Проверка smb conf на ошибки

3.1.1. The Samba services

smbd

This service provides file sharing and printing services using the SMB protocol. Additionally, the service is responsible for resource locking and for authenticating connecting users. For authenticating domain members, smbd requires winbindd. The smb systemd service starts and stops the smbd daemon.

To use the smbd service, install the samba package.

nmbd

This service provides host name and IP resolution using the NetBIOS over IPv4 protocol. Additionally to the name resolution, the nmbd service enables browsing the SMB network to locate domains, work groups, hosts, file shares, and printers. For this, the service either reports this information directly to the broadcasting client or forwards it to a local or master browser. The nmb systemd service starts and stops the nmbd daemon.

Note that modern SMB networks use DNS to resolve clients and IP addresses. For Kerberos a working DNS setup is required.

To use the nmbd service, install the samba package.

winbindd

This service provides an interface for the Name Service Switch (NSS) to use AD or NT4 domain users and groups on the local system. This enables, for example, domain users to authenticate to services hosted on a Samba server or to other local services. The winbind systemd service starts and stops the winbindd daemon.

If you set up Samba as a domain member, winbindd must be started before the smbd service. Otherwise, domain users and groups are not available to the local system..

To use the winbindd service, install the samba-winbind package.

Red Hat only supports running Samba as a server with the winbindd service to provide domain users and groups to the local system. Due to certain limitations, such as missing Windows access control list (ACL) support and NT LAN Manager (NTLM) fallback, SSSD is not supported.

3.1.2. The Samba security services

On an AD domain member, set security = ads

In this mode, Samba uses Kerberos to authenticate AD users.

For details about setting up Samba as a domain member, see Setting up Samba as an AD domain member server.

On a standalone server, set security = user

In this mode, Samba uses a local database to authenticate connecting users.

For details about setting up Samba as a standalone server, see Setting up Samba as a standalone server.

On an NT4 PDC or BDC, set security = user

In this mode, Samba authenticates users to a local or LDAP database.

On an NT4 domain member, set security = domain

In this mode, Samba authenticates connecting users to an NT4 PDC or BDC. You cannot use this mode on AD domain members.

For details about setting up Samba as a domain member, see Setting up Samba as an AD domain member server.

Additional resources

• security parameter in the smb.conf(5) man page

3.1.3. Scenarios when Samba services and Samba client utilities load and reload their configuration

• Samba services reload their configuration:

  • Automatically every 3 minutes
  • On manual request, for example, when you run the smbcontrol all reload-config command.
• Samba client utilities read their configuration only when you start them.

Additional resources

• The How configuration changes are applied section in the smb.conf(5) man page
• The smbd(8), nmbd(8), and winbindd(8) man pages

3.1.4. Editing the Samba configuration in a safe way

Prerequisites

• Samba is installed.

Procedure

1. Create a copy of the /etc/samba/smb.conf file:

   # cp /etc/samba/smb.conf /etc/samba/samba.conf.copy

2. Edit the copied file and make the desired changes.

3. Verify the configuration in the /etc/samba/samba.conf.copy file:

   # testparm -s /etc/samba/samba.conf.copy

   If testparm reports errors, fix them and run the command again.

4. Override the /etc/samba/smb.conf file with the new configuration:

   # mv /etc/samba/samba.conf.copy /etc/samba/smb.conf

5. Wait until the Samba services automatically reload their configuration or manually reload the configuration:

   # smbcontrol all reload-config

3.3.1. Setting up the server configuration for the standalone server

Procedure

1. Install the samba package:

   # yum install samba

2. Edit the /etc/samba/smb.conf file and set the following parameters:

   [global]
   	workgroup = Example-WG
   	netbios name = Server
   	security = user
   
   	log file = /var/log/samba/%m.log
   	log level = 1

   This configuration defines a standalone server named Server within the Example-WG work group. Additionally, this configuration enables logging on a minimal level (1) and log files will be stored in the /var/log/samba/ directory. Samba will expand the %m macro in the log file parameter to the NetBIOS name of connecting clients. This enables individual log files for each client.

3. Optionally, configure file or printer sharing. See:

   • Setting up a share that uses POSIX ACLs
   • Setting up a share that uses Windows ACLs
   • Setting up Samba as a Print Server

4. Verify the /etc/samba/smb.conf file:

   # testparm

5. If you set up shares that require authentication, create the user accounts.

   For details, see Creating and enabling local user accounts.

6. Open the required ports and reload the firewall configuration by using the firewall-cmd utility:

   # firewall-cmd --permanent --add-service=samba
   # firewall-cmd --reload

7. Enable and start the smb service:

   # systemctl enable --now smb

Additional resources

• smb.conf(5) man page

3.3.2. Creating and enabling local user accounts

Prerequisites

• Samba is installed and configured as a standalone server.

Procedure

1. Create the operating system account:

   # useradd -M -s /sbin/nologin example

   This command adds the example account without creating a home directory. If the account is only used to authenticate to Samba, assign the /sbin/nologin command as shell to prevent the account from logging in locally.

2. Set a password to the operating system account to enable it:

   # passwd example
   Enter new UNIX password: password
   Retype new UNIX password: password
   passwd: password updated successfully

   Samba does not use the password set on the operating system account to authenticate. However, you need to set a password to enable the account. If an account is disabled, Samba denies access if this user connects.

3. Add the user to the Samba database and set a password to the account:

   # smbpasswd -a example
   New SMB password: password
   Retype new SMB password: password
   Added user example.

   Use this password to authenticate when using this account to connect to a Samba share.

4. Enable the Samba account:

   # smbpasswd -e example
   Enabled user example.

3.4.1. Planning Samba ID ranges

Example 3.1. Unique ID Ranges

[global]
...
idmap config * : backend = tdb
idmap config * : range = 10000-999999

idmap config AD-DOM:backend = rid
idmap config AD-DOM:range = 2000000-2999999

idmap config TRUST-DOM:backend = rid
idmap config TRUST-DOM:range = 4000000-4999999

You can only assign one range per domain. Therefore, leave enough space between the domains ranges. This enables you to extend the range later if your domain grows.

If you later assign a different range to a domain, the ownership of files and directories previously created by these users and groups will be lost.

3.4.2. The * default domain

• The domain the Samba server is a member of
• Each trusted domain that should be able to access the Samba server

• Local Samba users and groups
• Samba built-in accounts and groups, such as BUILTINAdministrators

tdb

When you configure the default domain to use the tdb back end, set an ID range that is big enough to include objects that will be created in the future and that are not part of a defined domain ID mapping configuration.

For example, set the following in the [global] section in the /etc/samba/smb.conf file:

idmap config * : backend = tdb
idmap config * : range = 10000-999999

For further details, see Using the TDB ID mapping back end.

autorid

When you configure the default domain to use the autorid back end, adding additional ID mapping configurations for domains is optional.

For example, set the following in the [global] section in the /etc/samba/smb.conf file:

idmap config * : backend = autorid
idmap config * : range = 10000-999999

For further details, see Using the autorid ID mapping back end.

3.4.3. Using the tdb ID mapping back end

3.4.4. Using the ad ID mapping back end

• All user and group settings are stored centrally in AD.
• User and group IDs are consistent on all Samba servers that use this back end.
• The IDs are not stored in a local database which can corrupt, and therefore file ownerships cannot be lost.

Prerequisites

• Both users and groups must have unique IDs set in AD, and the IDs must be within the range configured in the /etc/samba/smb.conf file. Objects whose IDs are outside of the range will not be available on the Samba server.
• Users and groups must have all required attributes set in AD. If required attributes are missing, the user or group will not be available on the Samba server. The required attributes depend on your configuration. .Prerequisites
• You installed Samba.
• The Samba configuration, except ID mapping, exists in the /etc/samba/smb.conf file.

Procedure

1. Edit the [global] section in the /etc/samba/smb.conf file:

   1. Add an ID mapping configuration for the default domain (*) if it does not exist. For example:

      idmap config * : backend = tdb
      idmap config * : range = 10000-999999

   2. Enable the ad ID mapping back end for the AD domain:

      idmap config DOMAIN : backend = ad

   3. Set the range of IDs that is assigned to users and groups in the AD domain. For example:

      idmap config DOMAIN : range = 2000000-2999999

      The range must not overlap with any other domain configuration on this server. Additionally, the range must be set big enough to include all IDs assigned in the future. For further details, see Planning Samba ID ranges.

   4. Set that Samba uses the RFC 2307 schema when reading attributes from AD:

      idmap config DOMAIN : schema_mode = rfc2307

   5. To enable Samba to read the login shell and the path to the users home directory from the corresponding AD attribute, set:

      idmap config DOMAIN : unix_nss_info = yes

      Alternatively, you can set a uniform domain-wide home directory path and login shell that is applied to all users. For example:

      template shell = /bin/bash
      template homedir = /home/%U

   6. By default, Samba uses the primaryGroupID attribute of a user object as the user’s primary group on Linux. Alternatively, you can configure Samba to use the value set in the gidNumber attribute instead:

      idmap config DOMAIN : unix_primary_group = yes

2. Verify the /etc/samba/smb.conf file:

   # testparm

3. Reload the Samba configuration:

   # smbcontrol all reload-config

Additional resources

• The * default domain
• smb.conf(5) and idmap_ad(8) man pages
• VARIABLE SUBSTITUTIONS section in the smb.conf(5) man page

3.4.5. Using the rid ID mapping back end

Benefits of using the rid back end

• All domain users and groups that have an RID within the configured range are automatically available on the domain member.
• You do not need to manually assign IDs, home directories, and login shells.

Drawbacks of using the rid back end

• All domain users get the same login shell and home directory assigned. However, you can use variables.
• User and group IDs are only the same across Samba domain members if all use the rid back end with the same ID range settings.
• You cannot exclude individual users or groups from being available on the domain member. Only users and groups outside of the configured range are excluded.
• Based on the formulas the winbindd service uses to calculate the IDs, duplicate IDs can occur in multi-domain environments if objects in different domains have the same RID.

Prerequisites

• You installed Samba.
• The Samba configuration, except ID mapping, exists in the /etc/samba/smb.conf file.

Procedure

1. Edit the [global] section in the /etc/samba/smb.conf file:

   1. Add an ID mapping configuration for the default domain (*) if it does not exist. For example:

      idmap config * : backend = tdb
      idmap config * : range = 10000-999999

   2. Enable the rid ID mapping back end for the domain:

      idmap config DOMAIN : backend = rid

   3. Set a range that is big enough to include all RIDs that will be assigned in the future. For example:

      idmap config DOMAIN : range = 2000000-2999999

      Samba ignores users and groups whose RIDs in this domain are not within the range.

      The range must not overlap with any other domain configuration on this server. Additionally, the range must be set big enough to include all IDs assigned in the future. For further details, see Planning Samba ID ranges.

   4. Set a shell and home directory path that will be assigned to all mapped users. For example:

      template shell = /bin/bash
      template homedir = /home/%U

2. Verify the /etc/samba/smb.conf file:

   # testparm

3. Reload the Samba configuration:

   # smbcontrol all reload-config

Additional resources

• The * default domain
• VARIABLE SUBSTITUTIONS section in the smb.conf(5) man page
• Calculation of the local ID from a RID, see the idmap_rid(8) man page

3.4.6. Using the autorid ID mapping back end

• Only for the * default domain
• For the * default domain and additional domains, without the need to create ID mapping configurations for each of the additional domains
• Only for specific domains

Benefits of using the autorid back end

• All domain users and groups whose calculated UID and GID is within the configured range are automatically available on the domain member.
• You do not need to manually assign IDs, home directories, and login shells.
• No duplicate IDs, even if multiple objects in a multi-domain environment have the same RID.

Drawbacks

• User and group IDs are not the same across Samba domain members.
• All domain users get the same login shell and home directory assigned. However, you can use variables.
• You cannot exclude individual users or groups from being available on the domain member. Only users and groups whose calculated UID or GID is outside of the configured range are excluded.

Prerequisites

• You installed Samba.
• The Samba configuration, except ID mapping, exists in the /etc/samba/smb.conf file.

Procedure

1. Edit the [global] section in the /etc/samba/smb.conf file:

   1. Enable the autorid ID mapping back end for the * default domain:

      idmap config * : backend = autorid

   2. Set a range that is big enough to assign IDs for all existing and future objects. For example:

      idmap config * : range = 10000-999999

      Samba ignores users and groups whose calculated IDs in this domain are not within the range.

      After you set the range and Samba starts using it, you can only increase the upper limit of the range. Any other change to the range can result in new ID assignments, and thus in losing file ownerships.

   3. Optionally, set a range size. For example:

      idmap config * : rangesize = 200000

      Samba assigns this number of continuous IDs for each domain’s object until all IDs from the range set in the idmap config * : range parameter are taken.

      If you set a rangesize, you need to adapt the range accordingly. The range needs to be a multiple of the rangesize.

   4. Set a shell and home directory path that will be assigned to all mapped users. For example:

      template shell = /bin/bash
      template homedir = /home/%U

   5. Optionally, add additional ID mapping configuration for domains. If no configuration for an individual domain is available, Samba calculates the ID using the autorid back end settings in the previously configured * default domain.

      The range must not overlap with any other domain configuration on this server. Additionally, the range must be set big enough to include all IDs assigned in the future. For further details, see Planning Samba ID ranges.

2. Verify the /etc/samba/smb.conf file:

   # testparm

3. Reload the Samba configuration:

   # smbcontrol all reload-config

Additional resources

• THE MAPPING FORMULAS section in the idmap_autorid(8) man page
• rangesize parameter description in the idmap_autorid(8) man page
• VARIABLE SUBSTITUTIONS section in the smb.conf(5) man page

3.5.1. Joining a RHEL system to an AD domain

Procedure

1. If your AD requires the deprecated RC4 encryption type for Kerberos authentication, enable support for these ciphers in RHEL:

   # update-crypto-policies --set DEFAULT:AD-SUPPORT

2. Install the following packages:

   # yum install realmd oddjob-mkhomedir oddjob samba-winbind-clients 
          samba-winbind samba-common-tools samba-winbind-krb5-locator

3. To share directories or printers on the domain member, install the samba package:

   # yum install samba

4. Backup the existing /etc/samba/smb.conf Samba configuration file:

   # mv /etc/samba/smb.conf /etc/samba/smb.conf.bak

5. Join the domain. For example, to join a domain named ad.example.com:

   # realm join --membership-software=samba --client-software=winbind ad.example.com

   Using the previous command, the realm utility automatically:

   • Creates a /etc/samba/smb.conf file for a membership in the ad.example.com domain
   • Adds the winbind module for user and group lookups to the /etc/nsswitch.conf file
   • Updates the Pluggable Authentication Module (PAM) configuration files in the /etc/pam.d/ directory
   • Starts the winbind service and enables the service to start when the system boots
6. Optionally, set an alternative ID mapping back end or customized ID mapping settings in the /etc/samba/smb.conf file. For details, see Understanding and configuring Samba ID mapping.

7. Verify that the winbind service is running:

   # systemctl status winbind
   ...
      Active: active (running) since Tue 2018-11-06 19:10:40 CET; 15s ago

   To enable Samba to query domain user and group information, the winbind service must be running before you start smb.

8. If you installed the samba package to share directories and printers, enable and start the smb service:

   # systemctl enable --now smb

9. Optionally, if you are authenticating local logins to Active Directory, enable the winbind_krb5_localauth plug-in. See Using the local authorization plug-in for MIT Kerberos.

Verification steps

1. Display an AD user’s details, such as the AD administrator account in the AD domain:

   # getent passwd "ADadministrator"
   ADadministrator:*:10000:10000::/home/administrator@AD:/bin/bash

2. Query the members of the domain users group in the AD domain:

   # getent group "ADDomain Users"
       ADdomain users:x:10000:user1,user2

3. Optionally, verify that you can use domain users and groups when you set permissions on files and directories. For example, to set the owner of the /srv/samba/example.txt file to ADadministrator and the group to ADDomain Users:

   # chown "ADadministrator":"ADDomain Users" /srv/samba/example.txt

4. Verify that Kerberos authentication works as expected:

   1. On the AD domain member, obtain a ticket for the administrator@AD.EXAMPLE.COM principal:

      # kinit administrator@AD.EXAMPLE.COM

   2. Display the cached Kerberos ticket:

      # klist
      Ticket cache: KCM:0
      Default principal: administrator@AD.EXAMPLE.COM
      
      Valid starting       Expires              Service principal
      01.11.2018 10:00:00  01.11.2018 20:00:00  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
              renew until 08.11.2018 05:00:00

5. Display the available domains:

   # wbinfo --all-domains
   BUILTIN
   SAMBA-SERVER
   AD

Additional resources

• If you do not want to use the deprecated RC4 ciphers, you can enable the AES encryption type in AD. See
• Enabling the AES encryption type in Active Directory using a GPO. Note that this can have an impact on other services in your AD.
• realm(8) man page

3.5.2. Using the local authorization plug-in for MIT Kerberos

Prerequisites

• Samba is configured as a member of an Active Directory.
• Red Hat Enterprise Linux authenticates log in attempts against Active Directory.
• The winbind service is running.

Procedure

Edit the /etc/krb5.conf file and add the following section:

Additional resources

• winbind_krb5_localauth(8) man page.

3.6.1. Preparing the IdM domain for installing Samba on domain members

Prerequisites

• IdM server is installed.
• You need root privileges to install packages and restart IdM services.

Procedure

1. Install the required packages:

   [root@ipaserver ~]# yum install ipa-server-trust-ad samba-client

2. Authenticate as the IdM administrative user:

   [root@ipaserver ~]# kinit admin

3. Run the ipa-adtrust-install utility:

   [root@ipaserver ~]# ipa-adtrust-install

   The DNS service records are created automatically if IdM was installed with an integrated DNS server.

   If you installed IdM without an integrated DNS server, ipa-adtrust-install prints a list of service records that you must manually add to DNS before you can continue.

4. The script prompts you that the /etc/samba/smb.conf already exists and will be rewritten:

   WARNING: The smb.conf already exists. Running ipa-adtrust-install will break your existing Samba configuration.
   
   Do you wish to continue? [no]: yes

5. The script prompts you to configure the slapi-nis plug-in, a compatibility plug-in that allows older Linux clients to work with trusted users:

   Do you want to enable support for trusted domains in Schema Compatibility plugin?
   This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users.
   
   Enable trusted domains support in slapi-nis? [no]: yes

6. When prompted, enter the NetBIOS name for the IdM domain or press Enter to accept the name suggested:

   Trust is configured but no NetBIOS domain name found, setting it now.
   Enter the NetBIOS name for the IPA domain.
   Only up to 15 uppercase ASCII letters, digits and dashes are allowed.
   Example: EXAMPLE.
   
   NetBIOS domain name [IDM]:

7. You are prompted to run the SID generation task to create a SID for any existing users:

   Do you want to run the ipa-sidgen task? [no]: yes

   This is a resource-intensive task, so if you have a high number of users, you can run this at another time.

8. (Optional) By default, the Dynamic RPC port range is defined as 49152-65535 for Windows Server 2008 and later. If you need to define a different Dynamic RPC port range for your environment, configure Samba to use different ports and open those ports in your firewall settings. The following example sets the port range to 55000-65000.

   [root@ipaserver ~]# net conf setparm global 'rpc server dynamic port range' 55000-65000
   [root@ipaserver ~]# firewall-cmd --add-port=55000-65000/tcp
   [root@ipaserver ~]# firewall-cmd --runtime-to-permanent

9. Restart the ipa service:

   [root@ipaserver ~]# ipactl restart

10. Use the smbclient utility to verify that Samba responds to Kerberos authentication from the IdM side:

    [root@ipaserver ~]# smbclient -L server.idm.example.com -U user_name --use-kerberos=required
    lp_load_ex: changing to config backend registry
        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       IPC Service (Samba 4.15.2)
    ...

3.6.2. Enabling the AES encryption type in Active Directory using a GPO

Prerequisites

• You are logged into AD as a user who can edit group policies.
• The Group Policy Management Console is installed on the computer.

Procedure

1. Open the Group Policy Management Console.
2. Right-click Default Domain Policy, and select Edit. The Group Policy Management Editor opens.
3. Navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Security Options.
4. Double-click the Network security: Configure encryption types allowed for Kerberos policy.
5. Select AES256_HMAC_SHA1 and, optionally, Future encryption types.
6. Click OK.
7. Close the Group Policy Management Editor.
8. Repeat the steps for the Default Domain Controller Policy.

9. Wait until the Windows domain controllers (DC) applied the group policy automatically. Alternatively, to apply the GPO manually on a DC, enter the following command using an account that has administrator permissions:

   C:> gpupdate /force /target:computer

3.6.3. Installing and configuring a Samba server on an IdM client

Prerequisites

• Both the IdM servers and the client must run on RHEL 8.1 or later.
• The IdM domain is prepared as described in Preparing the IdM domain for installing Samba on domain members.
• If IdM has a trust configured with AD, enable the AES encryption type for Kerberos. For example, use a group policy object (GPO) to enable the AES encryption type. For details, see Enabling AES encryption in Active Directory using a GPO.

Procedure

1. Install the ipa-client-samba package:

   [root@idm_client]# yum install ipa-client-samba

2. Use the ipa-client-samba utility to prepare the client and create an initial Samba configuration:

   [root@idm_client]# ipa-client-samba
   Searching for IPA server...
   IPA server: DNS discovery
   Chosen IPA master: idm_server.idm.example.com
   SMB principal to be created: cifs/idm_client.idm.example.com@IDM.EXAMPLE.COM
   NetBIOS name to be used: IDM_CLIENT
   Discovered domains to use:
   
    Domain name: idm.example.com
   NetBIOS name: IDM
            SID: S-1-5-21-525930803-952335037-206501584
       ID range: 212000000 - 212199999
   
    Domain name: ad.example.com
   NetBIOS name: AD
            SID: None
       ID range: 1918400000 - 1918599999
   
   Continue to configure the system with these values? [no]: yes
   Samba domain member is configured. Please check configuration at /etc/samba/smb.conf and start smb and winbind services

3. By default, ipa-client-samba automatically adds the [homes] section to the /etc/samba/smb.conf file that dynamically shares a user’s home directory when the user connects. If users do not have home directories on this server, or if you do not want to share them, remove the following lines from /etc/samba/smb.conf:

   [homes]
       read only = no

4. Share directories and printers. For details, see:

   • Setting up a Samba file share that uses POSIX ACLs
   • Setting up a share that uses Windows ACLs
   • Setting up Samba as a print server

5. Open the ports required for a Samba client in the local firewall:

   [root@idm_client]# firewall-cmd --permanent --add-service=samba-client
   [root@idm_client]# firewall-cmd --reload

6. Enable and start the smb and winbind services:

   [root@idm_client]# systemctl enable --now smb winbind

Verification steps

Run the following verification step on a different IdM domain member that has the samba-client package installed:

• List the shares on the Samba server using Kerberos authentication:

  $ smbclient -L idm_client.idm.example.com -U user_name --use-kerberos=required
  lp_load_ex: changing to config backend registry
  
      Sharename       Type      Comment
      ---------       ----      -------
      example         Disk
      IPC$            IPC       IPC Service (Samba 4.15.2)
  ...

Additional resources

• ipa-client-samba(1) man page

3.6.4. Manually adding an ID mapping configuration if IdM trusts a new domain

Prerequisites

• You configured Samba on an IdM client. Afterward, a new trust was added to IdM.
• The DES and RC4 encryption types for Kerberos must be disabled in the trusted AD domain. For security reasons, RHEL 8 does not support these weak encryption types.

Procedure

1. Authenticate using the host’s keytab:

   [root@idm_client]# kinit -k

2. Use the ipa idrange-find command to display both the base ID and the ID range size of the new domain. For example, the following command displays the values for the ad.example.com domain:

   [root@idm_client]# ipa idrange-find --name="AD.EXAMPLE.COM_id_range" --raw
   ---------------
   1 range matched
   ---------------
     cn: AD.EXAMPLE.COM_id_range
     ipabaseid: 1918400000
     ipaidrangesize: 200000
     ipabaserid: 0
     ipanttrusteddomainsid: S-1-5-21-968346183-862388825-1738313271
     iparangetype: ipa-ad-trust
   ----------------------------
   Number of entries returned 1
   ----------------------------

   You need the values from the ipabaseid and ipaidrangesize attributes in the next steps.

3. To calculate the highest usable ID, use the following formula:

   maximum_range = ipabaseid + ipaidrangesize - 1

   With the values from the previous step, the highest usable ID for the ad.example.com domain is 1918599999 (1918400000 + 200000 — 1).

4. Edit the /etc/samba/smb.conf file, and add the ID mapping configuration for the domain to the [global] section:

   idmap config AD : range = 1918400000 - 1918599999
   idmap config AD : backend = sss

   Specify the value from ipabaseid attribute as the lowest and the computed value from the previous step as the highest value of the range.

5. Restart the smb and winbind services:

   [root@idm_client]# systemctl restart smb winbind

Verification steps

• List the shares on the Samba server using Kerberos authentication:

  $ smbclient -L idm_client.idm.example.com -U user_name --use-kerberos=required
  lp_load_ex: changing to config backend registry
  
      Sharename       Type      Comment
      ---------       ----      -------
      example         Disk
      IPC$            IPC       IPC Service (Samba 4.15.2)
  ...

3.6.5. Additional resources

• Installing an Identity Management client

3.7.1. Adding a share that uses POSIX ACLs

Prerequisites

Samba has been set up in one of the following modes:

• Standalone server
• Domain member

Procedure

1. Create the folder if it does not exist. For example:

   # mkdir -p /srv/samba/example/

2. If you run SELinux in enforcing mode, set the samba_share_t context on the directory:

   # semanage fcontext -a -t samba_share_t "/srv/samba/example(/.*)?"
   # restorecon -Rv /srv/samba/example/

3. Set file system ACLs on the directory. For details, see:

   • Setting standard ACLs on a Samba Share that uses POSIX ACLs
   • Setting extended ACLs on a share that uses POSIX ACLs.

4. Add the example share to the /etc/samba/smb.conf file. For example, to add the share write-enabled:

   [example]
   	path = /srv/samba/example/
   	read only = no

   Regardless of the file system ACLs; if you do not set read only = no, Samba shares the directory in read-only mode.

5. Verify the /etc/samba/smb.conf file:

   # testparm

6. Open the required ports and reload the firewall configuration using the firewall-cmd utility:

   # firewall-cmd --permanent --add-service=samba
   # firewall-cmd --reload

7. Restart the smb service:

   # systemctl restart smb

3.7.2. Setting standard Linux ACLs on a Samba share that uses POSIX ACLs

Prerequisites

• The Samba share on which you want to set the ACLs exists.

Procedure

# chown root:"Domain Users" /srv/samba/example/
# chmod 2770 /srv/samba/example/

Additional resources

• chown(1) and chmod(1) man pages

3.7.3. Setting extended ACLs on a Samba share that uses POSIX ACLs

• No access
• Read access
• Write access
• Full control

Prerequisites

• The Samba share on which you want to set the ACLs exists.

Procedure

1. Enable the following parameter in the share’s section in the /etc/samba/smb.conf file to enable ACL inheritance of extended ACLs:

   inherit acls = yes

   For details, see the parameter description in the smb.conf(5) man page.

2. Restart the smb service:

   # systemctl restart smb

3. Set the ACLs on the directory. For example:

3.8.1. Configuring user and group-based share access

Prerequisites

• The Samba share on which you want to set user or group-based access exists.

Procedure

1. For example, to enable all members of the Domain Users group to access a share while access is denied for the user account, add the following parameters to the share’s configuration:

   valid users = +DOMAIN"Domain Users"
   invalid users = DOMAINuser

   The invalid users parameter has a higher priority than the valid users parameter. For example, if the user account is a member of the Domain Users group, access is denied to this account when you use the previous example.

2. Reload the Samba configuration:

   # smbcontrol all reload-config

Additional resources

• smb.conf(5) man page

3.8.2. Configuring host-based share access

Prerequisites

• The Samba share on which you want to set host-based access exists.

Procedure

1. Add the following parameters to the configuration of the share in the /etc/samba/smb.conf file:

   hosts allow = 127.0.0.1 192.0.2.0/24 client1.example.com
   hosts deny = client2.example.com

   The hosts deny parameter has a higher priority than hosts allow. For example, if client1.example.com resolves to an IP address that is listed in the hosts allow parameter, access for this host is denied.

2. Reload the Samba configuration:

   # smbcontrol all reload-config

Additional resources

• smb.conf(5) man page

3.9.1. Granting the SeDiskOperatorPrivilege privilege

Procedure

1. For example, to grant the SeDiskOperatorPrivilege privilege to the DOMAINDomain Admins group:

   # net rpc rights grant "DOMAINDomain Admins" SeDiskOperatorPrivilege -U "DOMAINadministrator"
   Enter DOMAINadministrator's password:
   Successfully granted rights.

   In a domain environment, grant SeDiskOperatorPrivilege to a domain group. This enables you to centrally manage the privilege by updating a user’s group membership.

2. To list all users and groups having SeDiskOperatorPrivilege granted:

   # net rpc rights list privileges SeDiskOperatorPrivilege -U "DOMAINadministrator"
   Enter administrator's password:
   SeDiskOperatorPrivilege:
     BUILTINAdministrators
     DOMAINDomain Admins

3.9.2. Enabling Windows ACL support

Prerequisites

• A user share is configured on the Samba server.

Procedure

1. To enable it globally for all shares, add the following settings to the [global] section of the /etc/samba/smb.conf file:

   vfs objects = acl_xattr
   map acl inherit = yes
   store dos attributes = yes

   Alternatively, you can enable Windows ACL support for individual shares, by adding the same parameters to a share’s section instead.

2. Restart the smb service:

   # systemctl restart smb

3.9.3. Adding a share that uses Windows ACLs

Procedure

1. Create the folder if it does not exists. For example:

   # mkdir -p /srv/samba/example/

2. If you run SELinux in enforcing mode, set the samba_share_t context on the directory:

   # semanage fcontext -a -t samba_share_t "/srv/samba/example(/.*)?"
   # restorecon -Rv /srv/samba/example/

3. Add the example share to the /etc/samba/smb.conf file. For example, to add the share write-enabled:

   [example]
   	path = /srv/samba/example/
   	read only = no

   Regardless of the file system ACLs; if you do not set read only = no, Samba shares the directory in read-only mode.

4. If you have not enabled Windows ACL support in the [global] section for all shares, add the following parameters to the [example] section to enable this feature for this share:

   vfs objects = acl_xattr
   map acl inherit = yes
   store dos attributes = yes

5. Verify the /etc/samba/smb.conf file:

   # testparm

6. Open the required ports and reload the firewall configuration using the firewall-cmd utility:

   # firewall-cmd --permanent --add-service=samba
   # firewall-cmd --reload

7. Restart the smb service:

   # systemctl restart smb

3.9.4. Managing share permissions and file system ACLs of a share that uses Windows ACLs

3.10.1. Access control entries

Example 3.3. Access control entries

ADDomain Users:ALLOWED/OI|CI/CHANGE

Security principal

The security principal is the user, group, or SID the permissions in the ACL are applied to.

Access right

Defines if access to an object is granted or denied. The value can be ALLOWED or DENIED.

Inheritance information

The following values exist:

Table 3.1. Inheritance settings

Value	Description	Maps to
OI	Object Inherit	This folder and files
CI	Container Inherit	This folder and subfolders
IO	Inherit Only	The ACE does not apply to the current file or directory
ID	Inherited	The ACE was inherited from the parent directory

Additionally, the values can be combined as follows:

Table 3.2. Inheritance settings combinations

Value combinations	Maps to the Windows Applies to setting
OI|CI	This folder, subfolders, and files
OI|CI|IO	Subfolders and files only
CI|IO	Subfolders only
OI|IO	Files only

Permissions

This value can be either a hex value that represents one or more Windows permissions or an smbcacls alias:

• A hex value that represents one or more Windows permissions.

  The following table displays the advanced Windows permissions and their corresponding value in hex format:

  Multiple permissions can be combined as a single hex value using the bit-wise OR operation. For details, see ACE mask calculation.

• An smbcacls alias. The following table displays the available aliases:

  You can combine single-letter aliases when you set permissions. For example, you can set RD to apply the Windows permission Read and Delete. However, you can neither combine multiple non-single-letter aliases nor combine aliases and hex values.

3.10.2. Displaying ACLs using smbcacls

Procedure

For example, to list the ACLs of the root directory of the //server/example share:

• REVISION: The internal Windows NT ACL revision of the security descriptor
• CONTROL: Security descriptor control
• OWNER: Name or SID of the security descriptor’s owner
• GROUP: Name or SID of the security descriptor’s group
• ACL entries. For details, see Access control entries.

3.10.3. ACE mask calculation

Example 3.4. Calculating an ACE Mask

# echo $(printf '0x%X' $(( 0x00100020 | 0x00100001 | 0x00100080 )))
0x1000A1

3.10.4. Adding, updating, and removing an ACL using smbcacls

3.11.1. Enabling the user shares feature

Procedure

1. Create the local example group, if it does not exist:

   # groupadd example

2. Prepare the directory for Samba to store the user share definitions and set its permissions properly. For example:

   1. Create the directory:

      # mkdir -p /var/lib/samba/usershares/

   2. Set write permissions for the example group:

      # chgrp example /var/lib/samba/usershares/
      # chmod 1770 /var/lib/samba/usershares/

   3. Set the sticky bit to prevent users to rename or delete files stored by other users in this directory.

3. Edit the /etc/samba/smb.conf file and add the following to the [global] section:

   1. Set the path to the directory you configured to store the user share definitions. For example:

      usershare path = /var/lib/samba/usershares/

   2. Set how many user shares Samba allows to be created on this server. For example:

      usershare max shares = 100

      If you use the default of 0 for the usershare max shares parameter, user shares are disabled.

   3. Optionally, set a list of absolute directory paths. For example, to configure that Samba only allows to share subdirectories of the /data and /srv directory to be shared, set:

      usershare prefix allow list = /data /srv

   For a list of further user share-related parameters you can set, see the USERSHARES section in the smb.conf(5) man page.

4. Verify the /etc/samba/smb.conf file:

   # testparm

5. Reload the Samba configuration:

   # smbcontrol all reload-config

   Users are now able to create user shares.

3.11.2. Adding a user share

Example 3.5. Adding a user share

$ net usershare add example /srv/samba/ "" "ADDomain Users":F,Everyone:R guest_ok=yes

3.11.4. Displaying information about existing user shares

Prerequisites

• A user share is configured on the Samba server.

Procedure

1. To display all user shares created by any user:

   $ net usershare info -l
   [share_1]
   path=/srv/samba/
   comment=
   usershare_acl=Everyone:R,host_nameuser:F,
   guest_ok=y
   ...

   To list only shares created by the user who runs the command, omit the -l parameter.

2. To display only the information about specific shares, pass the share name or wild cards to the command. For example, to display the information about shares whose name starts with share_:

   $ net usershare info -l share_* 

3.11.5. Listing user shares

Prerequisites

• A user share is configured on the Samba server.

Procedure

1. To list the shares created by any user:

   $ net usershare list -l
   share_1
   share_2
   ...

   To list only shares created by the user who runs the command, omit the -l parameter.

2. To list only specific shares, pass the share name or wild cards to the command. For example, to list only shares whose name starts with share_:

   $ net usershare list -l share_* 

3.12.1. Enabling guest access to a share

• The account is listed in file system ACLs
• The POSIX permissions for other users allow it

Example 3.6. Guest share permissions

-rw-r--r--. 1 root       root      1024 1. Sep 10:00 file1.txt
-rw-r-----. 1 nobody     root      1024 1. Sep 10:00 file2.txt
-rw-r-----. 1 root       root      1024 1. Sep 10:00 file3.txt

Procedure

1. Edit the /etc/samba/smb.conf file:

   1. If this is the first guest share you set up on this server:

      1. Set map to guest = Bad User in the [global] section:

         [global]
                 ...
                 map to guest = Bad User

         With this setting, Samba rejects login attempts that use an incorrect password unless the user name does not exist. If the specified user name does not exist and guest access is enabled on a share, Samba treats the connection as a guest log in.

      2. By default, Samba maps the guest account to the nobody account on Red Hat Enterprise Linux. Alternatively, you can set a different account. For example:

         [global]
                 ...
                 guest account = user_name

         The account set in this parameter must exist locally on the Samba server. For security reasons, Red Hat recommends using an account that does not have a valid shell assigned.

   2. Add the guest ok = yes setting to the [example] share section:

      [example]
              ...
              guest ok = yes

2. Verify the /etc/samba/smb.conf file:

   # testparm

3. Reload the Samba configuration:

   # smbcontrol all reload-config

3.13.1. Optimizing the Samba configuration for providing file shares for macOS clients

Prerequisites

• Samba is configured as a file server.

Procedure

1. Edit the /etc/samba/smb.conf file, and enable the fruit and streams_xattr VFS modules in the [global] section:

   vfs objects = fruit streams_xattr

   You must enable the fruit module before enabling streams_xattr. The fruit module uses alternate data streams (ADS). For this reason, you must also enable the streams_xattr module.

2. Optionally, to provide macOS Time Machine support on a share, add the following setting to the share configuration in the /etc/samba/smb.conf file:

   fruit:time machine = yes

3. Verify the /etc/samba/smb.conf file:

   # testparm

4. Reload the Samba configuration:

   # smbcontrol all reload-config

Additional resources

• vfs_fruit(8) man page.

• Configuring file shares:

  • Setting up a Samba file share that uses POSIX ACLs
  • Setting up a share that uses Windows ACLs.

3.14.1. How the smbclient interactive mode works

Additional resources

• smbclient(1) man page

3.14.2. Using smbclient in interactive mode

Procedure

1. Connect to the share:

   # smbclient -U "DOMAINuser_name" //server_name/share_name

2. Change into the /example/ directory:

   smb: > d /example/

3. List the files in the directory:

   smb: example> ls
     .                    D         0  Thu Nov 1 10:00:00 2018
     ..                   D         0  Thu Nov 1 10:00:00 2018
     example.txt          N   1048576  Thu Nov 1 10:00:00 2018
   
            9950208 blocks of size 1024. 8247144 blocks available

4. Download the example.txt file:

   smb: example> get example.txt
   getting file directorysubdirectoryexample.txt of size 1048576 as example.txt (511975,0 KiloBytes/sec) (average 170666,7 KiloBytes/sec)

5. Disconnect from the share:

   smb: example> exit

3.14.3. Using smbclient in scripting mode

Procedure

• Use the following command to connect to the share, change into the example directory, download the example.txt file:

3.15.1. Enabling print server support in Samba

Prerequisites

• The printers are configured in a CUPS server.

  For details about configuring printers in CUPS, see the documentation provided in the CUPS web console (https://printserver:631/help) on the print server.

Procedure

1. Edit the /etc/samba/smb.conf file:

   1. Add the [printers] section to enable the printing backend in Samba:

      [printers]
              comment = All Printers
              path = /var/tmp/
              printable = yes
              create mask = 0600

      The [printers] share name is hard-coded and cannot be changed.

   2. If the CUPS server runs on a different host or port, specify the setting in the [printers] section:

      cups server = printserver.example.com:631

   3. If you have many printers, set the number of idle seconds to a higher value than the numbers of printers connected to CUPS. For example, if you have 100 printers, set in the [global] section:

      rpcd_spoolss:idle_seconds = 200

      If this setting does not scale in your environment, also increase the number of rpcd_spoolss workers in the [global] section:

      rpcd_spoolss:num_workers = 10

      By default, rpcd_spoolss starts 5 workers.

2. Verify the /etc/samba/smb.conf file:

   # testparm

3. Open the required ports and reload the firewall configuration using the firewall-cmd utility:

   # firewall-cmd --permanent --add-service=samba
   # firewall-cmd --reload

4. Restart the smb service:

   # systemctl restart smb

   After restarting the service, Samba automatically shares all printers that are configured in the CUPS back end. If you want to manually share only specific printers, see Manually sharing specific printers.

Verification

• Submit a print job. For example, to print a PDF file, enter:

  # smbclient -Uuser //sambaserver.example.com/printer_name -c "print example.pdf"

3.15.2. Manually sharing specific printers

Prerequisites

• Samba is set up as a print server

Procedure

1. Edit the /etc/samba/smb.conf file:

   1. In the [global] section, disable automatic printer sharing by setting:

      load printers = no

   2. Add a section for each printer you want to share. For example, to share the printer named example in the CUPS back end as Example-Printer in Samba, add the following section:

      [Example-Printer]
              path = /var/tmp/
              printable = yes
              printer name = example

      You do not need individual spool directories for each printer. You can set the same spool directory in the path parameter for the printer as you set in the [printers] section.

2. Verify the /etc/samba/smb.conf file:

   # testparm

3. Reload the Samba configuration:

   # smbcontrol all reload-config

3.16.1. Basic information about printer drivers

• Unpack the driver if it is provided in a compressed format.

• Some drivers require to start a setup application that installs the driver locally on a Windows host. In certain situations, the installer extracts the individual files into the operating system’s temporary folder during the setup runs. To use the driver files for uploading:

  1. Start the installer.
  2. Copy the files from the temporary folder to a new location.
  3. Cancel the installation.

3.16.2. Enabling users to upload and preconfigure drivers

Procedure

1. For example, to grant the SePrintOperatorPrivilege privilege to the printadmin group:

   # net rpc rights grant "printadmin" SePrintOperatorPrivilege -U "DOMAINadministrator"
   Enter DOMAINadministrator's password:
   Successfully granted rights.

   In a domain environment, grant SePrintOperatorPrivilege to a domain group. This enables you to centrally manage the privilege by updating a user’s group membership.

2. To list all users and groups having SePrintOperatorPrivilege granted:

   # net rpc rights list privileges SePrintOperatorPrivilege -U "DOMAINadministrator"
   Enter administrator's password:
   SePrintOperatorPrivilege:
     BUILTINAdministrators
     DOMAINprintadmin

3.16.3. Setting up the print$ share

Procedure

1. Add the [print$] section to the /etc/samba/smb.conf file:

   [print$]
           path = /var/lib/samba/drivers/
           read only = no
           write list = @printadmin
           force group = @printadmin
           create mask = 0664
           directory mask = 2775

   Using these settings:

   • Only members of the printadmin group can upload printer drivers to the share.
   • The group of new created files and directories will be set to printadmin.
   • The permissions of new files will be set to 664.
   • The permissions of new directories will be set to 2775.

2. To upload only 64-bit drivers for all printers, include this setting in the [global] section in the /etc/samba/smb.conf file:

   spoolss: architecture = Windows x64

   Without this setting, Windows only displays drivers for which you have uploaded at least the 32-bit version.

3. Verify the /etc/samba/smb.conf file:

   # testparm

4. Reload the Samba configuration

   # smbcontrol all reload-config

5. Create the printadmin group if it does not exists:

   # groupadd printadmin

6. Grant the SePrintOperatorPrivilege privilege to the printadmin group.

   # net rpc rights grant "printadmin" SePrintOperatorPrivilege -U "DOMAINadministrator"
   Enter DOMAINadministrator's password:
   Successfully granted rights.

7. If you run SELinux in enforcing mode, set the samba_share_t context on the directory:

   # semanage fcontext -a -t samba_share_t "/var/lib/samba/drivers(/.)?" # *restorecon -Rv /var/lib/samba/drivers/

8. Set the permissions on the /var/lib/samba/drivers/ directory:

   • If you use POSIX ACLs, set:

     # chgrp -R "printadmin" /var/lib/samba/drivers/
     # chmod -R 2775 /var/lib/samba/drivers/

   • If you use Windows ACLs, set:

     Principal	Access	Apply to
     CREATOR OWNER	Full control	Subfolders and files only
     Authenticated Users	Read & execute, List folder contents, Read	This folder, subfolders, and files
     printadmin	Full control	This folder, subfolders, and files

     For details about setting ACLs on Windows, see the Windows documentation.

3.16.4. Creating a GPO to enable clients to trust the Samba print server

Prerequisites

• The Samba print server is a member of an AD domain.
• The Windows computer you are using to create the GPO must have the Windows Remote Server Administration Tools (RSAT) installed. For details, see the Windows documentation.

Procedure

1. Log into a Windows computer using an account that is allowed to edit group policies, such as the AD domain Administrator user.
2. Open the Group Policy Management Console.

3. Right-click to your AD domain and select Create a GPO in this domain, and Link it here.

   

4. Enter a name for the GPO, such as Legacy Printer Driver Policy and click OK. The new GPO will be displayed under the domain entry.
5. Right-click to the newly-created GPO and select Edit to open the Group Policy Management Editor.

6. Navigate to → → → .

   

7. On the right side of the window, double-click Point and Print Restriction to edit the policy:

   1. Enable the policy and set the following options:

      1. Select Users can only point and print to these servers and enter the fully-qualified domain name (FQDN) of the Samba print server to the field next to this option.

      2. In both check boxes under Security Prompts, select Do not show warning or elevation prompt.

         

   2. Click OK.

8. Double-click Package Point and Print - Approved servers to edit the policy:

   1. Enable the policy and click the Show button.

   2. Enter the FQDN of the Samba print server.

      

   3. Close both the Show Contents and the policy’s properties window by clicking OK.
9. Close the Group Policy Management Editor.
10. Close the Group Policy Management Console.

Additional resources

• For using group policies, see the Windows documentation.

3.16.5. Uploading drivers and preconfiguring printers

3.17.1. Limitations of using Samba in FIPS mode

• Samba as a domain member only in Active Directory (AD) or Red Hat Identity Management (IdM) environments with Kerberos authentication that uses AES ciphers.
• Samba as a file server on an Active Directory domain member. However, this requires that clients use Kerberos to authenticate to the server.

• NT LAN Manager (NTLM) authentication because RC4 ciphers are blocked
• The server message block version 1 (SMB1) protocol
• The stand-alone file server mode because it uses NTLM authentication
• NT4-style domain controllers
• NT4-style domain members. Note that Red Hat continues supporting the primary domain controller (PDC) functionality IdM uses in the background.
• Password changes against the Samba server. You can only perform password changes using Kerberos against an Active Directory domain controller.

• Running Samba as a print server

3.17.2. Using Samba in FIPS mode

Prerequisites

• Samba is configured on the Red Hat Enterprise Linux host.
• Samba runs in a mode that is supported in FIPS mode.

Procedure

1. Enable the FIPS mode on RHEL:

   # fips-mode-setup --enable

2. Reboot the server:

   # reboot

3. Use the testparm utility to verify the configuration:

   # testparm -s

   If the command displays any errors or incompatibilities, fix them to ensure that Samba works correctly.

3.18.1. Setting the SMB protocol version

Procedure

1. Remove the server max protocol parameter from the [global] section in the /etc/samba/smb.conf file.

2. Reload the Samba configuration

   # smbcontrol all reload-config

3.18.2. Tuning shares with directories that contain a large number of files

Prerequisites

• Samba is configured as a file server

Procedure

1. Rename all files on the share to lowercase.

   Using the settings in this procedure, files with names other than in lowercase will no longer be displayed.

2. Set the following parameters in the share’s section:

   case sensitive = true
   default case = lower
   preserve case = no
   short preserve case = no

   For details about the parameters, see their descriptions in the smb.conf(5) man page.

3. Verify the /etc/samba/smb.conf file:

   # testparm

4. Reload the Samba configuration:

   # smbcontrol all reload-config

3.18.3. Settings that can have a negative performance impact

3.19.1. Setting the minimum SMB protocol version supported by a Samba server

Prerequisites

• Samba is installed and configured.

Procedure

1. Edit the /etc/samba/smb.conf file, add the server min protocol parameter, and set the parameter to the minimum SMB protocol version the server should support. For example, to set the minimum SMB protocol version to SMB3, add:

   server min protocol = SMB3

2. Restart the smb service:

   # systemctl restart smb

Additional resources

• smb.conf(5) man page

3.20.1. Using the net ads join and net rpc join commands

Procedure

1. Manually create the /etc/samba/smb.conf file with the following settings:

   • For an AD domain member:

     [global]
     workgroup = domain_name
     security = ads
     passdb backend = tdbsam
     realm = AD_REALM

   • For an NT4 domain member:

     [global]
     workgroup = domain_name
     security = user
     passdb backend = tdbsam

2. Add an ID mapping configuration for the * default domain and for the domain you want to join to the [global] section in the /etc/samba/smb.conf file.

3. Verify the /etc/samba/smb.conf file:

   # testparm

4. Join the domain as the domain administrator:

   • To join an AD domain:

     # net ads join -U "DOMAINadministrator"

   • To join an NT4 domain:

     # net rpc join -U "DOMAINadministrator"

5. Append the winbind source to the passwd and group database entry in the /etc/nsswitch.conf file:

   passwd:     files winbind
   group:      files winbind

6. Enable and start the winbind service:

   # systemctl enable --now winbind

7. Optionally, configure PAM using the authselect utility.

   For details, see the authselect(8) man page.

8. Optionally for AD environments, configure the Kerberos client.

   For details, see the documentation of your Kerberos client.

3.20.2. Using the net rpc rights command

3.20.3. Using the net rpc share command

• The user specified in the -U parameter must have the SeDiskOperatorPrivilege privilege granted on the destination server.
• You must write a script that adds a share section to the /etc/samba/smb.conf file and reloads Samba. The script must be set in the add share command parameter in the [global] section in /etc/samba/smb.conf. For further details, see the add share command description in the smb.conf(5) man page.

• The user specified in the -U parameter must have the SeDiskOperatorPrivilege privilege granted.
• You must write a script that removes the share’s section from the /etc/samba/smb.conf file and reloads Samba. The script must be set in the delete share command parameter in the [global] section in /etc/samba/smb.conf. For further details, see the delete share command description in the smb.conf(5) man page.

3.20.4. Using the net user command

• List all user accounts
• Add users
• Remove Users

1. Add the account:

   # net user add user password -U "DOMAINadministrator"
   User user added

2. Optionally, use the remote procedure call (RPC) shell to enable the account on the AD DC or NT4 PDC. For example:

   # net rpc shell -U DOMAINadministrator -S DC_or_PDC_name
   Talking to domain DOMAIN (S-1-5-21-1424831554-512457234-5642315751)
   
   net rpc> user edit disabled user: no
   Set user's disabled flag from [yes] to [no]
   
   net rpc> exit

3.20.5. Using the rpcclient utility

Prerequisites

• The samba-client package is installed.

• Manage the printer Spool Subsystem (SPOOLSS).

  Example 3.7. Assigning a Driver to a Printer

  # rpcclient server_name -U "DOMAINadministrator" -c 'setdriver "printer_name" "driver_name"'
  Enter DOMAINadministrators password:
  Successfully set printer_name to driver driver_name.

• Retrieve information about an SMB server.

  Example 3.8. Listing all File Shares and Shared Printers

  # rpcclient server_name -U "DOMAINadministrator" -c 'netshareenum'
  Enter DOMAINadministrators password:
  netname: Example_Share
  	remark:
  	path:   C:srvsambaexample_share
  	password:
  netname: Example_Printer
  	remark:
  	path:   C:varspoolsamba
  	password:

• Perform actions using the Security Account Manager Remote (SAMR) protocol.

  Example 3.9. Listing Users on an SMB Server

  # rpcclient server_name -U "DOMAINadministrator" -c 'enumdomusers'
  Enter DOMAINadministrators password:
  user:[user1] rid:[0x3e8]
  user:[user2] rid:[0x3e9]

  If you run the command against a standalone server or a domain member, it lists the users in the local database. Running the command against an AD DC or NT4 PDC lists the domain users.

Additional resources

• rpcclient(1) man page

3.20.6. Using the samba-regedit application

Prerequisites

• The samba-client package is installed.

Procedure

To start the application, enter:

• Cursor up and cursor down: Navigate through the registry tree and the values.
• Enter: Opens a key or edits a value.
• Tab: Switches between the Key and Value pane.
• Ctrl+C: Closes the application.

3.20.7. Using the smbcontrol utility

Prerequisites

• The samba-common-tools package is installed.

Procedure

# smbcontrol all reload-config

Additional resources

• smbcontrol(1) man page

3.20.8. Using the smbpasswd utility

Prerequisites

• The samba-common-tools package is installed.

Procedure

1. If you run the command as a user, smbpasswd changes the Samba password of the user who run the command. For example:

   [user@server ~]$ smbpasswd
   New SMB password: password
   Retype new SMB password: password

2. If you run smbpasswd as the root user, you can use the utility, for example, to:

   • Create a new user:

     [root@server ~]# smbpasswd -a user_name
     New SMB password: password
     Retype new SMB password: password
     Added user user_name.

     Before you can add a user to the Samba database, you must create the account in the local operating system. See the Adding a new user from the command line section in the Configuring basic system settings guide.

   • Enable a Samba user:

     [root@server ~]# smbpasswd -e user_name
     Enabled user user_name.

   • Disable a Samba user:

     [root@server ~]# smbpasswd -x user_name
     Disabled user user_name

   • Delete a user:

     [root@server ~]# smbpasswd -x user_name
     Deleted user user_name.

Additional resources

• smbpasswd(8) man page

3.20.9. Using the smbstatus utility

• Connections per PID of each smbd daemon to the Samba server. This report includes the user name, primary group, SMB protocol version, encryption, and signing information.
• Connections per Samba share. This report includes the PID of the smbd daemon, the IP of the connecting machine, the time stamp when the connection was established, encryption, and signing information.
• A list of locked files. The report entries include further details, such as opportunistic lock (oplock) types

Prerequisites

• The samba package is installed.
• The smbd service is running.

Procedure

# smbstatus

Samba version 4.15.2
PID  Username              Group                Machine                            Protocol Version  Encryption  Signing
....-------------------------------------------------------------------------------------------------------------------------
963  DOMAINadministrator  DOMAINdomain users  client-pc  (ipv4:192.0.2.1:57786)  SMB3_02           -           AES-128-CMAC

Service  pid  Machine    Connected at                  Encryption  Signing:
....---------------------------------------------------------------------------
example  969  192.0.2.1  Thu Nov  1 10:00:00 2018 CEST  -           AES-128-CMAC

Locked files:
Pid  Uid    DenyMode   Access    R/W     Oplock      SharePath           Name      Time
....--------------------------------------------------------------------------------------------------------
969  10000  DENY_WRITE 0x120089  RDONLY  LEASE(RWH)  /srv/samba/example  file.txt  Thu Nov  1 10:00:00 2018

Additional resources

• smbstatus(1) man page

3.20.10. Using the smbtar utility

Prerequisites

• The samba-client package is installed.

Procedure

• Use the following command to back up the content of the demo directory on the //server/example/ share and store the content in the /root/example.tar archive:

  # smbtar -s server -x example -u user_name -p password -t /root/example.tar

Additional resources

• smbtar(1) man page

3.20.11. Using the wbinfo utility

Prerequisites

• The samba-winbind-clients package is installed.

Procedure

You can use wbinfo, for example, to:

• List domain users:

  # wbinfo -u
  ADadministrator
  ADguest
  ...

• List domain groups:

  # wbinfo -g
  ADdomain computers
  ADdomain admins
  ADdomain users
  ...

• Display the SID of a user:

  # wbinfo --name-to-sid="ADadministrator"
  S-1-5-21-1762709870-351891212-3141221786-500 SID_USER (1)

• Display information about domains and trusts:

  # wbinfo --trusted-domains --verbose
  Domain Name   DNS Domain            Trust Type  Transitive  In   Out
  BUILTIN                             None        Yes         Yes  Yes
  server                              None        Yes         Yes  Yes
  DOMAIN1       domain1.example.com   None        Yes         Yes  Yes
  DOMAIN2       domain2.example.com   External    No          Yes  Yes

Additional resources

• wbinfo(1) man page