
Chapter 15. File and Print Servers

15.1. Samba
15.1.1. Introduction to Samba
15.1.2. Samba Daemons and Related Services
15.1.3. Connecting to a Samba Share
15.1.4. Configuring a Samba Server
15.1.5. Starting and Stopping Samba
15.1.6. Samba Server Types and the smb.conf File
15.1.7. Samba Security Modes
15.1.8. Samba Account Information Databases
15.1.9. Samba Network Browsing
15.1.10. Samba with CUPS Printing Support
15.1.11. Samba Distribution Programs
15.1.12. Additional Resources
15.2. FTP
15.2.1. The File Transfer Protocol
15.2.2. FTP Servers
15.2.3. Files Installed with vsftpd
15.2.4. Starting and Stopping vsftpd
15.2.5. vsftpd Configuration Options
15.2.6. Additional Resources
15.3. Printer Configuration
15.3.1. Starting the Printer Configuration Tool
15.3.2. Starting Printer Setup
15.3.3. Adding a Local Printer
15.3.4. Adding an AppSocket/HP JetDirect printer
15.3.5. Adding an IPP Printer
15.3.6. Adding an LPD/LPR Host or Printer
15.3.7. Adding a Samba (SMB) printer
15.3.8. Selecting the Printer Model and Finishing
15.3.9. Printing a test page
15.3.10. Modifying Existing Printers
15.3.11. Additional Resources
This chapter guides you through the installation and configuration of Samba, an open source implementation of the Server Message Block (SMB) protocol, and vsftpd, the primary FTP server shipped with Fedora. Additionally, it explains how to use the Printer Configuration tool to configure printers.

15.1. Samba

Samba is an open source implementation of the Server Message Block (SMB) protocol. It allows the networking of Microsoft Windows®, Linux, UNIX, and other operating systems together, enabling access to Windows-based file and printer shares. Samba's use of SMB allows it to appear as a Windows server to Windows clients.

Installing the samba package

In order to use Samba, first ensure the samba package is installed on your system by running, as root:
yum install samba
For more information on installing packages with Yum, refer to "Installing Packages".

15.1.1. Introduction to Samba

The third major release of Samba, version 3.0.0, introduced numerous improvements from prior versions, including:
  • The ability to join an Active Directory domain by means of the Lightweight Directory Access Protocol (LDAP) and Kerberos
  • Built-in Unicode support for internationalization
  • Support for all recent Microsoft Windows server and client versions connecting to a Samba server without needing local registry changes
  • Two new documents developed by the Samba.org team, which include a 400+ page reference manual, and a 300+ page implementation and integration manual. For more information about these published titles, refer to "Related Books".

15.1.1.1. Samba Features

Samba is a powerful and versatile server application. Even seasoned system administrators must know its possibilities and limitations before attempting installation and configuration.
What Samba can do:
  • Serve directory trees and printers to Linux, UNIX, and Windows clients
  • Assist in network browsing (with or without NetBIOS)
  • Authenticate Windows domain logins
  • Provide Windows Internet Name Service (WINS) name server resolution
  • Act as a Windows NT®-style Primary Domain Controller (PDC)
  • Act as a Backup Domain Controller (BDC) for a Samba-based PDC
  • Act as an Active Directory domain member server
  • Join a Windows NT/2000/2003/2008 PDC
What Samba cannot do:
  • Act as a BDC for a Windows PDC (and vice versa)
  • Act as an Active Directory domain controller

15.1.2. Samba Daemons and Related Services

The following is a brief introduction to the individual Samba daemons and services.

15.1.2.1. Samba Daemons

Samba consists of three daemons (smbd, nmbd, and winbindd). Three services (smb, nmb, and winbind) control how the daemons are started and stopped and provide other service-related features; each is a separate service unit. Each daemon is listed in detail below, as well as which specific service has control over it.
smbd
The smbd server daemon provides file sharing and printing services to Windows clients. In addition, it is responsible for user authentication, resource locking, and data sharing through the SMB protocol. The default ports on which the server listens for SMB traffic are TCP ports 139 and 445.
The smbd daemon is controlled by the smb service.
nmbd
The nmbd server daemon understands and replies to NetBIOS name service requests such as those produced by SMB/Common Internet File System (CIFS) in Windows-based systems. These systems include Windows 95/98/ME, Windows NT, Windows 2000, Windows XP, and LanManager clients. It also participates in the browsing protocols that make up the Windows Network Neighborhood view. The default port on which the server listens for NetBIOS name service traffic is UDP port 137; the NetBIOS datagram service used by browsing runs on UDP port 138.
The nmbd daemon is controlled by the nmb service.
winbindd
The winbind service resolves user and group information on a server running Windows NT, 2000, 2003 or Windows Server 2008. This makes Windows user and group information understandable by UNIX platforms. This is achieved by using Microsoft RPC calls, Pluggable Authentication Modules (PAM), and the Name Service Switch (NSS). This allows Windows NT domain users to appear and operate as UNIX users on a UNIX machine. Though bundled with the Samba distribution, the winbind service is controlled separately from the smb service.
The winbindd daemon is controlled by the winbind service and does not require the smb service to be started in order to operate. winbindd is also used when Samba is an Active Directory member, and may also be used on a Samba domain controller (to implement nested groups and/or interdomain trust). Because winbind is a client-side service used to connect to Windows NT-based servers, further discussion of winbind is beyond the scope of this chapter.

Obtaining a list of utilities that are shipped with Samba

You may refer to "Samba Distribution Programs" for a list of utilities included in the Samba distribution.

15.1.3. Connecting to a Samba Share

You can use Nautilus to view available Samba shares on your network. To view a list of Samba workgroups and domains on your network, select Applications → Accessories → Files from the Activities menu, and click Browse Network in the sidebar.
Figure 15.1. Browsing a network in Nautilus

An icon appears for each available SMB workgroup or domain on the network. Double-click one of the workgroup/domain icons to view a list of computers within the workgroup/domain.
Each machine within the workgroup is represented by its own icon. Double-click on an icon to view the Samba shares on the machine. If a username and password combination is required, you are prompted for them.
Alternately, you can also specify the Samba server and sharename in the Location: bar for Nautilus using the following syntax (replace servername and sharename with the appropriate values):
smb://servername/sharename

15.1.3.1. Command Line

To query the network for Samba servers, use the findsmb command. For each server found, it displays its IP address, NetBIOS name, workgroup name, operating system, and SMB server version.
To connect to a Samba share from a shell prompt, type the following command:
smbclient //hostname/sharename -U username
Replace hostname with the hostname or IP address of the Samba server you want to connect to, sharename with the name of the shared directory you want to browse, and username with the Samba username for the system. Enter the correct password or press Enter if no password is required for the user.
If you see the smb:\> prompt, you have successfully logged in. Once you are logged in, type help for a list of commands. If you wish to browse the contents of your home directory, replace sharename with your username. If the -U switch is not used, the username of the current user is passed to the Samba server.
To exit smbclient, type exit at the smb:\> prompt.

15.1.3.2. Mounting the Share

Sometimes it is useful to mount a Samba share to a directory so that the files in the directory can be treated as if they were part of the local file system.
To mount a Samba share to a directory, create a directory to mount it to (if it does not already exist), and execute the following command as root:
mount -t cifs //servername/sharename /mnt/point/ -o username=username,password=password
This command mounts sharename from servername in the local directory /mnt/point/. A password given on the command line this way is visible to every user in the process list and is saved in the shell history; for anything beyond a one-off test, put the username and password in a file readable only by root and reference it with the credentials= option of mount.cifs instead.

Installing cifs-utils package

The mount.cifs utility is a separate RPM (independent from Samba). In order to use mount.cifs, first ensure the cifs-utils package is installed on your system by running, as root:
yum install cifs-utils
For more information on installing packages with Yum, refer to "Installing Packages".
Note that the cifs-utils package also contains the cifs.upcall binary called by the kernel in order to perform kerberized CIFS mounts. For more information on cifs.upcall, refer to man cifs.upcall.
For more information on mounting a Samba share, refer to man mount.cifs.

CIFS servers that require plain text passwords

Some CIFS servers require plain text passwords for authentication. Support for plain text password authentication can be enabled using the following command as root:
echo 0x37 > /proc/fs/cifs/SecurityFlags
WARNING: This value permits plain text (and LanMan) authentication, so the password, or a hash that is trivially recovered from it, crosses the network where anyone on the path can capture it. Read the current value from the same file before changing it, and write it back as soon as the mount is complete.
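As an added example that is not part of this documentation, the following Python decodes a SecurityFlags value into the mechanisms it permits or requires, so you can see exactly what 0x37 switches on and build a value that keeps only the mechanisms you need. Its one assumption is the bit layout: the CIFSSEC_MAY_*/CIFSSEC_MUST_* table documented for the Linux cifs client, where a "must" setting is the "may" bit plus the same bit shifted 12 places. Confirm it against the cifs README of the kernel you run before relying on it.

```python
"""Decode and build /proc/fs/cifs/SecurityFlags values.

Added example, not taken from the Fedora documentation or from the
kernel.  ASSUMPTION: the bit layout below is the CIFSSEC_MAY_* /
CIFSSEC_MUST_* table from the Linux cifs client documentation; a
"must" setting is the "may" bit plus the same bit shifted 12 places
(may_sign = 0x00001, must_sign = 0x01001).  Confirm against the
cifs README of the kernel you run before relying on it.
"""

MAY_FLAGS = {
    "sign":    0x00001,
    "ntlm":    0x00002,
    "ntlmv2":  0x00004,
    "krb5":    0x00008,
    "lanman":  0x00010,
    "plntxt":  0x00020,
    "seal":    0x00040,
    "ntlmssp": 0x00080,
}
MUST_SHIFT = 12

# Mechanisms that expose the password, or a hash trivially cracked to it,
# to anyone who can read the wire.
WEAK = {"lanman", "plntxt"}


def decode_flags(value):
    """Split a SecurityFlags value into (may, must) sets of mechanism names."""
    may, must = set(), set()
    for name, bit in MAY_FLAGS.items():
        if value & bit:
            may.add(name)
        if value & (bit << MUST_SHIFT):
            must.add(name)
    return may, must


def weak_mechanisms(value):
    """Sorted names of insecure mechanisms the value allows or requires."""
    may, must = decode_flags(value)
    return sorted((may | must) & WEAK)


def encode_flags(may=(), must=()):
    """Build a SecurityFlags value from mechanism names (must implies may)."""
    value = 0
    for name in may:
        value |= MAY_FLAGS[name]
    for name in must:
        value |= MAY_FLAGS[name] | (MAY_FLAGS[name] << MUST_SHIFT)
    return value


def parse_proc_value(text):
    """Parse the hex string read from /proc/fs/cifs/SecurityFlags."""
    return int(text.strip(), 16)


def describe(raw):
    """One-line summary for a raw hex string, as printed by the demo below."""
    value = parse_proc_value(raw)
    may, must = decode_flags(value)
    return (f"{raw}: may={sorted(may)} must={sorted(must)} "
            f"weak={weak_mechanisms(value)}")


if __name__ == "__main__":
    # 0x37 is the value from the documentation above; 0x4004 is what
    # encode_flags(must=["ntlmv2"]) produces (NTLMv2 required, nothing weaker).
    for raw in ("0x37", "0x4004", hex(encode_flags(may=["krb5", "ntlmv2", "sign"]))):
        print(describe(raw))
```

Run stand-alone, 0x37 decodes to sign, ntlm, ntlmv2, lanman and plntxt with lanman and plntxt reported as weak; encode_flags(must=["ntlmv2"]) gives 0x4004, a reasonable value to write back once the one-off mount is done if you did not record the previous one.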

15.1.4. Configuring a Samba Server

The default configuration file (/etc/samba/smb.conf) allows users to view their home directories as a Samba share. It also shares all printers configured for the system as Samba shared printers. In other words, you can attach a printer to the system and print to it from the Windows machines on your network.

15.1.4.1. Graphical Configuration

To configure Samba using a graphical interface, use one of the available Samba graphical user interfaces. A list of available GUIs can be found at http://www.samba.org/samba/GUI/.

15.1.4.2. Command Line Configuration

Samba uses /etc/samba/smb.conf as its configuration file. If you change this configuration file, the changes do not take effect until you restart the Samba daemon with the following command, as root:
systemctl restart smb.service
To specify the Windows workgroup and a brief description of the Samba server, edit the following lines in your /etc/samba/smb.conf file:
workgroup = WORKGROUPNAME
server string = BRIEF COMMENT ABOUT SERVER
Replace WORKGROUPNAME with the name of the Windows workgroup to which this machine should belong. The BRIEF COMMENT ABOUT SERVER is optional and is used as the Windows comment about the Samba system.
To create a Samba share directory on your Linux system, add the following section to your /etc/samba/smb.conf file (after modifying it to reflect your needs and your system):
[sharename]
comment = Insert a comment here
path = /home/share/
valid users = tfox carole
public = no
writable = yes
printable = no
create mask = 0765
The above example allows the users tfox and carole to read and write to the directory /home/share, on the Samba server, from a Samba client.

15.1.4.3. Encrypted Passwords

Encrypted passwords are enabled by default because this is more secure. To create a user with an encrypted password, use the command smbpasswd -a username.

15.1.5. Starting and Stopping Samba

To start a Samba server, type the following command in a shell prompt, as root:
systemctl start smb.service

Setting up a domain member server

To set up a domain member server, you must first join the domain or Active Directory using the net rpc join or net ads join command before starting the smb service.
To stop the server, type the following command in a shell prompt, as root:
systemctl stop smb.service
The restart option is a quick way of stopping and then starting Samba. This is the most reliable way to make configuration changes take effect after editing the configuration file for Samba. Note that the restart option starts the daemon even if it was not running originally.
To restart the server, type the following command in a shell prompt, as root:
systemctl restart smb.service
The condrestart (conditional restart) option only starts smb on the condition that it is currently running. This option is useful for scripts, because it does not start the daemon if it is not running.

Applying the changes to the configuration

When the /etc/samba/smb.conf file is changed, Samba automatically reloads it after a few minutes. Issuing a manual restart or reload is just as effective.
To conditionally restart the server, type the following command, as root:
systemctl condrestart smb.service
A manual reload of the /etc/samba/smb.conf file can be useful in case of a failed automatic reload by the smb service. To ensure that the Samba server configuration file is reloaded without restarting the service, type the following command, as root:
systemctl reload smb.service
By default, the smb service does not start automatically at boot time. To configure Samba to start at boot time, enable the unit with systemctl. Refer to Chapter 7, Services and Daemons for more information regarding this tool.

15.1.6. Samba Server Types and the smb.conf File

Samba configuration is straightforward. All modifications to Samba are done in the /etc/samba/smb.conf configuration file. Although the default smb.conf file is well documented, it does not address complex topics such as LDAP, Active Directory, and the numerous domain controller implementations.
The following sections describe the different ways a Samba server can be configured. Keep in mind your needs and the changes required to the /etc/samba/smb.conf file for a successful configuration.

15.1.6.1. Stand-alone Server

A stand-alone server can be a workgroup server or a member of a workgroup environment. A stand-alone server is not a domain controller and does not participate in a domain in any way. The following examples include several anonymous share-level security configurations and one user-level security configuration. For more information on share-level and user-level security modes, refer to 「Samba のセキュリティモード」.
15.1.6.1.1. Anonymous Read-Only
The following /etc/samba/smb.conf file shows a sample configuration needed to implement anonymous read-only file sharing. The security = share parameter makes a share anonymous. Note, security levels for a single Samba server cannot be mixed. The security directive is a global Samba parameter located in the [global] configuration section of the /etc/samba/smb.conf file.
[global]
workgroup = DOCS
netbios name = DOCS_SRV
security = share
[data]
comment = Documentation Samba Server
path = /export
read only = Yes
guest only = Yes
15.1.6.1.2. Anonymous Read/Write
The following /etc/samba/smb.conf file shows a sample configuration needed to implement anonymous read/write file sharing. To enable anonymous read/write file sharing, set the read only directive to no. The force user and force group directives are also added to enforce the ownership of any newly placed files specified in the share.

Do not use anonymous read/write servers

Although having an anonymous read/write server is possible, it is not recommended. Any files placed in the share space, regardless of user, are assigned the user/group combination as specified by a generic user (force user) and group (force group) in the /etc/samba/smb.conf file.
[global]
workgroup = DOCS
netbios name = DOCS_SRV
security = share
[data]
comment = Data
path = /export
force user = docsbot
force group = users
read only = No
guest ok = Yes
15.1.6.1.3. Anonymous Print Server
The following /etc/samba/smb.conf file shows a sample configuration needed to implement an anonymous print server. Setting browseable to No as shown does not list the printer in Windows Network Neighborhood. Although hidden from browsing, configuring the printer explicitly is possible. By connecting to DOCS_SRV using NetBIOS, the client can have access to the printer if the client is also part of the DOCS workgroup. It is also assumed that the client has the correct local printer driver installed, as the use client driver directive is set to Yes. In this case, the Samba server has no responsibility for sharing printer drivers to the client.
[global]
workgroup = DOCS
netbios name = DOCS_SRV
security = share
printcap name = cups
disable spoolss = Yes
show add printer wizard = No
printing = cups
[printers]
comment = All Printers
path = /var/spool/samba
guest ok = Yes
printable = Yes
use client driver = Yes
browseable = No
15.1.6.1.4. Secure Read/Write File and Print Server
The following /etc/samba/smb.conf file shows a sample configuration needed to implement a secure read/write file and print server. Setting the security directive to user forces Samba to authenticate client connections. Notice the [homes] share does not have a force user or force group directive as the [public] share does. The [homes] share uses the authenticated user details for any files created as opposed to the force user and force group in [public].
[global]
workgroup = DOCS
netbios name = DOCS_SRV
security = user
printcap name = cups
disable spoolss = Yes
show add printer wizard = No
printing = cups
[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No
[public]
comment = Data
path = /export
force user = docsbot
force group = users
guest ok = Yes
[printers]
comment = All Printers
path = /var/spool/samba
printer admin = john, ed, @admins
create mask = 0600
guest ok = Yes
printable = Yes
use client driver = Yes
browseable = Yes

15.1.6.2. Domain Member Server

A domain member, while similar to a stand-alone server, is logged into a domain controller (either Windows or Samba) and is subject to the domain's security rules. An example of a domain member server would be a departmental server running Samba that has a machine account on the Primary Domain Controller (PDC). All of the department's clients still authenticate with the PDC, and desktop profiles and all network policy files are included. The difference is that the departmental server has the ability to control printer and network shares.
15.1.6.2.1. Active Directory Domain Member Server
The following /etc/samba/smb.conf file shows a sample configuration needed to implement an Active Directory domain member server. In this example, Samba authenticates users for services being run locally but is also a client of the Active Directory. Ensure that your kerberos realm parameter is shown in all caps (for example realm = EXAMPLE.COM). Since Windows 2000/2003/2008 requires Kerberos for Active Directory authentication, the realm directive is required. If Active Directory and Kerberos are running on different servers, the password server directive may be required to help the distinction.
[global]
realm = EXAMPLE.COM
security = ADS
encrypt passwords = yes
# Optional. Use only if Samba cannot determine the Kerberos server automatically.
password server = kerberos.example.com
To join a member server to an Active Directory domain, the following steps are required:
  • Configuration of the /etc/samba/smb.conf file on the member server
  • Configuration of Kerberos, including the /etc/krb5.conf file, on the member server
  • Creation of the machine account on the Active Directory domain server
  • Association of the member server to the Active Directory domain
To create the machine account and join the Windows 2000/2003/2008 Active Directory, Kerberos must first be initialized for the member server wishing to join the Active Directory domain. To obtain an administrative Kerberos ticket, type the following command as root on the member server:
kinit administrator@EXAMPLE.COM
The kinit command references the Active Directory administrator account and Kerberos realm. Since Active Directory requires Kerberos tickets, kinit obtains and caches a Kerberos ticket-granting ticket for client/server authentication. For more information on Kerberos, the /etc/krb5.conf file, and the kinit command, refer to the Using Kerberos section of the Red Hat Enterprise Linux 6 Managing Single Sign-On and Smart Cards guide.
To join an Active Directory server (windows1.example.com), type the following command as root on the member server:
net ads join -S windows1.example.com -U administrator%password
Since the machine windows1 was automatically found in the corresponding Kerberos realm (the kinit command succeeded), the net command connects to the Active Directory server using its required administrator account and password. This creates the appropriate machine account on the Active Directory and grants permissions to the Samba domain member server to join the domain. If you omit the %password part, net prompts for the password instead, which keeps it out of the process list and the shell history.

The security option

Because security = ads rather than security = user is used, a local password back end such as smbpasswd is not needed. Older clients that do not support security = ads are authenticated as if security = domain had been set. This does not reduce functionality, and local users who were not previously in the domain can still be allowed.
15.1.6.2.2. Windows NT4-based Domain Member Server
The following /etc/samba/smb.conf file shows a sample configuration needed to implement a Windows NT4-based domain member server. Becoming a member server of an NT4-based domain is similar to connecting to an Active Directory. The main difference is NT4-based domains do not use Kerberos in their authentication method, making the /etc/samba/smb.conf file simpler. In this instance, the Samba member server functions as a pass through to the NT4-based domain server.
[global]
workgroup = DOCS
netbios name = DOCS_SRV
security = domain
[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No
[public]
comment = Data
path = /export
force user = docsbot
force group = users
guest ok = Yes
Having Samba as a domain member server can be useful in many situations. There are times where the Samba server can have other uses besides file and printer sharing. It may be beneficial to make Samba a domain member server in instances where Linux-only applications are required for use in the domain environment. Administrators appreciate keeping track of all machines in the domain, even if not Windows-based. In the event the Windows-based server hardware is retired, it is quite easy to modify the /etc/samba/smb.conf file to convert the server to a Samba-based PDC. If Windows NT-based servers are upgraded to Windows 2000/2003/2008, the /etc/samba/smb.conf file is easily modifiable to incorporate the infrastructure change to Active Directory if needed.

Make sure you join the domain before starting Samba

After configuring the /etc/samba/smb.conf file, join the domain before starting Samba by typing the following command as root:
net rpc join -U administrator%password
Note that the -S option, which specifies the domain server hostname, does not need to be stated in the net rpc join command. Samba locates a domain controller for the domain named by the workgroup directive in the /etc/samba/smb.conf file instead. Omitting %password makes net prompt for the password rather than exposing it on the command line.

15.1.6.3. Domain Controller

A domain controller in Windows NT is functionally similar to a Network Information Service (NIS) server in a Linux environment. Domain controllers and NIS servers both host user and group information databases as well as related services. Domain controllers are mainly used for security, including the authentication of users accessing domain resources. The service that maintains the integrity of the user and group database is called the Security Account Manager (SAM). The SAM database is stored differently on Windows and on Linux Samba-based systems, so SAM replication between them cannot be achieved and the platforms cannot be mixed in a PDC/BDC environment.
In a Samba environment, there can be only one PDC and zero or more BDCs.

A mixed Samba/Windows domain controller environment

Samba cannot exist in a mixed Samba/Windows domain controller environment (Samba cannot be a BDC of a Windows PDC or vice versa). Samba PDCs and BDCs, however, can coexist.
15.1.6.3.1. Primary Domain Controller (PDC) using tdbsam
The simplest and most common implementation of a Samba PDC uses the new default tdbsam password database back end. Replacing the aging smbpasswd back end, tdbsam has numerous improvements that are explained in more detail in 「Samba のアカウント情報データベース」. The passdb backend directive controls which back end is to be used for the PDC.
The following /etc/samba/smb.conf file shows a sample configuration needed to implement a tdbsam password database back end.
[global]
workgroup = DOCS
netbios name = DOCS_SRV
passdb backend = tdbsam
security = user
add user script = /usr/sbin/useradd -m "%u"
delete user script = /usr/sbin/userdel -r "%u"
add group script = /usr/sbin/groupadd "%g"
delete group script = /usr/sbin/groupdel "%g"
# -a appends to the user's supplementary groups; without it usermod -G
# replaces the whole list and silently drops existing memberships.
add user to group script = /usr/sbin/usermod -a -G "%g" "%u"
# The "machines" group must exist before the first workstation joins.
add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null -g machines "%u"
# The following specifies the default logon script.
# Per user logon scripts can be specified in the user
# account using pdbedit.
logon script = logon.bat
# This sets the default profile path, which points at the
# [Profiles] share below. Set per user paths with pdbedit.
logon path = \\%L\Profiles\%U
logon drive = H:
domain logons = Yes
os level = 35
preferred master = Yes
domain master = Yes
[homes]
	comment = Home Directories
	valid users = %S
	read only = No
[netlogon]
	comment = Network Logon Service
	path = /var/lib/samba/netlogon/scripts
	browseable = No
	# Logon scripts run on every client at logon; only the
	# administrators group may change them.
	read only = Yes
	write list = @ntadmins
# For profiles to work, create a user directory under the
# path shown, for example (as root): mkdir -p /var/lib/samba/profiles/john
[Profiles]
	comment = Roaming Profile Share
	path = /var/lib/samba/profiles
	read only = No
	browseable = No
	# Do not set guest ok here: profiles must only be reachable by
	# authenticated users.
	profile acls = Yes
# Other resource shares ... ...
To provide a functional PDC system which uses tdbsam, follow these steps:
  1. Use a configuration of the smb.conf file as shown in the example above.
  2. Add the root user to the Samba password database. This Samba account is used for domain administration (for example the net rpc rights command below); give it a strong password that differs from the UNIX root password:
    smbpasswd -a root
  3. Start the smb service.
  4. Make sure all profile, user, and netlogon directories are created.
  5. Add groups that users can be members of. The machines group is also required, because the add machine script in the example above places workstation trust accounts in it:
    groupadd -f users
    groupadd -f nobody
    groupadd -f ntadmins
    groupadd -f machines
  6. Associate the UNIX groups with their respective Windows groups:
    net groupmap add ntgroup="Domain Users" unixgroup=users
    net groupmap add ntgroup="Domain Guests" unixgroup=nobody
    net groupmap add ntgroup="Domain Admins" unixgroup=ntadmins
  7. Grant access rights to a user or a group. For example, to grant the members of the Domain Admins group the right to add client machines to the domain on a Samba domain controller, execute the following command:
    net rpc rights grant 'DOCS\Domain Admins' SetMachineAccountPrivilege -S PDC -U root
Keep in mind that Windows systems prefer to have a primary group which is mapped to a domain group such as Domain Users.
Windows groups and users share the same namespace, so, unlike on UNIX, a group and a user cannot have the same name.

Limitations of the tdbsam authentication back end

If you need more than one domain controller or have more than 250 users, do not use a tdbsam authentication back end. LDAP is recommended in these cases.
15.1.6.3.2. Primary Domain Controller (PDC) with Active Directory
Although it is possible for Samba to be a member of an Active Directory, it is not possible for Samba to operate as an Active Directory domain controller.

15.1.7. Samba のセキュリティモード

There are only two types of security modes for Samba, share-level and user-level, which are collectively known as security levels. Share-level security can only be implemented in one way, while user-level security can be implemented in one of four different ways. The different ways of implementing a security level are called security modes.

15.1.7.1. User-Level Security

User-level security is the default setting for Samba. Even if the security = user directive is not listed in the /etc/samba/smb.conf file, it is used by Samba. If the server accepts the client's username/password, the client can then mount multiple shares without specifying a password for each instance. Samba can also accept session-based username/password requests. The client maintains multiple authentication contexts by using a unique UID for each logon.
In the /etc/samba/smb.conf file, the security = user directive that sets user-level security is:
[GLOBAL]
...
security = user
...
The following sections describe other implementations of user-level security.
15.1.7.1.1. Domain Security Mode (User-Level Security)
In domain security mode, the Samba server has a machine account (domain security trust account) and causes all authentication requests to be passed through to the domain controllers. The Samba server is made into a domain member server by using the following directives in the /etc/samba/smb.conf file:
[GLOBAL]
...
security = domain
workgroup = MARKETING
...
15.1.7.1.2. Active Directory Security Mode (User-Level Security)
If you have an Active Directory environment, it is possible to join the domain as a native Active Directory member. Even if a security policy restricts the use of NT-compatible authentication protocols, the Samba server can join an ADS using Kerberos.
In the /etc/samba/smb.conf file, the following directives make Samba an Active Directory member server:
[GLOBAL]
...
security = ADS
realm = EXAMPLE.COM
password server = kerberos.example.com
...
15.1.7.1.3. Server Security Mode (User-Level Security)
Server security mode was previously used when Samba was not capable of acting as a domain member server.

Avoid using server security mode

It is highly recommended not to use this mode since there are numerous security drawbacks: Samba holds no trust account with the password server, so it cannot verify that it is talking to the genuine one, and it must keep a session open to that server for every client it authenticates.
In the /etc/samba/smb.conf, the following directives enable Samba to operate in server security mode:
[GLOBAL]
...
encrypt passwords = Yes
security = server
password server = "NetBIOS_of_Domain_Controller"
...

15.1.7.2. Share-Level Security

With share-level security, the server accepts only a password without an explicit username from the client. The server expects a password for each share, independent of the username. There have been recent reports that Microsoft Windows clients have compatibility issues with share-level security servers. Samba developers strongly discourage use of share-level security.
In the /etc/samba/smb.conf file, the security = share directive that sets share-level security is:
[GLOBAL]
...
security = share
...
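The stand-alone configurations in 15.1.6.1 and the security modes above give enough rules to check a configuration mechanically. The following Python, an added example that is not part of this documentation or of Samba, parses an smb.conf, normalises the synonyms Samba accepts (public for guest ok; writable, writeable and write ok as the inverse of read only), and reports share-level or server security, disabled password encryption and anonymous writable shares. It handles only the syntax shown in this chapter (it does not follow include = lines or expand % variables), and the sample configuration embedded in it is the anonymous read/write server from 15.1.6.1.2.

```python
"""Parse an smb.conf and flag the weak settings discussed in this chapter.

Added example, not part of the Fedora documentation or of Samba itself.
Understands sections, "key = value" lines and #/; comments only; does not
follow "include =" or expand %-variables.
"""
import re

SECTION_RE = re.compile(r"^\[(.+)\]$")
TRUE_WORDS = {"yes", "true", "1"}
FALSE_WORDS = {"no", "false", "0"}

# Synonyms Samba accepts; the audit looks at the canonical name only.
GUEST_SYNONYMS = {"public"}
WRITABLE_SYNONYMS = {"writable", "writeable", "write ok"}  # inverse of "read only"

DESCRIPTIONS = {
    "share-level-security": "security = share: passwords without usernames; discouraged by the Samba developers",
    "server-security-mode": "security = server: no trust account with the password server; avoid",
    "plaintext-passwords": "encrypt passwords = no: clients may send passwords in plain text",
    "anonymous-writable-share": "guest ok with read only = no: anyone on the network can write here",
    "guest-writes-without-force-user": "anonymous writes are not pinned to a dedicated account (no force user)",
}


def as_bool(value, default):
    """Interpret a Samba boolean; unknown words fall back to `default`."""
    v = value.strip().lower()
    if v in TRUE_WORDS:
        return True
    if v in FALSE_WORDS:
        return False
    return default


def parse_smb_conf(text):
    """Return {section: {param: value}} with lower-cased, canonical keys."""
    conf = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = " ".join(key.lower().split())   # "Read  Only" -> "read only"
        value = value.strip()
        if key in GUEST_SYNONYMS:
            key = "guest ok"
        elif key in WRITABLE_SYNONYMS:
            # writable = yes  <=>  read only = no
            key, value = "read only", ("no" if as_bool(value, False) else "yes")
        conf[section][key] = value
    return conf


def audit(conf):
    """Return (section, code) findings; codes are keys of DESCRIPTIONS."""
    findings = []
    g = conf.get("global", {})
    security = g.get("security", "user").lower()      # Samba's default is user
    if security == "share":
        findings.append(("global", "share-level-security"))
    elif security == "server":
        findings.append(("global", "server-security-mode"))
    if not as_bool(g.get("encrypt passwords", "yes"), True):
        findings.append(("global", "plaintext-passwords"))

    for name, params in conf.items():
        if name == "global":
            continue
        guest = as_bool(params.get("guest ok", "no"), False)       # default: no guests
        read_only = as_bool(params.get("read only", "yes"), True)  # default: read-only
        if guest and not read_only:
            findings.append((name, "anonymous-writable-share"))
            if "force user" not in params:
                findings.append((name, "guest-writes-without-force-user"))
    return findings


# Constructed sample: the chapter's anonymous read/write server.
SAMPLE = """\
[global]
workgroup = DOCS
netbios name = DOCS_SRV
security = share
[data]
comment = Data
path = /export
force user = docsbot
force group = users
read only = No
guest ok = Yes
"""

if __name__ == "__main__":
    for section, code in audit(parse_smb_conf(SAMPLE)):
        print(f"[{section}] {DESCRIPTIONS[code]}")
```

Run on the embedded sample it reports share-level security in [global] and the anonymous writable [data] share; the secure configuration in 15.1.6.1.4 produces no findings because its [public] share keeps the read only default.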

15.1.8. Samba Account Information Databases

The latest release of Samba offers many new features including new password database back ends not previously available. Samba version 3.0.0 fully supports all databases used in previous versions of Samba. However, although supported, many back ends may not be suitable for production use.
The following is a list of different back ends you can use with Samba. Other back ends not listed here may also be available.
Plain Text
Plain text back ends are nothing more than the /etc/passwd type back ends. With a plain text back end, all usernames and passwords are sent unencrypted between the client and the Samba server. This method is very insecure and is not recommended for use by any means. Some Windows clients also refuse to send plain text passwords and therefore cannot authenticate to such a server.
smbpasswd
A popular back end used in previous Samba packages, the smbpasswd back end utilizes a plain ASCII text layout that includes the MS Windows LanMan and NT account, and encrypted password information. The smbpasswd back end lacks the storage of the Windows NT/2000/2003 SAM extended controls. The smbpasswd back end is not recommended because it does not scale well or hold any Windows information, such as RIDs for NT-based groups. The tdbsam back end solves these issues for use in a smaller database (250 users), but is still not an enterprise-class solution.
ldapsam_compat
The ldapsam_compat back end allows continued OpenLDAP support for use with upgraded versions of Samba. This option is normally used when migrating to Samba 3.0.
tdbsam
The new default tdbsam password back end provides an ideal database back end for local servers, servers that do not need built-in database replication, and servers that do not require the scalability or complexity of LDAP. The tdbsam back end includes all of the smbpasswd database information as well as the previously-excluded SAM information. The inclusion of the extended SAM data allows Samba to implement the same account and system access controls as seen with Windows NT/2000/2003/2008-based systems.
The tdbsam back end is recommended for 250 users at most. Larger organizations should use Active Directory or LDAP integration due to scalability and possible network infrastructure concerns.
ldapsam
The ldapsam back end provides an optimal distributed account installation method for Samba. LDAP is optimal because of its ability to replicate its database to any number of servers such as the Red Hat Directory Server or an OpenLDAP Server. LDAP databases are light-weight and scalable, and as such are preferred by large enterprises. Installation and configuration of directory servers is beyond the scope of this chapter. For more information on the Red Hat Directory Server, refer to the Red Hat Directory Server 8.2 Deployment Guide. For more information on LDAP, refer to "OpenLDAP".
If you are upgrading from a previous version of Samba to 3.0, note that the OpenLDAP schema file (/usr/share/doc/samba-version/LDAP/samba.schema) and the Red Hat Directory Server schema file (/usr/share/doc/samba-version/LDAP/samba-schema-FDS.ldif) have changed. These files contain the attribute syntax definitions and objectclass definitions that the ldapsam back end needs in order to function properly.
As such, if you are using the ldapsam back end for your Samba server, you will need to configure slapd to include one of these schema files. Refer to "Extending Schema" for directions on how to do this.

Make sure the openldap-server package is installed

You need to have the openldap-server package installed if you want to use the ldapsam back end.
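To make the smbpasswd layout described above concrete, here is an added Python example (not part of this documentation or of Samba) that parses an smbpasswd-format file and reports the conditions a reviewer looks for: a LanMan hash left on disk, accounts with the N (no password) flag or an empty NT hash, disabled accounts, and passwords older than a threshold, using the LCT-<hex> last-change field. The layout is the one documented in smbpasswd(5); the account lines are constructed, and the two hash values are the well-known LanMan and NT hashes of the string "password", which any wordlist attack recovers immediately.

```python
"""Audit a Samba smbpasswd-format account file.

Added example; not part of the Fedora documentation or of Samba.
The field layout user:uid:LM hash:NT hash:[flags]:LCT-<hex>: is the
one documented in smbpasswd(5).  The account lines in SAMPLE are
constructed; the two hash values are the well-known LanMan and NT
hashes of the string "password".
"""

DAY = 86400


def _is_absent(h):
    """True for the markers smbpasswd writes when no hash is stored."""
    return h == "X" * len(h) or h.startswith("NO PASSWORD")


def parse_smbpasswd(text):
    """Return one dict per account line; comments and short lines are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 6:
            continue
        user, uid, lm, nt, flags, lct = fields[:6]
        records.append({
            "user": user,
            "uid": int(uid),
            "lm_hash": lm.upper(),
            "nt_hash": nt.upper(),
            # "[UD         ]" -> {"U", "D"}
            "flags": set(flags.strip("[] ")),
            # LCT-<hex> is the last password change time as a UNIX epoch
            "lct": int(lct[4:], 16) if lct.startswith("LCT-") else None,
        })
    return records


def audit_accounts(records, now, max_age_days=90):
    """Return (user, code) findings in file order.

    `now` is a UNIX epoch passed in explicitly so results are reproducible.
    """
    findings = []
    for r in records:
        machine = "W" in r["flags"]          # workstation trust account
        if not _is_absent(r["lm_hash"]):
            findings.append((r["user"], "lm-hash"))      # crackable LanMan hash on disk
        if "N" in r["flags"] or _is_absent(r["nt_hash"]):
            findings.append((r["user"], "no-password"))
        if "D" in r["flags"]:
            findings.append((r["user"], "disabled"))
        if (not machine and r["lct"] is not None
                and now - r["lct"] > max_age_days * DAY):
            findings.append((r["user"], "stale-password"))
    return findings


# Constructed sample lines (see module docstring).
SAMPLE = """\
# user:uid:LM hash:NT hash:[flags]:LCT-hex:
tfox:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:8846F7EAEE8FB117AD06BDD830B7586C:[U          ]:LCT-4E0A1B2C:
carole:1002:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C:[U          ]:LCT-4E0A1B2C:
guest1:1003:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NU         ]:LCT-00000000:
olduser:1004:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:8846F7EAEE8FB117AD06BDD830B7586C:[UD         ]:LCT-4E0A1B2C:
docsws$:1005:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:8846F7EAEE8FB117AD06BDD830B7586C:[W          ]:LCT-4E0A1B2C:
"""

if __name__ == "__main__":
    import time
    for user, code in audit_accounts(parse_smbpasswd(SAMPLE), now=int(time.time())):
        print(f"{user}: {code}")
```

The same checks apply to a tdbsam database once exported with pdbedit, since it stores the same LanMan and NT hashes plus the extended SAM fields; a stored LanMan hash is the finding to act on first, because it is independent of password length beyond 14 characters and is cracked far faster than the NT hash.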

15.1.9. Samba Network Browsing

Network browsing enables Windows and Samba servers to appear in the Windows Network Neighborhood. Inside the Network Neighborhood, servers are represented as icons; opening one displays the shares and printers that server makes available.
Network browsing requires NetBIOS over TCP/IP. NetBIOS-based networking uses broadcast (UDP) messages to manage the browse list. If NetBIOS and WINS are not the primary method of TCP/IP hostname resolution, other methods such as static files (/etc/hosts) or DNS must be used.
A domain master browser collates the browse lists from the local master browsers on all subnets, so that browsing can occur between workgroups and subnets. The domain master browser is usually also the local master browser for its own subnet.

15.1.9.1. Domain Browsing

By default, the Windows PDC for a domain is also the domain master browser for that domain. In this situation a Samba server must not be set up as the domain master browser, since two domain master browsers in one domain conflict with each other.
For subnets that do not include the Windows PDC, a Samba server can be implemented as a local master browser. Configuring the /etc/samba/smb.conf file for a local master browser (or for no browsing at all) in a domain controller environment is the same as the workgroup configuration.

15.1.9.2. WINS (Windows Internet Name Server)

Either a Samba server or a Windows NT server can function as a WINS server. When a WINS server is used with NetBIOS enabled, name queries are sent as UDP unicasts, which can be routed, so name resolution works across the whole network. Without a WINS server, the UDP broadcasts are limited to the local subnet and cannot reach other subnets, workgroups, or domains. If WINS replication is necessary, do not use Samba as your primary WINS server, as Samba does not currently support WINS replication.
In a mixed NT/2000/2003/2008 server and Samba environment, it is recommended that you use the Microsoft WINS capabilities. In a Samba-only environment, it is recommended that you use only one Samba server for WINS.
The following is an example of the /etc/samba/smb.conf file in which the Samba server is serving as a WINS server:
[global]
wins support = Yes

Using WINS

All servers (including Samba) must connect to a WINS server to resolve NetBIOS names. Without WINS, browsing is limited to the local subnet. Furthermore, even if a domain-wide browse list is obtained in some other way, hosts cannot resolve the names of clients without WINS.

15.1.10. CUPS 印刷サポートを使った Samba

Samba allows client machines to share printers connected to the Samba server. In addition, Samba also allows client machines to send documents built in Linux to Windows printer shares. Although there are other printing systems that function with Fedora, CUPS (Common UNIX Print System) is the recommended printing system due to its close integration with Samba.

15.1.10.1. Simple smb.conf Settings

The following example shows a very basic /etc/samba/smb.conf configuration for CUPS support:
[global]
load printers = Yes
printing = cups
printcap name = cups
[printers]
comment = All Printers
path = /var/spool/samba
browseable = No
public = Yes
guest ok = Yes
writable = No
printable = Yes
printer admin = @ntadmins
[print$]
comment = Printer Drivers Share
path = /var/lib/samba/drivers
write list = ed, john
printer admin = ed, john
Other printing configurations are also possible. To add security and privacy for the printing of confidential documents, users can have their own print spooler that is not in a public path. If a job fails, other users then have no access to the spooled file.
The print$ share contains printer drivers that clients download if they are not available locally. The print$ share is optional and may not be required, depending on the organization.
Setting browseable to Yes enables the printer to be viewed in the Windows Network Neighborhood, provided the Samba server is set up correctly in the domain or workgroup.

15.1.11. Samba ディストリビューションプログラム

findsmb

findsmb subnet_broadcast_address
The findsmb program is a Perl script which reports information about SMB-aware systems on a specific subnet. If no subnet is specified the local subnet is used. Items displayed include IP address, NetBIOS name, workgroup or domain name, operating system, and version.
The following example shows the output of executing findsmb as any valid user on a system:
~]$ findsmb
IP ADDR       NETBIOS NAME  WORKGROUP/OS/VERSION
------------------------------------------------------------------
10.1.59.25    VERVE         [MYGROUP] [Unix] [Samba 3.0.0-15]
10.1.59.26    STATION22     [MYGROUP] [Unix] [Samba 3.0.2-7.FC1]
10.1.56.45    TREK         +[WORKGROUP] [Windows 5.0] [Windows 2000 LAN Manager]
10.1.57.94    PIXEL         [MYGROUP] [Unix] [Samba 3.0.0-15]
10.1.57.137   MOBILE001     [WORKGROUP] [Windows 5.0] [Windows 2000 LAN Manager]
10.1.57.141   JAWS         +[KWIKIMART] [Unix] [Samba 2.2.7a-security-rollup-fix]
10.1.56.159   FRED         +[MYGROUP] [Unix] [Samba 3.0.0-14.3E]
10.1.59.192   LEGION       *[MYGROUP] [Unix] [Samba 2.2.7-security-rollup-fix]
10.1.56.205   NANCYN       +[MYGROUP] [Unix] [Samba 2.2.7a-security-rollup-fix]

net

net protocol function misc_options target_options
The net utility is similar to the net utility used for Windows and MS-DOS. The first argument is used to specify the protocol to use when executing a command. The protocol option can be ads, rap, or rpc for specifying the type of server connection. Active Directory uses ads, Win9x/NT3 uses rap, and Windows NT4/2000/2003/2008 uses rpc. If the protocol is omitted, net automatically tries to determine it.
The following example displays a list of the available shares for a host named wakko:
~]$ net -l share -S wakko
Password:
Enumerating shared resources (exports) on remote server:
Share name   Type     Description
----------   ----     -----------
data         Disk     Wakko data share
tmp          Disk     Wakko tmp share
IPC$         IPC      IPC Service (Samba Server)
ADMIN$       IPC      IPC Service (Samba Server)
The following example displays a list of Samba users for a host named wakko:
~]$ net -l user -S wakko
root password:
User name             Comment
-----------------------------
andriusb              Documentation
joe                   Marketing
lisa                  Sales

nmblookup

nmblookup options netbios_name
The nmblookup program resolves NetBIOS names into IP addresses. The program broadcasts its query on the local subnet until the target machine replies.
The following is an example:
~]$ nmblookup trek
querying trek on 10.1.59.255
10.1.56.45 trek<00>

pdbedit

pdbedit options
The pdbedit program manages accounts located in the SAM database. All back ends are supported including smbpasswd, LDAP, and the tdb database library.
The following example shows how to add, delete, and list users:
~]$ pdbedit -a kristin
new password:
retype new password:
Unix username:        kristin
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-1210235352-3804200048-1474496110-2012
Primary Group SID:    S-1-5-21-1210235352-3804200048-1474496110-2077
Full Name:
Home Directory:       \\wakko\kristin
HomeDir Drive:
Logon Script:
Profile Path:         \\wakko\kristin\profile
Domain:               WAKKO
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Mon, 18 Jan 2038 22:14:07 GMT
Kickoff time:         Mon, 18 Jan 2038 22:14:07 GMT
Password last set:    Thu, 29 Jan 2004 08:29:28 GMT
Password can change:  Thu, 29 Jan 2004 08:29:28 GMT
Password must change: Mon, 18 Jan 2038 22:14:07 GMT
~]$ pdbedit -v -L kristin
Unix username:        kristin
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-1210235352-3804200048-1474496110-2012
Primary Group SID:    S-1-5-21-1210235352-3804200048-1474496110-2077
Full Name:
Home Directory:       \\wakko\kristin
HomeDir Drive:
Logon Script:
Profile Path:         \\wakko\kristin\profile
Domain:               WAKKO
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Mon, 18 Jan 2038 22:14:07 GMT
Kickoff time:         Mon, 18 Jan 2038 22:14:07 GMT
Password last set:    Thu, 29 Jan 2004 08:29:28 GMT
Password can change:  Thu, 29 Jan 2004 08:29:28 GMT
Password must change: Mon, 18 Jan 2038 22:14:07 GMT
~]$ pdbedit -L
andriusb:505:
joe:503:
lisa:504:
kristin:506:
~]$ pdbedit -x joe
~]$ pdbedit -L
andriusb:505:
lisa:504:
kristin:506:
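The verbose listing above is the natural input for a periodic account review. The following Python script is an added example, not part of this guide or of Samba: it parses `pdbedit -v -L` output, interprets the account flag letters as documented in smbpasswd(5) (N: no password required, X: password never expires, and so on), and reports accounts whose password never expires (Samba prints a January 2038 date, the end of 32-bit time, when no limit is set) or was last set longer ago than a chosen threshold. The first record is the kristin account shown above, abridged; the second, svc_print, is constructed for this example, SID included, to exercise the N and X flags.

```python
"""Review `pdbedit -v -L` output for weak Samba account settings.
Added example, not code from the Fedora guide or from Samba.
"""
import re
from datetime import datetime
from typing import Dict, List, Set

Record = Dict[str, str]

# Account flag letters as documented in smbpasswd(5).
FLAG_MEANING = {"U": "normal user account", "D": "account disabled",
                "N": "no password required", "X": "password never expires",
                "W": "workstation trust account", "S": "server trust account",
                "I": "inter-domain trust account", "L": "account auto-locked"}
# Samba prints a time_t near 2^31-1 (January 2038) when no limit is set.
NEVER = datetime(2038, 1, 1)


def parse_pdbedit(text: str) -> List[Record]:
    """Split verbose pdbedit output into one {field: value} dict per account."""
    accounts: List[Record] = []
    for chunk in re.split(r"(?m)^(?=Unix username:)", text):
        if not chunk.strip():
            continue
        rec: Record = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")  # first colon only; values contain ':'
            if sep and key.strip():
                rec[key.strip()] = value.strip()
        accounts.append(rec)
    return accounts


def parse_time(value: str):
    """Parse 'Mon, 18 Jan 2038 22:14:07 GMT'; '0' or empty means unset."""
    value = value.replace(" GMT", "").strip()
    if value in ("", "0"):
        return None
    return datetime.strptime(value, "%a, %d %b %Y %H:%M:%S")


def account_flags(rec: Record) -> Set[str]:
    m = re.search(r"\[([A-Z ]*)\]", rec.get("Account Flags", ""))
    return set(m.group(1).replace(" ", "")) if m else set()


def review(rec: Record, now: datetime, max_age_days: int = 90) -> List[str]:
    """Findings for one account; an empty list means nothing to report."""
    flags = account_flags(rec)
    issues = [f"{FLAG_MEANING[letter]} ({letter} flag)" for letter in ("N", "X") if letter in flags]
    must_change = parse_time(rec.get("Password must change", ""))
    if must_change is None or must_change >= NEVER:
        issues.append("no password expiry enforced (Password must change = never)")
    last_set = parse_time(rec.get("Password last set", ""))
    if last_set is not None and (now - last_set).days > max_age_days:
        issues.append(f"password last set {(now - last_set).days} days ago")
    return issues


def review_all(text: str, as_of: str, max_age_days: int = 90) -> Dict[str, List[str]]:
    """as_of is an ISO date (YYYY-MM-DD), the day the review is run."""
    now = datetime.strptime(as_of, "%Y-%m-%d")
    return {r["Unix username"]: review(r, now, max_age_days) for r in parse_pdbedit(text)}


# Input: the kristin record from above (abridged) plus a constructed svc_print
# account whose SID and flags are invented for this example.
SAMPLE = r"""Unix username:        kristin
Account Flags:        [U          ]
User SID:             S-1-5-21-1210235352-3804200048-1474496110-2012
Home Directory:       \\wakko\kristin
Domain:               WAKKO
Logon time:           0
Logoff time:          Mon, 18 Jan 2038 22:14:07 GMT
Password last set:    Thu, 29 Jan 2004 08:29:28 GMT
Password can change:  Thu, 29 Jan 2004 08:29:28 GMT
Password must change: Mon, 18 Jan 2038 22:14:07 GMT
Unix username:        svc_print
Account Flags:        [UNX        ]
User SID:             S-1-5-21-1210235352-3804200048-1474496110-2100
Domain:               WAKKO
Password last set:    Thu, 29 Jan 2004 08:29:28 GMT
Password must change: Mon, 18 Jan 2038 22:14:07 GMT
"""

if __name__ == "__main__":
    for user, issues in review_all(SAMPLE, "2004-06-01").items():
        print(user, "->", "; ".join(issues) or "ok")
```

In practice, pipe the live listing in (`pdbedit -v -L > accounts.txt`) and pass today's date; the 2038 test catches the default of no password expiry, which the kristin record above shows.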

rpcclient

rpcclient server options
The rpcclient program issues administrative commands using Microsoft RPCs, the same interfaces the Windows administration graphical user interfaces (GUIs) use for systems management. It is most often used by advanced users who understand the full complexity of Microsoft RPCs.

smbcacls

smbcacls //server/share filename options
The smbcacls program displays and modifies Windows ACLs on files and directories shared by a Samba server or a Windows server.

smbclient

smbclient //server/share password options
The smbclient program is a versatile UNIX client which provides functionality similar to ftp.

smbcontrol

smbcontrol -i options
smbcontrol options destination messagetype parameters
The smbcontrol program sends control messages to running smbd, nmbd, or winbindd daemons. Executing smbcontrol -i runs commands interactively until a blank line or a 'q' is entered.

smbpasswd

smbpasswd options username password
The smbpasswd program manages encrypted passwords. This program can be run by a superuser to change any user's password as well as by an ordinary user to change their own Samba password.

smbspool

smbspool job user title copies options filename
The smbspool program is a CUPS-compatible printing interface to Samba. Although designed for use with CUPS printers, smbspool can work with non-CUPS printers as well.

smbstatus

smbstatus options
The smbstatus program displays the status of current connections to a Samba server.

smbtar

smbtar options
The smbtar program backs up and restores Windows-based share files and directories to a local tape archive. Though similar to the tar command, the two are not compatible.

testparm

testparm options filename hostname IP_address
The testparm program checks the syntax of the /etc/samba/smb.conf file. If the file is in the default location (/etc/samba/smb.conf), you do not need to specify its path. If you also specify a hostname and IP address, testparm reports whether the hosts allow and hosts deny parameters in smb.conf would admit that client. After testing, the testparm program also displays a summary of the /etc/samba/smb.conf file and the server's role (stand-alone, domain, etc.). This is convenient when debugging, as it omits comments and presents the effective configuration concisely for experienced administrators to read.
For example:
~]$ testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Processing section "[tmp]"
Processing section "[html]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions
<enter>
# Global parameters
[global]
	workgroup = MYGROUP
	server string = Samba Server
	security = SHARE
	log file = /var/log/samba/%m.log
	max log size = 50
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	dns proxy = No
[homes]
	comment = Home Directories
	read only = No
	browseable = No
[printers]
	comment = All Printers
	path = /var/spool/samba
	printable = Yes
	browseable = No
[tmp]
	comment = Wakko tmp
	path = /tmp
	guest only = Yes
[html]
	comment = Wakko www
	path = /var/www/html
	force user = andriusb
	force group = users
	read only = No
	guest only = Yes
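The dump above is worth reading as a reviewer, not only as a syntax check: `security = SHARE` means per-share passwords rather than user accounts (share-level security was deprecated in Samba 3.6 and removed in Samba 4), `[html]` is writable with `force user = andriusb`, so every write to /var/www/html lands as that user, and `[html]` and `[tmp]` set `guest only` without `guest ok`, which smb.conf(5) says has no effect. The following Python script is an added example, not code from this guide or from Samba: it parses smb.conf syntax (the same format testparm dumps), treats parameter names the way smbd does (case and whitespace ignored, `public` as a synonym of `guest ok`, `writable` as the inverse of `read only`), and flags those settings. It runs over abridged copies of the CUPS configuration from 15.1.10.1 and of the dump above; the checks and helper names are the example's own.

```python
"""Lint smb.conf syntax (also what `testparm -s` dumps) for risky share settings.
Added example, not code from the Fedora guide or from Samba.
"""
import re
from typing import Dict, List, Tuple

Section = Dict[str, str]
Config = Dict[str, Section]
Finding = Tuple[str, str]  # (section name, message)
_TRUE, _FALSE = {"yes", "true", "1"}, {"no", "false", "0"}


def _norm(key: str) -> str:
    # smbd ignores case and whitespace in parameter names ("guest ok" == "GuestOK").
    return re.sub(r"\s+", "", key.lower())


def parse_smb_conf(text: str) -> Config:
    """Minimal parser: [section] headers, key = value lines, '#' or ';' comments."""
    conf: Config = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
        elif section is not None and "=" in line:
            key, _, value = line.partition("=")
            conf[section][_norm(key)] = value.strip()
    return conf


def _flag(share: Section, *keys: str, default: bool = False) -> bool:
    """Boolean value of the first synonym that is set, else the default."""
    for key in keys:
        value = share.get(key, "").strip().lower()
        if value in _TRUE:
            return True
        if value in _FALSE:
            return False
    return default


def allows_writes(share: Section) -> bool:
    # "writable"/"writeable" invert "read only", whose default is yes.
    if "readonly" in share:
        return not _flag(share, "readonly", default=True)
    return _flag(share, "writable", "writeable")


def audit(conf: Config) -> List[Finding]:
    findings: List[Finding] = []
    if conf.get("global", {}).get("security", "").strip().lower() == "share":
        findings.append(("global", "security = share: per-share passwords instead of user "
                         "accounts; deprecated in Samba 3.6 and removed in Samba 4"))
    for name, share in conf.items():
        if name == "global":
            continue
        guest_ok = _flag(share, "guestok", "public")  # "public" is a synonym
        writable = allows_writes(share) and not _flag(share, "printable", "printok")
        path = share.get("path", "<no path>")
        if _flag(share, "guestonly") and not guest_ok:
            findings.append((name, "'guest only' has no effect without 'guest ok' "
                             "(smb.conf(5)); decide which was intended"))
        if guest_ok and writable:
            findings.append((name, "anonymous (guest) users can write to " + path))
        if writable and "forceuser" in share:
            findings.append((name, "every write to " + path + " runs as "
                             + share["forceuser"] + " regardless of who connected"))
        if name == "print$" and (guest_ok or allows_writes(share)):
            findings.append((name, "driver share writable beyond its 'write list'; "
                             "clients install whatever drivers are stored here"))
    return findings


# Abridged copy of the CUPS configuration from 15.1.10.1.
CUPS_EXAMPLE = """
[global]
load printers = Yes
printing = cups
[printers]
path = /var/spool/samba
public = Yes
guest ok = Yes
writable = No
printable = Yes
[print$]
path = /var/lib/samba/drivers
write list = ed, john
"""

# Abridged copy of the testparm dump above.
TESTPARM_DUMP = """
[global]
    workgroup = MYGROUP
    security = SHARE
[homes]
    read only = No
[printers]
    path = /var/spool/samba
    printable = Yes
[tmp]
    path = /tmp
    guest only = Yes
[html]
    path = /var/www/html
    force user = andriusb
    read only = No
    guest only = Yes
"""

if __name__ == "__main__":
    for label, text in (("CUPS example", CUPS_EXAMPLE), ("testparm dump", TESTPARM_DUMP)):
        print(label + ":")
        for section, message in audit(parse_smb_conf(text)) or [("-", "no findings")]:
            print(f"  [{section}] {message}")
```

Feeding it `testparm -s` output rather than the raw file is deliberate: testparm resolves includes and shows the effective values, so the lint sees what smbd will actually enforce. The CUPS example produces no findings because `[print$]` stays read-only and grants write access only through `write list`, which is the pattern to keep.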

wbinfo

wbinfo options
The wbinfo program displays information from the winbindd daemon. The winbindd daemon must be running for wbinfo to work.

15.1.12. Additional Resources

The following sections give you the means to explore Samba in greater detail.

15.1.12.1. Installed Documentation

  • /usr/share/doc/samba-version-number/ — All additional files included with the Samba distribution. This includes all helper scripts, sample configuration files, and documentation. This directory also contains online versions of The Official Samba-3 HOWTO-Collection and Samba-3 by Example, both of which are cited below.

    Make sure you have the samba-doc package installed

    In order to use the Samba documentation, first ensure the samba-doc package is installed on your system by running, as root:
    yum install samba-doc
    For more information on installing packages with Yum, refer to 「Installing Packages」.
Refer to the following manual pages for detailed information on specific Samba features:
  • smb.conf
  • samba
  • smbd
  • nmbd
  • winbind

15.1.12.2. Related Books

  • The Official Samba-3 HOWTO-Collection by John H. Terpstra and Jelmer R. Vernooij; Prentice Hall — The official Samba-3 documentation as issued by the Samba development team. This is more of a reference guide than a step-by-step guide.
  • Samba-3 by Example by John H. Terpstra; Prentice Hall — This is another official release issued by the Samba development team which discusses detailed examples of OpenLDAP, DNS, DHCP, and printing configuration files. This has step-by-step related information that helps in real-world implementations.
  • Using Samba, 2nd Edition by Jay Ts, Robert Eckstein, and David Collier-Brown; O'Reilly — A good resource for novice to advanced users, which includes comprehensive reference material.

15.1.12.3. Useful Websites

  • http://www.samba.org/ — Homepage for the Samba distribution and all official documentation created by the Samba development team. Many resources are available in HTML and PDF formats, while others are only available for purchase. Although many of these links are not Fedora specific, some concepts may apply.
  • http://samba.org/samba/archives.html — Active email lists for the Samba community. Enabling digest mode is recommended due to high levels of list activity.
  • Samba newsgroups — Samba threaded newsgroups, such as gmane.org, that use the NNTP protocol are also available. This is an alternative to receiving mailing list emails.