Samba
From Gentoo Linux Wiki
Samba is a free software implementation of the SMB/CIFS networking protocol, providing file and print services for Microsoft Windows clients. It can join a Windows Server domain, either as a Primary Domain Controller (PDC) or as a Backup Domain Controller, and it can also be a member of an Active Directory domain.
See Wikipedia or the Samba homepage for more information on the SMB protocol and on Samba itself.
Clients
To mount shares you first need CIFS file system support in the kernel:
Linux Kernel Configuration: Samba client
File systems --->
Network File Systems --->
<M> CIFS support
You also need the userspace mount helper net-fs/mount-cifs (since replaced by net-fs/cifs-utils, which ships the same mount.cifs binary):
emerge net-fs/mount-cifs
Mounting
Before mounting a Samba share you need a mount point: an empty directory in which the contents of the share appear. It can be anywhere on the filesystem, but by convention it lives under /mnt.
The syntax to mount a share is:
mount -t cifs //<server>/<share> /<mountpoint> -o username=<user>
mount.cifs prompts for the password. Avoid passing password=<pass> on the command line: it ends up in the shell history and is visible in the process list (ps) to every user on the machine while the mount runs. Use the prompt, or a credentials file as described under /etc/fstab below.
/etc/fstab
Samba mounts can also be defined in /etc/fstab so that the mount parameters are fixed in advance:
//<server>/<share> /<mountpoint> cifs credentials=/<credentials file>,<options> 0 0
Besides the credentials file, the options you will usually want are:
- uid - Unix user that owns the files of the mount.
- gid - Unix group that owns the files of the mount.
- file_mode, dir_mode - Octal permissions applied to the files and directories of the mount (for example file_mode=0640,dir_mode=0750). mount.cifs has no umask option; these two take its place.
The credentials file contains the login name and the password for the share on separate lines (an optional third line, domain=<domain>, names the Windows domain). It is used instead of writing password= into /etc/fstab, which is world-readable:
username=<user>
password=<pass>
Since this file contains the login information in plain text, it must be readable by root only:
chown root:root /<credentials file>
chmod 600 /<credentials file>
Once the /etc/fstab entry is in place and the credentials file is secured, test the mount with:
mount -a
This mounts everything listed in /etc/fstab that is not already mounted (entries carrying the noauto option are skipped).
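The credentials file and the /etc/fstab entry above are the two places a share password can leak: a file that is readable by other users, or a password= option written straight into fstab. The following shell functions are an added example (not from this page and not part of Samba or cifs-utils): they create the credentials file with a restrictive mode before the secret is written into it, and emit an fstab line that references the file rather than a password, escaping spaces in share or mount point names as \040. The function names and the sample server, share and option values are this example's own.

```sh
#!/bin/sh
# Added example (not from the wiki page): create a CIFS credentials file
# with a restrictive mode and build the matching /etc/fstab line.
# Helper names and the sample values below are this example's own.

# fstab fields are whitespace separated, so a space inside a share name or
# mount point has to be written as the octal escape \040 (see Common Issues).
fstab_escape() {
    printf '%s' "$1" | sed 's/ /\\040/g'
}

# write_cifs_credentials FILE USER PASSWORD [DOMAIN]
# Recreates FILE under umask 077, so it is 0600 from the moment it exists
# and the password is never world-readable, not even briefly. Run as root
# so the file is root-owned; when run as another user, chown it afterwards.
write_cifs_credentials() {
    file=$1; user=$2; pass=$3; domain=$4
    (
        umask 077
        rm -f "$file"                    # drop any old copy with a loose mode
        : > "$file"                      # created 0600 under umask 077
        printf 'username=%s\npassword=%s\n' "$user" "$pass" > "$file"
        if [ -n "$domain" ]; then
            printf 'domain=%s\n' "$domain" >> "$file"
        fi
    )
    chmod 600 "$file"                    # belt and braces
}

# cifs_fstab_line SERVER SHARE MOUNTPOINT CREDENTIALS_FILE [EXTRA_OPTS]
# Prints one fstab entry that references the credentials file instead of
# carrying a password= option, with spaces in names escaped.
cifs_fstab_line() {
    server=$1; share=$2; mnt=$3; cred=$4; extra=$5
    opts="credentials=$cred"
    if [ -n "$extra" ]; then
        opts="$opts,$extra"
    fi
    printf '//%s/%s %s cifs %s 0 0\n' \
        "$server" "$(fstab_escape "$share")" "$(fstab_escape "$mnt")" "$opts"
}

# Usage (sample values, run as root):
#   write_cifs_credentials /etc/samba/creds.fileserver alice 'secret' CORP
#   cifs_fstab_line fileserver 'Shared Docs' /mnt/shared /etc/samba/creds.fileserver \
#       'uid=1000,gid=100,file_mode=0640,dir_mode=0750' >> /etc/fstab
```

The functions take paths as arguments so they can be tried against a scratch directory before touching /etc; the uid, gid, file_mode and dir_mode values in the usage line are the options described above and should match the local user who is meant to use the mount.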
Browsing
To browse the network for Samba shares you need net-fs/samba itself, which provides smbclient.
Then use smbclient to list what a server offers (-N connects anonymously; use -U <user> for an authenticated listing):
smbclient -L <server> -N
You'll see something like this:
        Sharename       Type      Comment
        ---------       ----      -------
        public          Disk      shared
        IPC$            IPC       IPC Service
        ADMIN$          IPC       IPC Service
Non-Privileged Mounting
By default only root can run mount.cifs and umount.cifs. To let ordinary users mount shares, set the setuid bit on the two helpers as root:
chmod u+s /sbin/mount.cifs /sbin/umount.cifs
Users then also need the mount point to be a directory they own. Be aware of what this exposes: a setuid mount helper can be invoked by every local account, so if you do this, limit it to a group (for example chown root:users and chmod 4750 on the two binaries) rather than to everybody, and note that newer cifs-utils releases refuse to run setuid unless the package was built to allow it.
Common Issues
- Spaces in share names: Shares with spaces in their names cannot be written as-is into /etc/fstab (and may also fail with other mounting tools). Replace each space with the octal escape \040, as in //server/My\040Share.
- I can't see the network (for example typing smb://<network_name> into Konqueror): Make sure that 139/tcp (netbios-ssn, SMB over NetBIOS) and 445/tcp (microsoft-ds, the port Windows 2000 and later prefer) are open on all machines involved. Also open 137/udp (netbios-ns; without it there is no NetBIOS name resolution) and 138/udp (netbios-dgm, the browsing datagrams).
- I get a Permission denied message trying to access a Windows 2000, XP or 2003 share: Make sure the Guest account is enabled on the Windows machine and that Guest has share permissions on the share. This is not always obvious because the Permissions tab of a folder is hidden by default on some Windows versions. Once it is visible, right-click the share, open the Permissions section and add the Guest user with appropriate rights. Full Control is a security risk; "Modify" gives read, write, create and delete without the more dangerous abilities (changing permissions and taking ownership).
- In XP, you can access this by going to Tools->Folder Options in a normal folder explorer window, clicking on the 'View' tab, and unchecking "Use simple file sharing (Recommended)" at the bottom. I have no idea why this is the default as it actually makes it more difficult to set up sharing (despite being called "simple file sharing").
- You can also get around this by supplying a login name and password as mount options:
- mount -t cifs <remote share> <mountpoint> -o username=<username>,password=<password> --Skeezer65134 05:50, 20 October 2005 (GMT)
- You may want to change the Windows XP security policy to allow regular users access: open Start/Control Panel/Administrative Tools/Local Security Policy/Local Policies/Security Options/"Network access: Sharing and security model for local accounts" and set it to "Classic - local users authenticate as themselves". The connecting user must then exist as a _local_ user on the Windows XP machine.
- Samba client cannot authenticate, possible bad password error: You may run into odd authentication errors if the Samba client and the server (Windows or Samba) do not agree on whether to use LANMAN, NTLM or NTLMv2. If this happens, Samba reports NT_STATUS_LOGON_FAILURE and the server logs a Bad Password error (0xC000006A in the Windows Security log). With Samba 3.0 (December 2006 on a Gentoo machine) the client side has NTLM and LANMAN authentication enabled but NTLMv2 disabled, so if the server accepts only NTLMv2 the logon fails. On Windows this is controlled by the LmCompatibilityLevel value under HKLM\System\CurrentControlSet\Control\Lsa; at level 5 the server accepts only NTLMv2 responses (client requests, server challenges, client answers with an NTLMv2 response). To make Samba send NTLMv2, add to the [global] section of smb.conf:
client ntlmv2 auth = yes
This also stops the client from sending NTLM and LANMAN responses, so access to very old servers that support nothing better may break. Disable LANMAN authentication explicitly as well; the LM response is derived from the LM hash and is easily brute-forced:
client lanman auth = no
Samba 3.2 and later ship these two values as their defaults, but stating them explicitly in smb.conf costs nothing and does not depend on the packaged defaults. Read the smb.conf man page for details.
- Error returning browse list: NT_STATUS_OK: If you get this message, the thread at http://forums.gentoo.org/viewtopic-t-390046-highlight-ntstatusok.html suggests setting HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous to 1 on the Windows server and rebooting it for the change to take effect.
- You can log in with smbclient or smb:// in Konqueror, but mount.cifs yields:
mount error: could not find target server. TCP name <SERVER>/<SHARE> not found No ip address specified and hostname not found
mount.cifs resolves the server name through the normal C library lookup (DNS and /etc/hosts) rather than through NetBIOS name resolution, which smbclient and Konqueror can fall back to. Look the name up with
nmblookup <SERVER>
and use the IP address it returns in place of <SERVER>, or add an entry for the server to /etc/hosts.
- Konqueror says the smb:// protocol is not supported: Recompile kde-base/kdebase-kioslaves with the samba USE flag.
Server
USE Flags
The Samba package is extremely customizable; below are descriptions of the many possible USE flags:
- acl - Enable Access Control List support. Samba then maps Windows ACLs onto POSIX ACLs, which the underlying filesystem must support (ext2/ext3 mounted with the acl option, XFS, and so on); this gives far finer-grained access control than plain Unix owner/group/other permissions.
- ads - Enable Active Directory support.
- async - Enables Kernel Asynchronous I/O support.
- automount - Enable automount support.
- caps - Enables File POSIX Capabilities, this needs SECURITY_FILE_CAPABILITIES enabled in your kernel to work.
- cups - Enable Common Unix Printing System CUPS support. This provides an interface allowing local CUPS printers to be shared to other systems in the network.
- debug - Build with debugging information.
- doc - Install documentation.
- examples - Install examples.
- fam - Enable File Alteration Monitor support.
- ipv6 - Enable IPv6 support.
- ldap - Enable Lightweight Directory Access Protocol support. Enable this if you intend to use Active Directory or if Samba needs to authenticate against a domain or Active Directory server.
- oav - Build the samba-vscan (OpenAntiVirus) module. This provides on-access scanning of Samba shares via supported anti-virus programs.
- pam - Enable PAM support. This provides the ability to authenticate users on the Samba Server, which is required if users have to login to your server.
- python - Build the samba-python module. This provides an API that will allow Python to interface with Samba.
- quotas - Enable disk-quota support.
- readline - Enable sys-libs/readline support, a GNU line-editing library. This is highly recommended and should probably not be disabled.
- selinux - Enable SELinux support. This requires the selinux profile.
- swat - Enable the Samba Web Administration Tool.
- syslog - Enable SYSLOG support. This enables Samba to do logging through the system logger.
- winbind - Enable WinBind support. This allows for a unified logon within a Samba environment. It uses a Unix implementation of Windows RPC calls, PAM and the name service switch (supported by the c library) to enable Windows NT domain users to appear and work as Unix users on a Unix system.
Emerge
Install net-fs/samba with:
emerge net-fs/samba
Configuration
The configuration file for the Samba server is /etc/samba/smb.conf. At the beginning of the file, in the [global] section, you will see something like:
[global]
# workgroup = NT-Domain-Name or Workgroup-Name, eg: LINUX2
workgroup = WORKGROUP
netbios name = LINUXBOX
# server string is the equivalent of the NT Description field
server string = Lets dance samba
# Security mode. Defines in which mode Samba will operate. Possible
# values are share, user, server, domain and ads. Most people will want
# user level security. See the HOWTO Collection for details.
security = share
# Unix users can map to different SMB User names
username map = /etc/samba/smbusers
"netbios name" is the computer's NetBIOS name (usually the same as its hostname), "workgroup" is the workgroup it announces itself in, and "server string" is the description shown to clients. security = share lets clients reach shares without a per-user password and is the easy route to anonymous access, but it was deprecated in Samba 3.6 and removed in Samba 4.0; on current releases use security = user together with map to guest = Bad User to get the same anonymous behaviour for guest shares. Alternatively set security = user and specify a local user that owns the share (see below on how to add local_user). Set username map if you want to use aliases; without it the aliases cannot log in.
If you want remote users to log into the share with a password under share-level security, set an alias for Guest, because Windows (XP Pro at least) uses the username "Guest" as its default login against a share-level server. Do this in the [global] section:
guest account = local_user
The limitation is that this authenticates only one user. See the next topic for user-based access control.
Per-User Access Control
To authenticate users individually, set up smb.conf like this:
[global]
workgroup = MSHOME
security = user

[homes]
valid users = %S
read only = no
browseable = no
(This is a complete file; you do not have to include everything shown further up, though you may.)
The [homes] section creates a share for each user who logs in that gives them access to their home directory. For example, if john logs into the server he sees a share named john containing his home directory. This section is optional, but convenient.
Now you have to add users to Samba's authentication database. Samba checks SMB passwords against its own password database, not /etc/shadow, so each user needs both a Unix account and an SMB password. Create the local account first (a user who only accesses shares does not need a login shell):
useradd -m -s /sbin/nologin <user>
then add the account to the Samba database, which prompts for the SMB password:
smbpasswd -a <user>
Now continue with creating shares if you need more than home directories shared.
Logging
Use a dedicated directory for the Samba log files and cap the log size so you are not flooded with huge logs:
log file = /var/log/smb/samba.%m
max log size = 50
Further down the file you will find this part:
# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
; local master = yes
If you don't want Windows users to blame you, set local master to "no" and uncomment the line. With the option set to yes your Linux box and the Windows hosts will argue over local master browser rights on your LAN. Make this change:
local master = no
If you'd like to share your printers over Samba (assuming they run under a CUPS server), add the following lines to the [global] section:
# added for remote printer use over samba
printcap name = cups
disable spoolss = Yes
show add printer wizard = No
printing = cups
With this configuration Samba does not serve printer drivers, so every remote machine installs the driver for the printer locally. On Windows machines, install the driver first and then connect to the share over the network.
Sharing Directories
Sharing on Linux is as simple as on a Windows box. Just go to the end of smb.conf and add a share definition:
Code: Sharing directories with Samba
[public]
comment = shared
path = /mnt/public
guest ok = yes
browseable = yes
Make the necessary changes: "comment" is the share comment, "path" is the shared directory and "public" (the section name) is the share name as clients see it. With guest ok = yes, anyone on your network can connect to this share without a password and gets the access rights of the guest account (the user nobody by default).
If you are interested in using user authentication, you need to specify what users may access this share. Change the above to look like this:
Code: Sharing directories with user access control with Samba
[public]
comment = shared
path = /mnt/public
valid users = local_user
guest ok = no
browseable = yes
This allows a remote machine to connect to the share by logging in as local_user with the correct password. Note the 'guest account = local_user' line in the global configuration above: Windows will default to logging in as Guest, and changing that is awkward (it can be done: in User Accounts, the left pane has an option to manage network passwords, where the proper name can be stored), so the alias is a convenient work-around.
To give your Samba users write permission, add writable = yes, as follows. Make sure the Unix permissions of the directories you offer allow the writes you intend and no more (fix them with chown/chmod); the client never gets more than the filesystem grants to the Unix user it is mapped to:
[public]
comment = shared
path = /mnt/public
valid users = local_user
guest ok = no
browseable = yes
writable = yes
Perhaps you want a share that is public but only writable by some persons (in this case the group "users" and the user "fathergoat"), this can be achieved like this:
[public]
comment = shared
path = /path/to/your/share
public = yes
writable = no
write list = @users fathergoat
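The client-side authentication settings under Common Issues (client ntlmv2 auth, client lanman auth), the security = share mode in the [global] section, and the guest ok / writable combinations in the share definitions above are easy to leave in a weak state, and the server accepts them silently. The following shell function is an added example (not from this page and not part of Samba): it parses an smb.conf with POSIX awk, treating section and key names case- and whitespace-insensitively as Samba does, and prints a warning for each of those settings it finds. The function name, the warning texts and the assumed defaults (security = user, read only = yes) are this example's own; the exit status is the number of warnings.

```sh
#!/bin/sh
# Added example (not from the wiki page and not part of Samba): a small
# smb.conf auditor, POSIX awk wrapped in a shell function. It flags the
# weak settings this page discusses: "security = share", client-side
# LANMAN/NTLM authentication not disabled, and shares that are guest
# accessible and writable at the same time. The function name, the
# warning texts and the defaults assumed below are this example's own.
# Usage: audit_smbconf /etc/samba/smb.conf ; exit status = number of warnings.
audit_smbconf() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function yes(v)  { return v == "yes" || v == "true" || v == "1" }
    # value of KEY in section SEC, or DEF when the file does not set it
    function get(sec, key, def) { return ((sec, key) in cfg) ? cfg[sec, key] : def }

    /^[ \t]*[;#]/ || /^[ \t]*$/ { next }              # comments, blank lines
    /^[ \t]*\[/ {                                       # [section] header
        line = trim($0)
        sec = tolower(substr(line, 2, index(line, "]") - 2))
        seen[sec] = 1
        next
    }
    index($0, "=") {                                    # key = value
        i = index($0, "=")
        key = tolower(trim(substr($0, 1, i - 1)))
        gsub(/[ \t]+/, " ", key)                        # smb.conf ignores spacing in keys
        cfg[sec, key] = tolower(trim(substr($0, i + 1)))
    }
    END {
        n = 0
        if (get("global", "security", "user") == "share") {
            print "WARN [global]: security = share permits anonymous access and was removed in Samba 4.0"; n++
        }
        if (get("global", "client lanman auth", "") != "no") {
            print "WARN [global]: set \"client lanman auth = no\"; LM responses are trivially cracked"; n++
        }
        if (get("global", "client ntlmv2 auth", "") != "yes") {
            print "WARN [global]: set \"client ntlmv2 auth = yes\" so NTLM/LM responses are never sent"; n++
        }
        for (s in seen) {
            # printable shares are meant to accept spool files, skip them
            if (s == "global" || yes(get(s, "printable", "no"))) continue
            guest = yes(get(s, "guest ok", "no")) || yes(get(s, "public", "no"))
            # writable/writeable are synonyms of "read only = no"
            w = yes(get(s, "writable", "no")) || yes(get(s, "writeable", "no")) || get(s, "read only", "yes") == "no"
            if (guest && w) { print "WARN [" s "]: guest accessible and writable"; n++ }
        }
        exit n
    }' "$1"
}
```

Run it against the candidate file before reloading smbd; a share that is both public and writable is only acceptable when the directory is meant as a drop box for the whole LAN, and even then prefer the write list pattern shown above over writable = yes.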
Adding Printers
To add all local printers that connect via the CUPS server, add something like this:
[printers]
comment = All Printers
path = /var/spool/samba
printer admin = root, local_user
create mask = 0600
guest ok = Yes
printable = Yes
use client driver = Yes
browseable = No
This lists ALL of your local CUPS printers with the names and descriptions defined in the CUPS configuration. Once again, the client connecting to a printer over Samba needs the driver installed locally first.
Starting Samba
Start the Samba server before you test the shares. (smbpasswd -a run as root writes Samba's password database directly and does not need smbd running, but smbpasswd run by a user to change their own password talks to the running server.)
Code: Starting Samba
/etc/init.d/samba start
 * Caching service dependencies ...                                 [ ok ]
 * samba -> start: smbd ...                                         [ ok ]
 * samba -> start: nmbd ...                                         [ ok ]
Adding a Valid User
For user access control you MUST set a password for local_user with smbpasswd. Samba keeps its own password database (the SMB password hashes, separate from /etc/shadow), and the account must also exist as a valid Unix user on the machine running the server; /etc/samba/smbusers is only consulted when username map is set and you want aliases.
Code: Setting samba user passwords
smbpasswd -a local_user
New SMB password: <type password>
Reenter smb password: <type password again>
Added user local_user.
Then make sure /etc/samba/smbusers maps the name:
local_user = local_user
The name to the right of the = is an alias that clients log in with; it can be anything. The Linux username to the left of the = must match the "valid users" entry in the share's definition. In the example below this means you can log in as 'dozebox' to every share that the "valid users" entry 'smb_remote' has access to.
Code: Using Aliases in smbusers
local_user = local_user
smb_remote = jim dozebox
smb_admin = admin administrator backup
In this example five additional Samba login names alias two system user names. In Samba 3.0.22 you must specify the location of smbusers in smb.conf (username map = /etc/samba/smbusers) or the aliases will not be able to log in.
Tip: User names must not equal the NetBIOS name of your PC. For instance, smb://Fenix@FENIX/ will result in an error.
Starting Samba on Boot
To start Samba on boot, add it to the default runlevel:
rc-update add samba default
GUI administration
If you are like me, lazy and preferring not to write the smb.conf file from scratch, then you are in luck.
SWAT
Let's call in the SWAT team. Samba offers a web interface that will allow you to do just that. It is very similar to the CUPS web interface. You will need xinetd installed on your machine as well as Samba built with the swat USE flag.
By default xinetd services are disabled and you must turn them on. I didn't realize this and kept restarting samba/xinetd because I was getting a connection refused error every time I pointed my browser to the port SWAT was supposed to be on. This was a WTF moment as I cursed at my box trying to figure out why SWAT was not starting and why I kept getting a connection refused message in the browser. So let's edit the xinetd and swat service config files.
The following configuration limits access to the local network. xinetd treats trailing zero octets in only_from as wildcards: 10.0.0.0 matches every 10.x.x.x address (the 10/8 private block) and 192.168.0.0 every 192.168.x.x address (the 192.168/16 private block); if your address is 192.168.5.10, either 192.168.0.0 or the narrower 192.168.5.0 grants access. Keep this as tight as you can: SWAT authenticates with the system root password, sent over plain HTTP, so anyone able to sniff the path to port 901 obtains root. Restrict it to 127.0.0.1 and reach it through an SSH tunnel when the machine is not on a trusted LAN. (SWAT was removed from Samba in 4.1.)
In the defaults block of /etc/xinetd.conf:
... only_from = 192.168.0.0 ...
And in the service file /etc/xinetd.d/swat:
service swat
{
port = 901
socket_type = stream
protocol = tcp
wait = no
only_from = 192.168.0.0
user = root
server = /usr/sbin/swat
log_on_failure += USERID
disable = no
}
By default disable may be set to "yes"; make sure it is set to "no". You can modify the only_from line to allow machines besides the localhost to connect to this service if you wish. With SWAT/Samba 3.0.22 you have to set "only_from = 0.0.0.0" to allow any host. Deleting this line will deny any connection. I wouldn't recommend this, but a good firewall and other security measures can make this a bit safer. You may also want to change the port number as well. Now that the config file has been changed, let's start the service:
/etc/init.d/xinetd restart
If all went well you should now be able to open the SWAT browser interface. Just enter http://localhost:901 as the URL in your browser. You should be prompted for your username and password. To change the configuration you must enter root credentials; normal user credentials only allow limited access. If that worked, you should now be able to create a smb.conf file on the fly using SWAT. The one thing I find handy about SWAT is the fact that most option entries have help links to help figure out what you need to do. Happy Swatting - GreyParrot(2/14/06)
Troubleshooting
- Remember: running SWAT requires an existing /etc/samba/smb.conf file. If you have just emerged Samba, copy the example configuration shipped with the package to /etc/samba/smb.conf first.
- Make sure you have the 'swat' USE flag enabled when you emerge newer versions of samba (3.0.22), otherwise SWAT is not built at all.
- If you go to http://localhost:901 in your browser and it fails to log you in even though you have given the correct password, try this in a terminal:
This command is not available if you upgraded to samba >= 3.4.6!
Then set your Samba root password. Now log in using this password.
- session setup failed: NT_STATUS_LOGON_FAILURE: check that you set username map = in smb.conf correctly.
KDE Control Center
Alternatively, if you prefer KDE, there is a Samba module for the KDE Control Center which edits your smb.conf, adds shares and configures whatever you like. It is part of kde-base/kcontrol.