Samba

Samba is a free software implementation of the Microsoft networking system which provides file and print services for Windows clients. It has the ability to integrate with a Windows Server domain, either as a Primary Domain Controller (PDC) or as a Backup Domain Controller. It can also be part of an Active Directory domain.

Please visit Wikipedia or the Samba homepage for more information on the Samba protocol.

Clients
In order to mount shares, you must have CIFS file system support enabled in your kernel:

You also need the userspace mount helper:

Mounting Shares
Before mounting a samba share, you create a mount point: an empty directory in which the contents of the share are displayed. Mount points can be placed anywhere on the filesystem, but they are typically in.

The syntax to mount a share is:

/etc/fstab
Samba mounts can also be defined in for predefining mount parameters.

(See the man pages for mount and mount.cifs for a full list of the available options.)

The credentials file is a file containing two lines, namely the login (username and password) for the share. The reason we use a credentials file is security, as shown below:

Since this file contains login information in plain text, we want to restrict access to root:

Alternatively, if you're connecting to an old share that has no password, use the "guest" option rather than "credentials= ". Keep in mind that this is not secure and you should not set up new shares this way.

Once has been edited and  is created and secured by restrictive permissions, the mount can be tested using:

This will mount everything, not mounted, in.
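An added example, not part of the original page: a shell check for the points made in this section. It reads an fstab-style file and flags CIFS entries that keep a password inline or mount as guest, and credentials files that are readable beyond their owner. The server names, paths and the functions audit_cifs_fstab, check_cred_file and demo are constructed for illustration; the credentials, password and guest option names are those of mount.cifs.

```shell
# Added example, not from the original page; names and paths are constructed.

# check_cred_file SHARE FILE UID: report a credentials file that is missing,
# not owned by UID, or has any group/other permission bit set.
check_cred_file() {
    if [ ! -f "$2" ]; then
        printf '%s: credentials file %s is missing\n' "$1" "$2"
        return 0
    fi
    # ls -ln prints the mode string first and the numeric owner third
    ls -ln "$2" | {
        read -r mode links owner rest
        case $mode in
            ????------*) ;;  # nothing granted to group or other
            *) printf '%s: %s is accessible to group/other (%s)\n' "$1" "$2" "$mode" ;;
        esac
        [ "$owner" = "$3" ] ||
            printf '%s: %s is owned by uid %s, expected %s\n' "$1" "$2" "$owner" "$3"
    }
}

# audit_cifs_fstab FSTAB [UID]: print one finding per line for each cifs entry.
# UID is the expected owner of credentials files (default 0, root).
audit_cifs_fstab() {
    # fstab fields: 1 = share, 3 = filesystem type, 4 = mount options
    awk '$1 !~ /^#/ && $3 == "cifs" { print $1, $4 }' "$1" |
    while read -r share opts; do
        cred=
        old_ifs=$IFS; IFS=,
        for opt in $opts; do
            case $opt in
                password=*|pass=*) printf '%s: password stored inline in fstab\n' "$share" ;;
                guest) printf '%s: guest mount, no authentication\n' "$share" ;;
                credentials=*|cred=*) cred=${opt#*=} ;;
            esac
        done
        IFS=$old_ifs
        if [ -n "$cred" ]; then check_cred_file "$share" "$cred" "${2:-0}"; fi
    done
}

# Constructed sample; files belong to the caller, so its uid is the expected owner.
demo() {
    dir=$(mktemp -d)
    printf 'username=alice\npassword=example\n' > "$dir/good.cred"
    cp "$dir/good.cred" "$dir/open.cred"
    chmod 600 "$dir/good.cred"; chmod 644 "$dir/open.cred"
    cat > "$dir/fstab" <<EOF
//srv/docs           /mnt/docs   cifs  credentials=$dir/good.cred,uid=1000  0 0
//srv/team\\040share  /mnt/team   cifs  credentials=$dir/open.cred  0 0
//srv/media          /mnt/media  cifs  username=alice,password=example  0 0
//old/public         /mnt/old    cifs  guest,ro  0 0
/dev/sda1            /           ext4  noatime   0 1
EOF
    audit_cifs_fstab "$dir/fstab" "$(id -u)"
    rm -rf "$dir"
}

demo
```

On a real system, call audit_cifs_fstab /etc/fstab with no second argument so that credentials files are expected to belong to root.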

Browsing
If you want to browse the network for Samba shares you'll need. Then use to see what's out there:

You'll see something like this:

Sharename      Type      Comment
---------      ----      -------
public         Disk      shared
IPC$           IPC       IPC Service
ADMIN$         IPC       IPC Service

Nautilus
enables nautilus to view your samba shares in the "network" section off to the left.

nautilus-share
nautilus-share adds "share on the fly" capabilities to Nautilus. Simply right-click a file, go to the tab all the way to the right labelled "sharing" and click share.

to re-work the back end so the front end can do this

and make sure your smb.conf has these in the global section.

Non-Privileged Mounting
To change the suid bit for the two commands, log in as root and use:

Or:

You'll need to remount shares to a directory owned by the user.

Common Issues

 * Spaces in share names: You may have trouble adding shares with spaces in their names to /etc/fstab (or mounting them by other means). In this case, try replacing the "\ " with "\040".
 * I can't see the network (example: typing smb:// in Konqueror): Make sure that ports 139/tcp (netbios-ssn, for file sharing) and 445/tcp,udp (microsoft-ds, preferred port for Windows shares in Windows NT and newer) are open on all machines involved. It is also useful to open 137/udp (netbios-ns; without this UDP port you will not have name resolution on the network) and 138/udp (netbios-dgm).
 * I get a Permission denied message trying to access a Windows 2000, XP, 2003: Make sure the Guest account is enabled on the Windows machines and that Guest has sharing permissions on the shares. Sometimes this is not trivial, because permission editing for a folder is not shown by default on some Windows systems. If it is enabled, right-click on the share, open the Permissions section and add the Guest user with the appropriate rights (full control is probably a security risk; "Modify" provides read/write and create/delete without the more dangerous abilities).
 * In XP, you can access this by going to Tools->Folder Options in a normal folder explorer window, clicking on the 'View' tab, and unchecking "Use simple file sharing (Recommended)" at the bottom. I have no idea why this is the default as it actually makes it more difficult to set up sharing (despite being called "simple file sharing").
 * You can also get around this by using a login name and password by passing options to mount
 * mount -o username= ,password=   --Skeezer65134 05:50, 20 October 2005 (GMT)
 * You may want to change Windows XP security policy to allow for regular users access: run "Start/Control Panel/Administrative Tools/Local Security Policy/Local Policies/Security Options/Network access: sharing and security model ...: Classic..." Then, you must have an existing _local_ user on the Windows XP machine.
 * Samba client cannot authenticate, possible bad password error: You may run into odd errors authenticating if Samba and the server (Windows or Samba) do not agree on whether to use LANMAN, NTLM, or NTLMv2. If this happens, you may receive a NT_STATUS_LOGON_FAILURE with Samba, and the server will have a Bad Password error (0xC000006A in the Windows Security log). By default (December 2006 on a Gentoo machine), Samba has NTLM and LANMAN authentication enabled, but NTLMv2 is disabled. If the server is set to allow only NTLMv2, then you will fail. This setting is the infamous lmcompatibilitylevel key in HKLM\System\CurrentControlSet\Control\Lsa. When set to 5, the server will only accept NTLMv2 responses (client requests, server challenges, client responds). To allow Samba to send an NTLMv2 response, edit smb.conf's global section and add

client ntlmv2 auth = yes

This will also disable NTLM and LANMAN auth, so you may have trouble accessing shares on older machines. It is recommended to disable LANMAN auth as well, since it is known to be very weak. To do so:

client lanman auth = no

Read the man page for smb.conf for more information.


 * Error returning browse list: NT_STATUS_OK: You will probably get this error message. You can set HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous to 1 on your Windows server, and then reboot for it to take effect. See http://forums.gentoo.org/viewtopic-t-390046-highlight-ntstatusok.html


 * You can log in with smbclient or smb:// in Konqueror, but attempting to use mount.cifs yields:

mount error: could not find target server. TCP name / not found No ip address specified and hostname not found

Apparently mount.cifs has limited name resolution capabilities. Try using

nmblookup 

to get the IP address, and use that instead of .


 * Konqueror says the smb:// protocol is not supported: Recompile kde-base/kdebase-kioslaves with the samba USE flag.

USE Flags
The Samba package is extremely customizable; below are descriptions of the many possible USE flags:


 * - Enable Access Control List support. The ACL support in Samba uses a patched ext2/ext3, or SGI's XFS in order to function properly as it extends more detailed access to files or directories; much more so than typical *nix GID/UID schemas.
 * - Enable Active Directory support.
 * - Enables Kernel Asynchronous I/O support.
 * - Enable automount support.
 * - Enables File POSIX Capabilities, this needs SECURITY_FILE_CAPABILITIES enabled in your kernel to work, in case your kernel version is < 2.6.33, see capabilities(7).
 * - Enable Common Unix Printing System CUPS support. This provides an interface allowing local CUPS printers to be shared to other systems in the network.
 * - Build with debugging information.
 * - Install documentation.
 * - Install examples.
 * - Enable File Alteration Monitor support.
 * - Enable IPv6 support.
 * - Enables the Lightweight Directory Access Protocol. Enable this if you intend to use Active Directory or if you need to login, through Samba, to a Domain/Active Directory Server.
 * - Build the samba-vscan (OpenAntiVirus) module. This provides on-access scanning of Samba shares via supported anti-virus programs.
 * - Enable PAM support. This provides the ability to authenticate users on the Samba Server, which is required if users have to login to your server.
 * - Build the samba-python module. This provides an API that will allow Python to interface with Samba.
 * - Enable disk-quota support.
 * - Enable support, a GNU line-editing library. This is highly recommended and should probably not be disabled.
 * - Enable SELinux support. This requires use of the selinux profile.
 * - Enable the Samba Web Administration Tool.
 * - Enable SYSLOG support. This enables Samba to do logging through the system logger.
 * - Enable WinBind support. This allows for a unified logon within a Samba environment. It uses a Unix implementation of Windows RPC calls, PAM and the name service switch (supported by the c library) to enable Windows NT domain users to appear and work as Unix users on a Unix system.

Emerge
Install with:

Note: if Samba breaks after tinkering with versions between 3.6.9 and 4.0.0, you must purge your /var/lib/samba.

Configuration
The configuration file for the Samba server is In the beginning of file (in global section) you'll see the following:

"Netbios name" is your computer name (usually the same as your hostname). "Workgroup" is your workgroup. "Server string" is a description of the Samba server. Set security = share if you want to share files without a password; this makes anonymous access easy. (NOTE: Alternatively set security = user and specify a local user that would own the share. See below on how to add local_user.) Set username map if you want to use aliases, otherwise they will not be accessible.

Requiring Authentication For Your Samba Shares
If you are interested in requiring your remote users to log into the share and protecting it with a password, you should set an alias for guest. This is because Windows (XP Pro in my case at least) uses the username "Guest" as the default login with the share security level. Do this as follows:

guest account = local_user

The problem is that this will only work for authenticating 1 user. See the next topic for user-based access control.

Per-User Access Control
To authenticate users individually, set up your smb.conf file like this:

(Note that this is a complete file, you don't have to include everything shown above, but you can if you want.)

The [homes] section creates a share for each user who logs in that gives them access to their home directory. For example, if john is logged into the server, he'd see a share named john with the contents of his home directory. This section is optional, but convenient.

Now you have to add users to samba's authentication database. Once you've created a local user account for the user:

add their account to the samba database:

For Samba versions 3.4.0 and above

For earlier versions of Samba

Now continue with creating shares if you need more than home directories shared.

Logging
Create a dedicated directory for Samba log files and set a maximum log size, because we don't want to be flooded with huge logs.

log file = /var/log/smb/samba.%m
max log size = 50

Now proceed in the file and find this part:

# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
#  local master = yes

If you don't want Windows users to blame you, change the local master option to "no" and uncomment the line. With this option set to yes, your Linux box and the Windows hosts will argue about local master browser rights on your LAN. Make this change:

local master = no

If you'd like to share your printers over samba (assuming your printers are running under a cups server), you need to add the following lines somewhere in the global section:

#added for remote printer use over samba
printcap name = cups
disable spoolss = Yes
show add printer wizard = No
printing = cups

This will require that the remote machines install the drivers for the printer locally. In the case of Windows machines, you will need to install the drivers first and then connect to the share over the network.

Adding a Share
Sharing on Linux is as simple as on a Windows box. Just go to the end of smb.conf and add this: Code: Sharing directories with Samba

Make the necessary changes, where "comment" is your share comment, "path" is your shared directory path and "public" is your shared directory name. This will allow users on your network to connect to this share with the access rights of user nobody.

If you are interested in using user authentication, you need to specify what users may access this share. Change the above to look like this: Code: Sharing directories with user access control with Samba

This will allow a remote machine to connect to the samba share by logging in as local_user and entering the correct password. Note that we use the 'guest account = local_user' above in the global configuration. Again, Windows will default to logging in as Guest, and you will not be able to change this (actually you can. Go into user management, and on the left pane, you will have an option to change network passwords, add the proper name there.), so the above makes a nice work-around.

If you want to give write permissions to your samba users, just add writable = yes, as follows (make sure that permissions in those directories you are offering are right. If not, use chmod, of course):

Perhaps you want a share that is public but only writable by some persons (in this case the group "users" and the user "fathergoat"), this can be achieved like this:

quick, dirty, effective, semi locked down, semi pro share system.....

mkdir /home/samba/broadcast
mkdir /home/samba/dropbox
chown -R samba:samba /home/samba

anything broadcasting is locked to the samba/windows users, and anyone may push files to your drop box
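An added example, not part of the original page: a shell and awk check over smb.conf for settings this page discusses, namely security = share from the Configuration section, the client lanman auth and client ntlmv2 auth parameters from Common Issues, and shares that combine guest access with write access, like the drop box above. The function names and the sample configuration are constructed; only explicitly set parameters are reported.

```shell
# Added example, not from the original page; the sample shares are constructed.

# audit_smb_conf FILE: print one line per risky setting found in FILE.
# Unset parameters keep the defaults of the installed Samba version.
audit_smb_conf() {
    awk '
    function report_share() {
        if (sec != "" && sec != "global" && guest && writable)
            print "[" sec "] guests can write to this share"
    }
    /^[ \t]*([#;]|$)/ { next }                 # comment or blank line
    /^[ \t]*\[/ {                              # section header
        report_share()
        sec = tolower($0); gsub(/^[ \t]*\[|\].*$/, "", sec)
        guest = 0; writable = 0
        next
    }
    {
        eq = index($0, "="); if (eq == 0) next
        # parameter names ignore case and whitespace; only the first "=" counts
        key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
        val = tolower(substr($0, eq + 1)); gsub(/^[ \t]+|[ \t]+$/, "", val)
        on = (val == "yes" || val == "true" || val == "1")
        if (sec == "global" && key == "security" && val == "share")
            print "[global] security = share: share-level security, no per-user logon"
        if (sec == "global" && key == "clientlanmanauth" && on)
            print "[global] client lanman auth = yes: LANMAN responses are very weak"
        if (sec == "global" && key == "clientntlmv2auth" && !on)
            print "[global] client ntlmv2 auth = no: NTLMv2-only servers will reject logons"
        if (key == "guestok" || key == "public") guest = on
        if (key == "writable" || key == "writeable" || key == "writeok") writable = on
        if (key == "readonly") writable = !on
    }
    END { report_share() }
    ' "$1"
}

# Constructed sample configuration, audited from a temporary file.
demo_smb_conf() {
    conf=$(mktemp)
    cat > "$conf" <<'EOF'
[global]
   security = share
   Client LANMAN Auth = Yes
   client ntlmv2 auth = yes
[broadcast]
   path = /home/samba/broadcast
   public = yes
   read only = yes
[dropbox]
   path = /home/samba/dropbox
   guest ok = yes
   writable = yes
EOF
    audit_smb_conf "$conf"
    rm -f "$conf"
}

demo_smb_conf
```

Guest and write settings placed in [global] as defaults for all shares are not propagated by this check, so review that section by hand.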

Adding Printers
To add all local printers that connect via the CUPS server, add something like this:

This will list ALL of your local CUPS printers and list them based on their names and descriptions as defined in the CUPS configuration. Once again, the local machine connecting to the printer over samba will need to install the drivers first for it to work.

Starting Samba
Don't forget you need to start your Samba server before you can set the user's Samba password. Code: Starting Samba

* Caching service dependencies ... [ ok ]
* samba -> start: smbd ... [ ok ]
* samba -> start: nmbd ... [ ok ]

Adding a Valid User
For user access control, please note that you MUST specify a password for local_user using smbpasswd. The reason being that the user must also exist in /etc/samba/smbusers AND be a valid user on the computer running the samba server for Samba to have enough information to go through with authentication.

Setting samba user passwords:

For Samba versions 3.4.0 and above

new password:
retype new password:

For earlier versions of Samba

New SMB password:
Reenter smb password:
Added user local_user.

Note that the second name you enter can be a separate alias for local_user to log in to the samba share. More clearly, the name to the right of the = can be anything and will be used to log into the samba share. The Linux username to the left of the = must match the "valid user" statement in the share's definition. This means, in the case of the example below, that you can use username 'dozebox' to login to all the shares the "valid user" 'smb_remote' has access to.

Code: Using Aliases in smbusers

In this example five additional samba login names are aliasing two system user names. In Samba 3.0.22 you must specify the location of smbusers in smb.conf or aliases will not be able to log in.

Tip: User names must not be the same as the NetBIOS name of your PC. For instance, smb://Fenix@FENIX/ will result in an error.

Starting Samba on Boot
To start samba on boot, add it to the default runlevel by running:

Code: Starting samba on Boot

GUI administration
If you are like me, lazy and prefer not to write the smb.conf file from scratch, then you are in luck.

SWAT

Let's call in the swat team. Samba offers a web page interface that will allow you to do just that. It is very similar to the CUPS web interface. You will need to have xinetd installed on your machine as well as samba, installed with the swat USE flag.

By default xinetd services are disabled and you must turn them on. I didn't realize this and kept restarting samba/xinetd because I was getting a connection refused every time I pointed my browser to the port swat was supposed to be on. This was a WTF moment as I cursed at my box trying to figure out why swat was not starting and why I kept getting a connection refused message in the browser. So let's edit the xinetd and swat service config files.

The following configurations will limit everything to the local network. (Zeroes are considered wildcards, 10.0.0.0 is Class A private subnet network access, 192.168.0.0 is Class B; i.e. if your IP address is 192.168.5.10 this value should be as shown below or 192.168.5.0 to provide access.)

By default disable may be set to "yes"; make sure it is set to "no". You can modify the only_from line to allow machines besides the localhost to connect to this service if you wish. With Swat/Samba-3.0.22 you have to set "only_from 0.0.0.0" to allow any host. Deleting this line will deny any connection. I wouldn't recommend this, but a good firewall and other security measures can make this a bit safer. You may also want to change the port number as well. Now that the config file has been changed, let's start the service.

If all went well you should now be able to start the swat browser interface. Just enter http://localhost:901 as the url in your browser. You should be prompted for your username and password. To change the configuration you must enter root information, normal user info will only allow limited access. If that worked, you should now be able to create a smb.conf file on the fly using swat. The one thing I find handy about swat is the fact that most option entries have help links to help figure out what you need to do. Happy Swatting - GreyParrot(2/14/06)

Troubleshooting

 * Remember: running swat requires an existing /etc/samba/smb.conf file - if you just emerged samba copy the example conf:

For Samba versions 3.4.0 and above
 * Make sure you have the 'swat' USE flag enabled when you emerge newer versions of samba (3.0.22), to enable support for swat.
 * If you go to http://localhost:901 in your browser, and it fails to log you in, even though you've given the correct password, try this in a terminal:

For earlier versions of Samba

This command is not available if you upgraded to samba >= 3.4.6!

Then set your samba root passwd. Now log in using this password. add
 * session setup failed: NT_STATUS_LOGON_FAILURE, check that you set the username map = variable in smb.conf correctly.
 * NT_STATUS_UNSUCCESSFUL, add name resolve order = lmhosts wins bcast host to smb.conf
 * ‘net usershare’ returned error 255: net usershare: usershares are currently disabled,

usershare allow guests = Yes
usershare max shares = 100
usershare owner only = False

in [global] section.

KDE Control Center
Alternatively, if you fancy KDE, there is a samba interface which will edit your smb.conf file, add shares, and configure anything you like. The program is part of