分类: 服务器与存储
2010-01-06 17:19:53
SMB.CONF(5) SMB.CONF(5)
NAME
smb.conf - Samba组件的配置文件
总览 SYNOPSIS
smb.conf是Samba组件的配置文件,包含Samba程序运行时的配置信息.smb.conf被设计成可由swat (8)程序来配置和管理.本文件包含了关于smb.conf的
文件格式和可能出现的选项的完整描述以供参考.
文件格式 FILE FORMAT
本文件由一系列段和选项构成.一个段由一对方括号中的段名开始,直到下一个段名结束.包含在段中的选项按以下格式定义:
选项名 = 选项值
本文件是基于文本行的.这就是说,每一个以换行符结束的行描述了一个项目(注释,段名,或选项).
段名和选项名是不区分大小写的.
只有选项设置中的第一个等号才有意义.第一个等号前后的空格会被忽略.段名和选项名的前后以及中间包含的空格是无关的.选项值前后的空格会被忽
略.选项值中包含的空格会原样保留.
所有以’;’和’#’符开头的行都会被忽略,就象只有空格的行那样.
按照UNIX上的惯例,以’′符号结尾的行续下一行.(也就是说:’′是续行符,如果一行写不下,可以在行尾以’′结束,在下一行继续写--译注)
等 号后面跟的是字符串(无需引号)或者逻辑值(可以是yes/no,1/0,或者true/false 来表示).逻辑值是不区分大小写的.字符串值则原样保留了输入的
大小写.某些选项 (例如create modes)的值是数值型的.
段描述 SECTION DESCRIPTIONS
配置文件的每一段([global]段除外)描述一项共享资源.段名就是共享名,段内的选项设置确定了该共享资源的属性.
三个特殊段([global],[homes],[printers])将在后面’special sections’单独说明,以下的内容是普通段的说明.
一个共享资源由一个文件目录和用户对此目录的操作权限的说明构成.另外,还列入了一些用于内部管理的选项.
每一段定义了一项文件服务(客户端可以把它看作其本机文件系统的延伸)或打印服务(客户端可以通过它来使用服务器提供的打印服务).
段可以定义成guest服务类型,在这种情况下,客户无需口令就可以访问该资源.一个特定的UNIX系统下的guest account通常用来指定这种情况下的客户
访问权限.
除 了guest服务类型以外,其他类型的段定义的共享资源都需要口令才能访问.用户名是由客户端提供的.由于某些老的客户端只提供口令,没有用户名,
你需要在共享定义中使用"user="选项来指定一个用户列表,以便根据这个用户列表进行口令验证.对于象Windos95/98和WindowsNT这样的现代客户端程
序,这个选项是不需要的.
注意,对于资源的操作权限还取决于主机系统赋予指定用户或来访者账户的权限.samba提供的服务权限不能超出主机系统指定的权限范围.
下面的示范段定义了一项文件服务,用户拥有对/home/bar目录进行写操作的权限.这个共享资源是通过共享名"foo"来访问的.
[foo]
path = /home/bar
read only = no
下 面示范段定义了一项打印服务,此共享资源是只读的,但是可以进行打印操作.也就是说,唯一允许的写操作只能是打开、写入并关闭一个打印假脱机
文件.其中的guest ok选项定义意味着允许以缺省的guest用户(在别处定义的)权限进行访问.
[aprinter]
path = /usr/spool/public
read only = yes
printable = yes
guest ok = yes
特殊段 SPECIAL SECTIONS
[global] 全局选项段
这一段中定义的选项是服务器的全局性设置,如果在其他段中没有再对这些选项进行重新设置的话还可以作为它们的缺省选项. 更 多 的 说 明 请 参
阅’PARAMETERS’部分的内容.
[homes] 个人目录段
如果配置文件中包含名为’homes’的段,就可以建立客户到自己在服务器上的个人目录的连接.
当服务器收到连接请求时,首先在已定义的段中搜索,如果段名与被请求的共享资源名一致,则该段的内容就被采用.如果没有找到匹配的段,则被请求的
资源就被当作是一个用户名,同时服务器查看本地的口令文件.如果该用户名在口令文件中存在且用户给出了正确的口令,服务器就会复制[homes]段 的
内容来生成一个共享资源(供该用户访问).
对新建共享会做以下修改:
共享名从’homes’改为查到的用户名.
如果没有指定访问路径,则设置为该用户的个人目录.
如果要在[homes]段中定义访问路径path=,宏%S也许对你很有用.举例如下:
path = /data/pchome/%S
如果你的PC 有与UNIX服务器上个人目录不同的目录,象上面这样的设置会很有用的.
这是为大量用户提供对他们个人目录的访问的一种快速简洁的办法.
如果被请求访问的共享资源名就是’homes’,那么,除了共享名不被改变为发出请求的用户名外,其他处理过程和前面提到的过程是类似的.这种方式适合
于不同用户共享一台终端的情况.
在[homes]段中可以定义所有普通段中可以使用的选项,可是有些选项更有意义.下面是一个实用的、典型的[homes]段的例子:
[homes]
read only = no
注意,很重要的一点是:如果在[homes]段中定义了允许以guest账户访问的话,任何人都可以无须口令而访问所有账户的宿主目录.也许在某些特殊情况
下,这正是想要的结果,在这种情况下,你最好同时把[homes]段设置成只读.
注 意,自动的宿主目录共享资源的可浏览标志是从[global]段继承来的,而不是[homes]段.这样,当在[homes]段中设置browseable=no时,用户就看不到
单独的’homes’共享,但可以看到自动的宿主目录.
[printers] 打印机共享设置段
这一段很象[homes]段,不过是用于设置共享打印机的.
如果在本配置文件中存在[printers]段,用户就可以连接到在主机上的printcap文件中指定的任一打印机.
当服务器收到连接请求时,首先在已定义的段中搜索,如果有段名与被请求的共享资源名一致,则该段的内容就被采用.如果没有找到匹配的段,且在配置
文 件中存在[homes]段,则按照前面所说的方式处理.否则,被请求的资源就被当作是一个打印机名,服务器在适当的printcap文件中查找,检验被请求的
共享资源名是否是有效的打印机共享名.如果共享名匹配,服务器就会复制[printers]段的内容来生成一个共享打印服务.
对新建共享的修改:
共享名被设置为查找到的打印机名.
如果未给出打印机名,则把打印机名设为前面查找到的打印机名.
如果该共享资源不允许以guest身份进行访问,且没有给出用户名,那么用户名就被设为前面查找到的打印机名.
注意,[printers]段必须设置为可打印,如果你不这样设置,服务器会拒绝装载配置文件.
指定的典型路径应该设为一个公用的可写假脱机目录(spooling)并且设置sticky标志.一个典型的[printers]段如下所示:
[printers]
path = /usr/spool/public
guest ok = yes
printable = yes
上台打印机在printcap文件中列出的所有别名都是服务器相关的有效打印机名.如果你系统的打印子系统的工作方式不是这样,你就必 须 设 置 一 个
伪printcap文件,其中包含一行或多行如下格式的设置:
别名1|别名2|别名3|别名4...
每 个别名必须是你的打印子系统可以接受的打印机名.在[global]段中指定这个新文件作为你的printcap文件.这个伪printcap文件可以包含任何你要
的别名,而服务器只识别在此文件中列出的名字.这个技术可以很方便的用于限制对本地打印机子集的访问.
顺便提一下,printcap文件中的别名用每个记录第一项的任何部分来定义.记录由换行进行分隔.如果一条记录中有多个部分,中间用"|"符号分隔.
Note
注意,在SYSV系统中,用lpstat可以确定系统中安装了什么样的打印机.你可以设置"printcap name = lpstat"来自动获得打印机列表.详 情 参
见"printcap name"选项.
选项 PARAMETERS
选项定义了每个段的属性.
有 些选项是在[global]段中设定的(比如有关安全特性的设置),有些可以用在任何段中的(比如建立方式 ),剩下的就只能用在普通的段中了.在以下的
描述中,[homes]和[printers]段被看作是普通段.标记(G)表示此选项只能在[global]段中使用,标记(S)表示此选项可以在服务定义段中使 用. 注 意,
有(S)标记的选项也可以用在[global]段中,在这种情况下,这个选项设置被当作所有其他段的缺省设置.
选 项的详细说明是按照字母顺序排列的,这样也许不是最好的分类方式,但至少保证你可以找得到他们.如果有多个同义词,那么我们只对首选的那个作
详细说明,其他的同义词都只指明参阅那个首选的选项名.
变量替换 VARIABLE SUBSTITUTIONS
在配置文件中可以用很多字符串进行替换.例如,当用户以john的名称建立连接后,选项"path = /tmp/%u"就被解释成"path = /tmp/john".
这些置换会在后面的描述中说明,这里说明一些可以用在任何地方的通用置换.它们是:
%U 对话用户名(客户端想要的用户名不一定与取得的一致.)
%G %U的用户组名
%h 运行Samba的主机的internet主机名
%m 客户机的NetBIOS名(非常有用)
%L 服务器的NetBIOS名.这使得你可以根据调用的客户端来改变你的配置,这样你的服务器就可以拥有"双重个性".
Note that this parameter is not available when Samba listens on port 445, as clients no longer send this information
%M 客户端的internet主机名
%R 协议协商后选择的协议,它可以是CORE,COREPLUS,LANMAN1,LANMAN2或NT1中的一种.
%d 当前samba服务器的进程号.
%a 远程主机的结构.现在只能认出来某些类型,并且不是100%可靠.目前支持的有Samba、WfWg、WinNT和Win95.任何其他的都被认作"UNKNOWN". 如
果出现错误就给samba-bugs@samba.org发一个3级的日志以便修复这个bug.
%I 客户机的IP地址.
%T 当前的日期和时间.
%D Name of the domain or workgroup of the current user.
%$(envvar)
The value of the environment variable envar.
The following substitutes apply only to some configuration options(only those that are used when a connection has been estab‐
lished):
%S 当前服务名
%P 当前服务的根目录
%u 当前服务的用户名
%g %u的用户组名
%H %u所表示的用户的宿主目录
%N tNIS服务器的名字.它从auto.map获得.如果没有用--with-auto-mount选项编译samba,那么它的值和%L相同.
%p 用户宿主目录的路径.它由NIS的auot.map得到.NIS的auot.map入口项被分为"%N:%p".
灵活运用这些置换和其他的smb.conf选项可以做出非常有创造性的事情来.
NAME
Samba支持"名称修正",这样dos和windows客户端就可以使用与8.3格式不一致的文件.也可以用来调整8.3格式文件名的大小写.
有一些选项可以控制名称修正的执行,下面集中列出来.对于缺省情况请看testparm程序的输出结果.
所有这些选项都可以针对每个服务项单独设置(当然也可以设为全局变量).
这些选项是:
mangle case = yes/no
作用是控制是否对不符合缺省写法的名称进行修正.例如,如果设为yes,象"Mail"这样的文件名就会被修正.缺省设置是no.
case sensitive = yes/no
控制文件名是否区分大小写.如果不区分的话,Samba就必须在传递名称时查找并匹配文件名.缺省设置是no.
default case = upper/lower
控制新文件名大小写缺省值.缺省设置是小写.
preserve case = yes/no
控制建新文件时是否用客户所提供的大小写形式,或强制用缺省形式.缺省为yes.
short preserve case = yes/no
控制新建8.3格式的文件名时是全部用大写及合适长度,还是强制用缺省情况.它可以和上面的"preserve case = yes"联用以允许长文件名保持
大小写不变,而短文件名为小写.本项的缺省设置是yes.
缺省情况下,Samba3.0与Windows NT相同,就是不区分大小写但保持大小写形式.
用户名/口令检验中的注意事项 NOTE ABOUT USERNAME/PASSWORD VALIDATION
用 户有多种连接到服务项的方式.服务器按照下面的步骤来确定是否允许客户对指定服务的连接.如果下面步骤全部失败,则拒绝用户的连接请求.如果
某一步通过,余下的检验就不再进行.
如果被请求的服务项设置为guest only = yes,并且,服务运行在共享级安全模式(security = share) ,则跳过1--5步检查.
第一步:
如果客户端提供一对用户名和口令,且这对用户名和口令经unix系统口令程序检验为有效,那么就 以 该 用 户 名 建 立 连 接. 注 意, 这 包 括
用serverservice%username方式传递用户名.
第二步:
如果客户端事先在系统上注册了一个用户名,并且提供了正确的口令,就允许建立连接.
第三步:
根据提供的口令检查客户端的netbios名及以前用过的用户名,如匹配,就允许以该用户名建立连接.
第四步:
如果客户端以前有合法的用户名和口令,并获得了有效的令牌,就允许以该用户名建立连接.
第五步:
如 果 在smb.conf 里 设 置 了"user = "字段,且客户端提供了一个口令,口令经UNIX系统检验,并与"user="字段里某一个用户匹配,那么就允许
以"user="里匹配到的用户名建立连接.如果"user="字段是以@开始,那么该名字会展开为同名组里的用户名列表 .
第六步:
如果这是一个提供给guest用的服务项,那么连接以"guest account ="里给出的用户名建立,而不考虑提供的口令.
fhc2007@fhc2007-desktop:~$ cat /etc/samba/smb.conf
#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
#
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which
# are not shown in this example
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentary and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic
# errors.
#
#======================= Global Settings =======================
[global]
## Browsing/Identification ###
# Change this to the workgroup/NT-domain name your Samba server will part of
workgroup = WORKGROUP
# server string is the equivalent of the NT Description field
server string = %h server (Samba, Ubuntu)
# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
; wins support = no
# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
; wins server = w.x.y.z
# This will prevent nmbd to search for NetBIOS names through DNS.
dns proxy = no
# What naming service and in what order should we use to resolve host names
# to IP addresses
; name resolve order = lmhosts host wins bcast
#### Networking ####
# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
; interfaces = 127.0.0.0/8 eth0
# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself. However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
; bind interfaces only = true
#### Debugging/Accounting ####
# This tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/log.%m
# Cap the size of the individual log files (in KiB).
max log size = 1000
# If you want Samba to only log through syslog then set the following
# parameter to 'yes'.
; syslog only = no
# We want Samba to log a minimum amount of information to syslog. Everything
# should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
# through syslog you should set the following parameter to something higher.
syslog = 0
# Do something sensible when Samba crashes: mail the admin a backtrace
panic action = /usr/share/samba/panic-action %d
####### Authentication #######
# "security = user" is always a good idea. This will require a Unix account
# in this server for every user accessing the server. See
# /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/ServerType.html
# in the samba-doc package for details.
; security = user
# You may wish to use password encryption. See the section on
# 'encrypt passwords' in the smb.conf(5) manpage before enabling.
encrypt passwords = true
# If you are using encrypted passwords, Samba will need to know what
# password database type you are using.
passdb backend = tdbsam
obey pam restrictions = yes
; guest account = nobody
invalid users = root
# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
unix password sync = yes
# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan < for
# sending the correct chat script for the passwd program in Debian Sarge).
passwd program = /usr/bin/passwd %u
passwd chat = *Entersnews*spassword:* %nn *Retypesnews*spassword:* %nn *passwordsupdatedssuccessfully* .
# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
pam password change = yes
# This option controls how nsuccessful authentication attempts are mapped
# to anonymous connections
map to guest = bad user
########## Domains ###########
# Is this machine able to authenticate users. Both PDC and BDC
# must have this setting enabled. If you are the BDC you must
# change the 'domain master' setting to no
#
; domain logons = yes
#
# The following setting only takes effect if 'domain logons' is set
# It specifies the location of the user's profile directory
# from the client point of view)
# The following required a [profiles] share to be setup on the
# samba server (see below)
; logon path = %Nprofiles%U
# Another common choice is storing the profile in the user's home directory
; logon path = %N%Uprofile
# The following setting only takes effect if 'domain logons' is set
# It specifies the location of a user's home directory (from the client
# point of view)
; logon drive = H:
; logon home = %N%U
# The following setting only takes effect if 'domain logons' is set
# It specifies the script to run during logon. The script must be stored
# in the [netlogon] share
# NOTE: Must be store in 'DOS' file format convention
; logon script = logon.cmd
# This allows Unix users to be created on the domain controller via the SAMR
# RPC pipe. The example command creates a user account with a disabled Unix
# password; please adapt to your needs
; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
########## Printing ##########
# If you want to automatically load your printer list rather
# than setting them up individually then you'll need this
; load printers = yes
# lpr(ng) printing. You may wish to override the location of the
# printcap file
; printing = bsd
; printcap name = /etc/printcap
# CUPS printing. See also the cupsaddsmb(8) manpage in the
# cupsys-client package.
; printing = cups
; printcap name = cups
############ Misc ############
# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
; include = /home/samba/etc/smb.conf.%m
# Most people will find that this option gives better performance.
# See smb.conf(5) and /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/speed.html
# for details
# You may want to add the following on a Linux system:
# SO_RCVBUF=8192 SO_SNDBUF=8192
socket options = TCP_NODELAY
# The following parameter is useful only if you have the linpopup package
# installed. The samba maintainer and the linpopup maintainer are
# working to ease installation and configuration of linpopup and samba.
; message command = /bin/sh -c '/usr/bin/linpopup "%f" "%m" %s; rm %s' &
# Domain Master specifies Samba to be the Domain Master Browser. If this
# machine will be configured as a BDC (a secondary logon server), you
# must set this to 'no'; otherwise, the default behavior is recommended.
; domain master = auto
# Some defaults for winbind (make sure you're not using the ranges
# for something else.)
; idmap uid = 10000-20000
; idmap gid = 10000-20000
; template shell = /bin/bash
# The following was the default behaviour in sarge,
# but samba upstream reverted the default because it might induce
# performance issues in large organizations.
# See Debian bug #368251 for some of the consequences of *not*
# having this setting and smb.conf(5) for details.
; winbind enum groups = yes
; winbind enum users = yes
# Setup usershare options to enable non-root users to share folders
# with the net usershare command.
# Maximum number of usershare. 0 (default) means that usershare is disabled.
; usershare max shares = 100
# Allow users who've been granted usershare privileges to create
# public shares, not just authenticated ones
usershare allow guests = yes
#======================= Share Definitions =======================
# Un-comment the following (and tweak the other settings below to suit)
# to enable the default home directory shares. This will share each
# user's home directory as serverusername
;[homes]
; comment = Home Directories
; browseable = no
# By default, the home directories are exported read-only. Change the
# next parameter to 'no' if you want to be able to write to them.
; read only = yes
# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
; create mask = 0700
# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
; directory mask = 0700
# By default, serverusername shares can be connected to by anyone
# with access to the samba server. Un-comment the following parameter
# to make sure that only "username" can connect to serverusername
# This might need tweaking when using external authentication schemes
; valid users = %S
# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
;[netlogon]
; comment = Network Logon Service
; path = /home/samba/netlogon
; guest ok = yes
; read only = yes
; share modes = no
# Un-comment the following and create the profiles directory to store
# users profiles (see the "logon path" option above)
# (you need to configure Samba to act as a domain controller too.)
# The path below should be writable by all users so that their
# profile directory may be created the first time they log on
;[profiles]
; comment = Users profiles
; path = /home/samba/profiles
; guest ok = no
; browseable = no
; create mask = 0600
; directory mask = 0700
[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
guest ok = no
read only = yes
create mask = 0700
# Windows clients look for this share name as a source of downloadable
# printer drivers
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no
# Uncomment to allow remote administration of Windows print drivers.
# Replace 'ntadmin' with the name of the group your admin users are
# members of.
; write list = root, @ntadmin
# A sample share for sharing your CD-ROM with others.
;[cdrom]
; comment = Samba server's CD-ROM
; read only = yes
; locking = no
; path = /cdrom
; guest ok = yes
# The next two parameters show how to auto-mount a CD-ROM when the
# cdrom share is accesed. For this to work /etc/fstab must contain
# an entry like this:
#
# /dev/scd0 /cdrom iso9660 defaults,noauto,ro,user 0 0
#
# The CD-ROM gets unmounted automatically after the connection to the
#
# If you don't want to use auto-mounting/unmounting make sure the CD
# is mounted on /cdrom
#
; preexec = /bin/mount /cdrom
; postexec = /bin/umount /cdrom