• Configure Samba for a Workgroup in the local LAN (openSUSE Leap 42.1 et al)

    Introduction: This article shows how to configure Samba to share files to a Workgroup in the local LAN, and to receive files from other members of the Workgroup. Here is a list of topics covered:

    • Installation
    • The Samba configuration file
    • Make a copy (backup) of the default Samba config file
    • Reconfigure the [global] Stanza for use in a Workgroup
    • How to edit root-owned files like smb.conf
    • How to blank out unwanted Shares
    • How to Set up a Roaming Share (to share your personal Linux home files)
    • Create Credentials to allow access to Secure Shares (like the [homes] share)
    • How to Set up a specific secure Share for one user
    • How to Set up an insecure Share with Guest access for all users on the LAN
    • Configure the Firewall for Samba
    • Activate the Samba daemons
    • Modify the file nsswitch.conf to help Linux respond to pings from Windows
    • Comments


    Installation: Samba is usually installed by default. You can check that it exists with this console command:
    Code:
    rpm  -qa | grep samba
    A list of RPMs containing the word "samba" should appear in the console interface. If not, then you need to install Samba, perhaps using Yast:

    Go to Yast ==> Software ==> Software Management.
    Search on samba and select to install samba, samba-client, samba-winbind, yast2-samba-server, yast2-samba-client.
    Also search on cifs to install cifs-utils.
    When you execute the installation, quite a few samba-based dependencies will come along too.


    The Samba configuration file (smb.conf located at /etc/samba/smb.conf)
    Code:
    [global]
        workgroup = WORKGROUP
        passdb backend = tdbsam
        printing = cups
        printcap name = cups
        printcap cache time = 750
        cups options = raw
        map to guest = Bad User
        include = /etc/samba/dhcp.conf
        logon path = \\%L\profiles\.msprofile
        logon home = \\%L\%U\.9xprofile
        logon drive = P:
        usershare allow guests = Yes
    [homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes
    [profiles]
        comment = Network Profiles Service
        path = %H
        read only = No
        store dos attributes = Yes
        create mask = 0600
        directory mask = 0700
    [users]
        comment = All users
        path = /home
        read only = No
        inherit acls = Yes
        veto files = /aquota.user/groups/shares/
    [groups]
        comment = All groups
        path = /home/groups
        read only = No
        inherit acls = Yes
    [printers]
        comment = All Printers
        path = /var/tmp
        printable = Yes
        create mask = 0600
        browseable = No
    [print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        write list = @ntadmin root
        force group = ntadmin
        create mask = 0664
        directory mask = 0775


    The behaviour of Samba shares is controlled (almost entirely) by the constructs in the configuration file smb.conf located in the directory /etc/samba. The file shown above is a copy of the smb.conf file in openSUSE Leap 42.1. It doesn't vary much from one distro to the next, so this article should endure over time.

    The file is separated into so-called stanzas. The topmost stanza [global] contains the overarching instructions for all the samba shares. FYI the indents are totally unnecessary (just there for ease of reading).

    The series of stanzas underneath the [global] stanza each control one share. There are six such shares in the default configuration file, much more than most people would need. The six shares are included as templates and not intended to be "switched on" by all users.

    The first task, then, is to rationalise the broad-based samba configuration file. This follows next.

    Make a copy (backup) of the default Samba config file.

    I always reserve a copy (backup) of the default config file as a handy reference re syntax of various bits and pieces. Occasionally I have needed to restore the original and start again.

    Run this console command to make an exact replica of the default file (except it will have the extension .original to differentiate it from the working/active file):
    Code:
    sudo cp /etc/samba/smb.conf    /etc/samba/smb.conf.original

    Reconfigure the [global] Stanza for use in a Workgroup

    Code:
    [global]
      workgroup = WORKGROUP
      passdb backend = tdbsam
      printing = cups
      printcap name = cups
      printcap cache time = 750
      cups options = raw
      map to guest = Bad User
      include = /etc/samba/dhcp.conf
      logon path = \\%L\profiles\.msprofile
      logon home = \\%L\%U\.9xprofile
      logon drive = P:
      usershare allow guests = Yes

    Code:
    [global]
      workgroup = WORKGROUP
      netbios name = some appropriate name
      server string = ""
      name resolve order = bcast host lmhosts wins
      local master = yes
      preferred master = yes
      os level = 65
      passdb backend = tdbsam
      printing = cups
      printcap name = cups
      printcap cache time = 750
      cups options = raw
      map to guest = Bad User
      usershare allow guests = Yes


    The first extract above is the default and the second is the workgroup-oriented version. In particular I have tweaked network "name resolution", and one or two smaller issues.

    In the workgroup-oriented version you must consider four of the lines and perhaps alter them to suit your particular situation. These lines:
    1. workgroup = WORKGROUP
    2. netbios name = some appropriate name
    3. server string = ""
    4. preferred master = yes

    Here's what to do with them:

    For #1: Check the name of the Workgroup as defined in the Windows and Linux computers in your LAN. They must be identical. So alter the first of the four lines appropriately.

    For #2: The NetBios name will attach itself to the Icon representing your Linux server in the Network Browsers. So alter "some appropriate name" to a name of your choice (it can be a phrase).

    For #3: The Server String is attached to servers (in addition to the Netbios Names) when running various "net" views of servers (e.g. put some words in there, reboot Linux, and then run the command-line net view in Windows, or the command smbtree -SN in Linux, to see the string). For most cases the null name ( "" ) is adequate if netbios is switched on (as it is here). Normally you would accept this line as is.

    For #4: The preferred master is set to yes if this is the only sharing Linux computer in the Workgroup. If you have similarly configured Linux Samba members in the Workgroup, you would set your preferred member to yes and the others to be auto (in the workgroup-oriented version). If this confuses you, set them all to auto.

    How to edit root-owned files like smb.conf

    The files that need to be modified in this tutorial belong to root, so root powers are needed to edit them. I'll exemplify that by editing the file nsswitch.conf, which needs to be altered to make a Linux host responsive to pings-by-name from Windows machines.

    To edit it in KDE run this console command:
    Code:
    kdesu kwrite /etc/nsswitch.conf
    To edit it in Gnome run this console command:
    Code:
    gnomesu gedit /etc/nsswitch.conf
    Open smb.conf the same way, substituting /etc/samba/smb.conf for /etc/nsswitch.conf in the command. Once you have the file open you can use a simple copy/paste process to change the [global] stanza. Use "copy" to get the text from the workgroup-oriented [global] code I placed above and paste it over the contents of the [global] stanza you see in your smb.conf file. Then use File ==> Save to store the edited smb.conf file. Be sure to alter, if necessary, the four lines I have set out above.

    How to blank out unwanted Shares

    The default config file contains six [stanzas] that broadcast "shares" when you switch on the Samba daemons. They have been put there as templates, for reference purposes. You will certainly not need them all. Here are two handy methods for blocking out the ones you don't need. Start by running the kdesu-or-gnomesu method to edit the file, then:
    1. either simply delete any unwanted stanzas completely
    2. or put a # (hash) at the front of the [stanza] and the lines that belong to that stanza.

    Here's a before and after view of a hashed-out stanza:

    Code:
    [users]
        comment = All users
        path = /home
        read only = No
        inherit acls = Yes
        veto files = /aquota.user/groups/shares/

    Code:
    #[users]
    #   comment = All users
    #   path = /home
    #   read only = No
    #   inherit acls = Yes
    #   veto files = /aquota.user/groups/shares/


    If you need to restore a deleted or blocked [stanza] at a later time, for method 1 you can copy the full stanza from the backup file and paste it back into the working file, and for method 2 you can simply delete the hashes you have installed to block the stanza.

    I recommend the first version because it's very simple to delete a stanza and just as simple to paste it back from the backup file. IMHO the #-blocker method is messy.

    How to Set up a Roaming Share (to share your personal Linux home files)

    This share allows access to your Linux home file-system, entirely, e.g. if your Linux username is angetina, then the directory tree located at /home/angetina will be available, with full read/write permissions. It's called "roaming" because you can roam around the LAN and access your home on the Linux server from all computers (whether from windows or Linux). You need to supply your Linux username and Samba password to access the share (see next section about these credentials).

    Once you replace the [homes] stanza underneath the [global] stanza, like the example below, and reboot the Linux computer, then the [homes] share will be accessible (but only to you).

    Code:
    [homes]
    	comment = Home Directories
    	valid users = %S, %D%w%S
    	browseable = No
    	read only = No
    	inherit acls = Yes


    In Windows you can sometimes see the share as an icon named for your Linux username. Whether you see the icon depends on your transaction history with the server earlier that session. If you can see it, drill down into the share. If you can't see it then use an address like this in the Windows network browser: \\NetbiosName\linux_username.

    On the linux client you do not initially see the share as an icon as you sometimes do in Windows. Instead you always address the share in your browser by its netBIOS name; e.g. smb://NetbiosName/linux_username. You can use the IP address instead of "NetbiosName" in the address line. This is a fine share for users who like to keep their work on one server but access it from many machines.

    Create Credentials to allow access to Secure Shares (like the [homes] share)

    Samba maintains a list of credentials for Samba users. You can only add users into the Samba user database if they already exist as Linux users on the server. You can use any password you like as the Samba password; it does not have to be the same as the user's Linux Logon password. A username's Samba password must exist in the Samba user database before that user can access a secure share like the roaming share above or william's more specific share outlined in the next section below.

    To check who's already in the database, run this terminal command:
    Code:
     sudo pdbedit -L
    To add members, e.g. angetina, issue this command in a terminal:
    Code:
    sudo smbpasswd -a angetina
    To remove members, e.g. william, issue this command:
    Code:
    sudo smbpasswd -x william

    How to Set up a specific secure Share for one user

    Scenario: A Linux user with username william creates and shares a specific directory (e.g. named shared_directory) at location /path_to/shared_directory. The intention is that only the users who know the username "william" and the associated Samba password can access the share.

    Code:
    [WilliamsShare]
        path = /path_to/shared_directory
        valid users = william
        read only = No
        force user = william



    The shared_directory can be anywhere in the normal Linux file system. User william has added a password in the Samba database. The directory should be made by user william (or chown ownership over to william). The [stanza] above will enable william (and only william) to access the shared directory from within the LAN.


    How to Set up an insecure Share with Guest access for all users on the LAN

    Scenario: A Linux user with username william creates and shares a specific directory (e.g. named shared_directory) at location /path_to/shared_directory. The intention is that every person who accesses the LAN can access the files in the directory without needing any credentials.

    Code:
    [WilliamsShare]
        path = /path_to/shared_directory
        guest OK = yes
        read only = No
        force user = william


    The shared_directory can be anywhere in the normal Linux file system. The directory should be made by user william (or chown ownership over to william). The [stanza] above will enable everyone to access the shared directory from within the LAN and create, edit or delete files inside.
    Compare the coding of these two shares: only one line was changed to achieve the guest access (change valid users = william to guest OK = yes).
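
Because a single line separates the secure share from the guest share, it is worth checking which stanzas are still active after editing and which of them anyone on the LAN can write to. The script below is an added example, not part of the original article: it parses smb.conf-style text and summarises each share. SAMPLE is constructed from the stanzas shown in this article, and [PublicShare] is a hypothetical name for the guest variant.

```python
# Added example, not from the original article: summarise who can reach each share.
# SAMPLE is constructed from the stanzas above; [PublicShare] is a hypothetical name.
SAMPLE = """\
[global]
  map to guest = Bad User
#[users]
#   path = /home
[WilliamsShare]
  path = /path_to/shared_directory
  valid users = william
  read only = No
[PublicShare]
  path = /path_to/shared_directory
  guest OK = yes
  read only = No
"""
YES = ("yes", "true", "1")  # boolean spellings Samba accepts for "on"

def parse_smb_conf(text):
    """Return {stanza: {parameter: value}}; lines starting with # or ; are comments."""
    stanzas, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Samba ignores case and whitespace inside parameter names.
            current["".join(key.split()).lower()] = value.strip()
    return stanzas

def audit_shares(text):
    """Map every active share (each stanza except [global]) to an access summary."""
    report = {}
    for name, params in parse_smb_conf(text).items():
        if name.lower() == "global":
            continue
        guest = params.get("guestok", params.get("public", "no")).lower() in YES
        # "read only" defaults to yes; the inverted synonym "writeable" is not handled.
        writable = params.get("readonly", "yes").lower() not in YES
        report[name] = {"guest": guest, "writable": writable,
                        "valid_users": params.get("validusers", ""),
                        "path": params.get("path")}
    return report

if __name__ == "__main__":
    for share, info in audit_shares(SAMPLE).items():
        label = "guest-writable" if info["guest"] and info["writable"] else "no guest write"
        print(label, share, info)
```

A share whose "path" comes back as None has lost its path = line, and the hashed-out [users] stanza does not appear in the report at all. On a live system, Samba's own testparm -s prints the configuration as the server parses it.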


    Configure the Firewall for Samba

    Use Yast to configure the Firewall:

    Set your network interface: Go To Yast ==> Security & users ==> Firewall ==> Interfaces ==> set network Device to External.

    Set your network services: Go To Yast ==> Security & users ==> Firewall ==> Allowed Services ==> set these allowed services: Netbios server, Samba client, Samba server.


    Activate the Samba daemons

    You can turn Samba on permanently in Yast (and if you like, turn it off there too).

    Go To Yast ==> System ==> Services ==> locate/scroll to nmb (Samba NMB daemon) ==> set to "enabled" and "active".

    And similarly for smb, at the same time use the same method to set the smb daemon to "enabled" and "active".


    Modify the file nsswitch.conf to help Linux respond to pings from Windows

    The file nsswitch.conf resides on the path /etc/nsswitch.conf. Edit the file using the root-based method I described above, using e.g. gnomesu or kdesu.

    Locate the following line:
    Code:
    hosts:      files  mdns_minimal  [NOTFOUND=return]  dns
    Change it to this:
    Code:
    hosts:      files  mdns_minimal  [NOTFOUND=return]  dns  wins
    Then save it back to the original (File ==> Save).

    Comments and questions

    I've provided for comments and questions to this thread in the Network Forum: https://forums.opensuse.org/showthre...-the-local-LAN