Linux File System and Share/Service Permissions
Candidates should understand file permissions on a Linux file system in a mixed environment
From the official Samba Howto, ch. 16, we read:
Samba does not attempt to go beyond POSIX ACLs, so the various finer-grained access control options provided in Windows are actually ignored.
All access to UNIX/Linux system files via Samba is controlled by the operating system file access controls. When trying to figure out file access problems, it is vitally important to find the identity of the Windows user as it is presented by Samba at the point of file access. This can best be determined from the Samba log files.
- create mask - This option takes a four-digit octal value and sets the permissions on files newly created through Samba accordingly. It can be used in all sections. Its default value is 0744.
- directory mask - does for directories what create mask does for files.
Samba Security
Candidates should be able to secure Samba at both the firewall level, and the Samba daemons themselves
The first step towards Samba security can be the hosts allow/hosts deny directives in smb.conf.
hosts allow = 127.0.0.1 192.168.1.0/24
hosts deny = 0.0.0.0/0
The configuration above allows access to the Samba server only from localhost and its local network.
Similarly, we can go about narrowing down users that are allowed to connect:
valid users = @group, user1, user2
On top of this, access to Samba can be restricted based on the interface specified:
interfaces = eth0 ath0 lo
bind interfaces only = yes
To block incoming connections to the Samba ports with iptables, make it drop the packets.
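The smb.conf directives from this section and the create mask option above can be checked mechanically. The following is an added example, not part of the original notes or of Samba itself: a small audit function run over a constructed sample configuration. It assumes the file is simple enough for Python's configparser to read (a lowercase [global] section, no includes or line continuations); the share names and paths are hypothetical.

```python
import configparser

# Constructed sample smb.conf (not from the original page); [public] is deliberately weak.
SAMPLE = """
[global]
hosts allow = 127.0.0.1 192.168.1.0/24
hosts deny = 0.0.0.0/0
interfaces = eth0 lo
bind interfaces only = yes

[projects]
path = /srv/projects
valid users = @group, user1
create mask = 0740

[public]
create mask = 0777
"""

def audit(text):
    """Return (section, message) findings for the directives covered above."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    glob = cp["global"] if cp.has_section("global") else {}
    findings = []
    for key in ("hosts allow", "hosts deny"):
        if not glob.get(key):
            findings.append(("global", f"'{key}' is not set"))
    if glob.get("bind interfaces only", "no").lower() not in ("yes", "true", "1"):
        findings.append(("global", "'bind interfaces only' is not enabled"))
    elif not glob.get("interfaces"):
        findings.append(("global", "'bind interfaces only' set without 'interfaces'"))
    for name in cp.sections():
        if name == "global":
            continue
        share = cp[name]
        # A share-level setting wins; otherwise fall back to [global].
        if not share.get("valid users", glob.get("valid users")):
            findings.append((name, "no 'valid users' restriction"))
        for key in ("create mask", "directory mask"):
            mask = share.get(key, glob.get(key))
            if mask and int(mask, 8) & 0o002:
                findings.append((name, f"'{key}' {mask} allows world-write"))
    return findings

if __name__ == "__main__":
    for section, msg in audit(SAMPLE):
        print(f"[{section}] {msg}")
```

A share without valid users is reported as a finding to review, since some shares are meant to be open to every authenticated user.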
Performance Tuning
Candidates should be able to cluster services for load balancing and high availability purposes, and tune Samba settings for better server and network performance
While measuring performance, two tools will be of particular interest:
- netstat, which reports on current network connections and stats
- smbstatus, which reports on current Samba connections
Socket Options -
Other Options to smb.conf:
- log level - is known to cause drops in performance
- read size - sets optimal value for
- read raw
- write raw
- max xmit
- max connections
- max disk size
- max mux
- max open files
- max print jobs (S)
- max protocol (G)
- max reported print jobs (S)
- max stat cache size (G)
- max ttl (G)
- max wins ttl (G)