On a standalone server, set security = user. In this mode, Samba uses a local database to authenticate connecting users.
  For details about setting up Samba as a standalone server, see Setting up Samba as a standalone server.
- On an NT4 PDC or BDC, set security = user. In this mode, Samba authenticates users to a local or LDAP database.
- On an NT4 domain member, set security = domain. In this mode, Samba authenticates connecting users to an NT4 PDC or BDC. You cannot use this mode on AD domain members.
  For details about setting up Samba as a domain member, see Setting up Samba as an AD domain member server.
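1.1.3. Scenarios when Samba services and Samba client utilities load and reload their configuration
Samba services and client utilities load and reload their configuration files at different times. Reloads are triggered either automatically or manually, and certain settings require a full service restart for configuration changes to become effective.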
The following describes when Samba services and utilities load and reload their configuration:
- Samba services reload their configuration:
  - Automatically every 3 minutes
  - On manual request, for example, when you run the smbcontrol all reload-config command.
- Samba client utilities read their configuration only when you start them.
Note that certain parameters, such as security, require a restart of the smb service to take effect; a reload is not sufficient. For more information, refer to:
- The "How configuration changes are applied" section in the smb.conf(5) man page on your system
- The smbd(8), nmbd(8), and winbindd(8) man pages on your system
1.1.4. Editing the Samba configuration in a safe way
Samba services automatically reload their configuration every 3 minutes. For details, see Scenarios when Samba services and Samba client utilities load and reload their configuration.
To prevent the services from reloading your changes before you have verified the configuration using the testparm utility, you can edit the Samba configuration in a safe way.
Prerequisites
- Samba is installed.
Procedure
1. Create a copy of the /etc/samba/smb.conf file:
   # cp /etc/samba/smb.conf /etc/samba/samba.conf.copy
2. Edit the copied file and make the required changes.
3. Verify the configuration in the /etc/samba/samba.conf.copy file:
   # testparm -s /etc/samba/samba.conf.copy
   If testparm reports errors, fix them and run the command again.
4. Override the /etc/samba/smb.conf file with the new configuration:
   # mv /etc/samba/samba.conf.copy /etc/samba/smb.conf
5. Wait until the Samba services automatically reload their configuration or manually reload the configuration:
   # smbcontrol all reload-config
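
The procedure above as a script, added here as an example that is not part of the Red Hat documentation. It goes one step beyond the procedure by checking whether the security parameter in [global] changed, because that parameter needs a restart of the smb service rather than a reload. The SMB_CONF and TESTPARM variables and both function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: validate a copy of smb.conf, then swap it in.
# SMB_CONF, TESTPARM and both function names are illustrative assumptions.
SMB_CONF="${SMB_CONF:-/etc/samba/smb.conf}"
TESTPARM="${TESTPARM:-testparm}"

# Print the lowercased "security" value from the [global] section of file $1
# (empty output when the parameter is not set there).
global_security() {
    awk '
        { line = tolower($0) }
        line ~ /^[ \t]*\[/ { in_global = (line ~ /^[ \t]*\[global\]/); next }
        in_global && line ~ /^[ \t]*security[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "", line); sub(/[ \t]+$/, "", line); val = line
        }
        END { print val }
    ' "$1"
}

# Validate candidate file $1 with testparm and, only if it passes, move it
# over the live file. Prints the follow-up action: "restart" when the
# security value changed (a reload is not sufficient), otherwise "reload".
# Returns 1 and leaves the live file untouched when validation fails.
apply_smb_conf() {
    candidate=$1
    "$TESTPARM" -s "$candidate" >/dev/null 2>&1 || return 1
    old=$(global_security "$SMB_CONF")
    new=$(global_security "$candidate")
    mv "$candidate" "$SMB_CONF" || return 1
    if [ "$old" != "$new" ]; then echo restart; else echo reload; fi
}

# Usage: script --apply /etc/samba/samba.conf.copy
if [ "${1:-}" = "--apply" ]; then
    case $(apply_smb_conf "$2") in
        reload)  smbcontrol all reload-config ;;
        restart) systemctl restart smb ;;
        *) echo "validation or move failed; $SMB_CONF unchanged" >&2; exit 1 ;;
    esac
fi
```

A security value that is set in only one of the two files counts as a change, so the script errs toward a restart.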