Obviously the specifics of how things are set up will depend a lot on how your systems are set up and what you want. I will tell you about my network, what I have set up at this time and why and how I did it. Hopefully if enough of us list what we have set up and why and how, you will get some good suggestions that you can use.
While I have used this same basic setup in an office setting before, I currently work from home and find that the users there seem to be even more of a pain in the neck and demanding that things work smoothly.
I have a screening router that sits just inside my Internet connection. It is connected directly to a router/server. This router/server is connected to two networks. One (192.168.1.0) houses two main Windows work computers (one XP Home and the other XP Pro) as well as, at various times, laptops, test machines, a TiVo, and family and friends' computers I may be in the process of restoring, cleaning, troubleshooting, etc...
The second (192.168.2.0) (while not really important to this story) is strictly for my phone system. It contains its own mini-switch, an Asterisk server / router and currently one 2-port phone adapter (Sipura SPA 2000). The Asterisk server / router also connects out to my screening router to provide a clean path to the world for VoIP phone calls.
The main focus of Samba for me is to allow access to 'important' data from any machine on my network. Among other things, I have a share for my music, my home website, my web photo gallery, and commonly installed programs. This allows me to do important things such as playing my music or dropping new pictures from my digital camera directly onto my web site, from any machine. One of the more important things it does is let me keep handy anti-spam software, e-mail clients, up-to-date browsers, etc... for installation onto fresh machines. This allows me to keep the newly installed or restored machines from having to visit the Internet until after I have installed a few basic tools. Granted, they still have access to it, and if my firewalls let an attack through then the machine is hosed anyway, but at least I do not have to send the machine out looking for trouble.
One thing that keeps me from using Samba to store 'live data' (my browser bookmarks, often-used OpenOffice documents, etc...) is that, for my main contract, I have to use a VPN. My client will not activate split tunneling on this service. In effect this means that as long as I am working, every packet my machine sends out travels through the tunnel over the Internet to my client's server and then out to the Internet. Since I do not allow Samba access from the Internet (not to mention that it would be very slow), I am shut out.
Enough BS already! Show me the configs!
OK, after a base install of Samba in Debian testing (called 'etch' now) I made a few changes to the base config. Actually I renamed it to smb.conf.old and started fresh. I have attached my working config file for you to look over.
Here are a few notes from that file.
- encrypt passwords = yes
  - This is the default in Windows. Without this, Windows will encrypt and Samba will not, which means that the passwords will never match when you try to log in.
- wins support = yes
  - This makes Samba a WINS server, whereas 'wins server =' makes it use an existing server on your network.
- server string = %h server (Samba %v)
  - This is a small description of the server. %h = hostname, %v = version.
- socket options = IPTOS_LOWDELAY TCP_NODELAY SO_SNDBUF=4096 SO_RCVBUF=4096
  - Not 100% sure what this does. I could look up what each of the flags are (they look fairly self explanatory) but have not done so. I found it as a suggestion on a web page somewhere so I tried it. Shares seem to be faster but that may just be in my head.
- [homes]
  - This section lists the defaults for the home directories. For instance, when I log in I have a share called james that points to my home directory on the Samba server. This is automatic. If somebody else logs in, their home directory will be available.
- [CD Tower]
  - This is the start of a CD tower. Pretty much what you do is rip ISOs of your CD-ROMs and then mount them and share them. This can eliminate having to schlep CDs all over the place.
- In general (as you can see) you put the name of the share in brackets, [whatever], and below that you have a 'path = ' statement that points to a location on your Samba server that will be displayed when a Windows user visits the share. You can then provide options such as 'read only', whether or not this share is browseable in Network Neighborhood, 'comment =' for a comment that will show up in Windows when you browse the share, etc...
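Since the attached config file is not reproduced here, the following is an added example (my own, not the author's file) of an smb.conf that pulls the notes above together, including the per-share 'hosts allow' / 'hosts deny' restriction mentioned further down. The workgroup name, share paths, addresses and the Samba 3-style smbpasswd backend are assumptions.

```ini
[global]
   workgroup = WORKGROUP                  # assumed workgroup name
   server string = %h server (Samba %v)
   encrypt passwords = yes
   wins support = yes
   # listen only on the workstation LAN and loopback, never the side facing
   # the screening router / Internet
   interfaces = 192.168.1.0/24 lo
   bind interfaces only = yes
   socket options = IPTOS_LOWDELAY TCP_NODELAY SO_SNDBUF=4096 SO_RCVBUF=4096
   # default for every share: only the LAN and loopback may connect
   hosts allow = 192.168.1. 127.
   hosts deny = ALL
   # flat smbpasswd file, populated with 'smbpasswd -a <user>'
   passdb backend = smbpasswd
   smb passwd file = /etc/samba/smbpasswd

[homes]
   comment = Home directory
   browseable = no
   read only = no
   valid users = %S            # only the owner of the home directory
   create mask = 0600
   directory mask = 0700

[music]
   comment = Music collection
   path = /srv/samba/music     # assumed path
   read only = yes

[install]
   comment = Installers for fresh machines (anti-spam, mail clients, browsers)
   path = /srv/samba/install   # assumed path
   read only = yes
   # per-share override: if an address appears in BOTH lists, hosts allow wins,
   # so .10 and .11 get in while the rest of 192.168.1. is refused on this share
   hosts allow = 192.168.1.10 192.168.1.11
   hosts deny = 192.168.1.

[CD Tower]
   comment = Mounted CD-ROM images
   path = /srv/samba/cdtower   # assumed mount point for the ripped ISOs
   read only = yes
```

Check the file with testparm before restarting Samba; it reports unknown parameters and shows the effective value of every share.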
At this point I used smbpasswd to create users and passwords that matched our (my wife and I) Windows logins. You may want to do that as well (I will send you our requested login names and passwords...just kidding, obviously substitute your users for my wife and I) or just create a single tech login.
If you are going to want to make use of the automatic home dirs, you may want to create individual users on your Linux box for each of the people you want to have access to the shares and then run:
- cat /etc/passwd | mksmbpasswd.sh > /etc/samba/smbpasswd
  - This makes a Samba user for each of your Linux users and sets their password.
  - This can be put into a cron file so that new users are set up automatically.
  - In theory you can also use the pam_smbpass PAM module to keep Samba and Unix passwords in sync, but I never have.
Now that everything is set up, run /etc/init.d/samba restart ('reload' should work but I feel better with a full restart).
You are all set. That gets your directories shared from Linux to Windows.
To back up the directories, either map them as a drive and back them up using your existing backup solution (probably the simplest, but it will cause a big draw on the network since you are pulling all of that data from the server to your computer and from there to the backup server), or do it locally. I have a script that runs in cron and zips all the files up and stashes them away on another drive.
This keeps the backup process local but may not be as integrated with your existing system as you would like.
If you decide to use this script, please read it and change it before you do. I have it removing last night's backups before it starts the backup process for tonight. The drive that I am backing up to is very small and will not hold more than one night's backups. This is an acceptable risk for me since I would have to lose the originals and then run into a problem that hosed the backups, which are on a separate drive. This is probably not enough insurance in a production environment.
I plan to rework this script anyway since, as it sits, if my originals were erased, this backup script would dump my only backups before running a backup of the empty directories. I may rdist or scp last night's backups to another machine, but I am not sure yet.
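The author's cron script is not reproduced here; the following is an added example (mine, not the author's) of the reworked version described above: it refuses to run when a source directory is missing or empty, and only drops last night's archive after tonight's has been written and verified. The share paths and destination are assumptions.

```bash
#!/bin/sh
# Added example, not the author's script. Nightly Samba share backup that
# never deletes the previous archive before the new one is known to be good.
set -eu

# Assumed defaults; override via environment or arguments.
SRC_DIRS="${SRC_DIRS:-/srv/samba/music /srv/samba/website /home}"
DEST="${DEST:-/mnt/backup}"

# Return 0 only if every source directory exists and holds at least one file.
# An empty share is treated as "originals lost", not as "nothing to back up".
sources_look_sane() {
    for d in $1; do
        [ -d "$d" ] || return 1
        [ -n "$(find "$d" -type f 2>/dev/null | head -n 1)" ] || return 1
    done
    return 0
}

# run_backup "<space separated source dirs>" <dest dir>
# Writes dest/samba-backup.tar.gz, keeping the old one until the new one
# passes gzip -t. Prints the archive path; non-zero exit on any failure.
run_backup() {
    src="$1"; dest="$2"
    final="$dest/samba-backup.tar.gz"
    tmp="$final.new"
    sources_look_sane "$src" || {
        echo "refusing to back up: a source directory is missing or empty" >&2
        return 2
    }
    mkdir -p "$dest"
    rm -f "$tmp"
    tar -czf "$tmp" $src 2>/dev/null      # leading '/' stripped from member names
    gzip -t "$tmp"                        # abort (set -e) if the archive is bad
    if [ -e "$final" ]; then
        mv "$final" "$final.prev"          # keep last night's until the swap is done
    fi
    mv "$tmp" "$final"
    rm -f "$final.prev"                   # small drive: now it is safe to drop it
    echo "$final"
}
```

Run it from cron as `SRC_DIRS="..." DEST=/mnt/backup sh backup.sh` or call run_backup with explicit arguments; copying the finished archive to a second machine with scp afterwards is a separate step.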
The above works great for me. The biggest problem you may run into is users wanting to change their own passwords. I have seen samples online that show how to handle this but I have never had to implement them.
My example restricts Samba to specific networks using the interfaces option. You may want to get more specific with a per-share 'allow hosts = ip address/subnet mask' and / or 'deny hosts = ip address/subnet mask'; just remember that if you use both, 'allow hosts' wins out. So if you list the same address in both, it will be allowed in to that share.
Since I run such a mix of machines and have a VPN issue, I am unable to fully use Samba in the following way, but it may help others. Samba can act as a domain master and dole out login scripts, passwords, roaming profiles, etc... I have never used these features, but once you have this basic setup working you could continue to experiment if need be.
Samba will also work great as a print server. This is also something I do not have any direct experience with; however, the shares look about the same as for a directory, so if you can set up a printer in Linux, it should not be a big deal to share it.
I am sorry that this got so long-winded. I hope it helped and was somewhat clear. It is almost 4am so I will read this later today and probably not be able to understand it myself.
If you have specific questions or if somebody wants to take issue with the way I did things, please, comment below. That is the best way to learn.
- 06 Jul 2005