Monday, August 2, 2010

Linux Samba


For complete information on Samba see the SMB HOWTO. Also refer to the smb.conf(5), smbd(8), smbclient(1), smbpasswd(5), smbpasswd(8), and testparm(1) man pages. You may access the howtos from one of the weblinks listed in the Linux websites section. The Linux Documentation Project or Metalab's Index of Linux publications will have copies of these howtos.
You will want to perform the following steps according to the instructions below to set up samba services on your computer.
  1. Set up your Windows based computers for file and print sharing if you want to access your windows computers from Linux.
  2. Decide whether to run Samba through the inetd internet super daemon or through the startup scripts. Running using the startup scripts is recommended for better reliability.
  3. Edit the /etc/services file to be sure the port services are enabled.
  4. Edit the /etc/smb.conf file with encrypted passwords enabled to work with most modern Windows versions.
  5. Add any users as desired to the /etc/smbusers file.
  6. Optionally add hostnames to /etc/lmhosts.
  7. Set up your Samba users' passwords with the "smbpasswd -a username" command.
  8. Start or restart Samba services. When running Samba services through the startup scripts it can be done in Redhat using the linuxconf program. On other systems it may be done with one or more of the following commands:
    • samba start - Starts samba.
    • /etc/rc.d/init.d/smb start - Starts samba.
    • samba restart - Restarts samba.
    • /etc/rc.d/init.d/smb restart - Restarts samba.
    If using inetd to run Samba services, restart/start samba with the command "killall -HUP inetd".

Check your /usr/doc directory for a directory like "samba-2.0.5a". Enter this directory with the command "cd /usr/doc/samba-2.0.5a". There is a docs and a samples directory at this location. There is a sample smb.conf file in the samples directory called smb.conf.default. Use this file to start your /etc/smb.conf file if you don't have one. Modify it for your workgroup name, remove the comment from the line "encrypt passwords = yes" and set up your share definitions as you need.

Configuring Windows

Configuring Windows 95 for sharing (if you want to be able to browse your Windows computer from Linux):
  1. Right click on "network neighborhood" and click "properties"
  2. Under configuration make sure you have "Client for Microsoft Networks", your ethernet card driver and TCP/IP
  3. Select "Client for Microsoft Networks"
  4. Select "File and Print Sharing" and turn on file and printer access, enter a password to use
  5. Select Add?

Setting up the service method

There are two ways to run samba services. You can run them as a daemon, using the system startup scripts, or through the internet super daemon, "inetd". You must choose one way or the other; you cannot run the service both ways. I recommend using the startup scripts since the service seems less reliable through inetd.
  1. To run as a startup service, if you are using Redhat Linux, you may run "linuxconf" and go to "Control", then "Control panel", then "Control service activity", select "smb" and set it to enabled and running. You will also need to be sure the "/etc/services" file is set up for the named ports below, along with setting up the "/etc/smb.conf", "/etc/smbusers", and possibly the "/etc/lmhosts" files below.
  2. To run on request through inetd, put these lines in /etc/inetd.conf:
    # Other services
        netbios-ssn stream tcp nowait root /usr/sbin/tcpd /usr/sbin/smbd
        netbios-ns dgram udp wait root /usr/sbin/tcpd /usr/sbin/nmbd -a

Setting up the services

Configure ports for NetBIOS name, datagram, and session services by being sure of existence of (or adding) the following lines in the /etc/services file:
 netbios-ns 137/tcp    # NETBIOS Name Service
 netbios-ns 137/udp
 netbios-dgm 138/tcp    # NETBIOS Datagram Service
 netbios-dgm 138/udp
 netbios-ssn 139/tcp    # NETBIOS session service
 netbios-ssn 139/udp

Setting up the Samba configuration file

Edit the Samba configuration file "/etc/smb.conf" to provide suitable services. You should be able to get a file to start with from /usr/doc/samba-x.x.x/examples/smb.conf.default. Copy it to /etc/smb.conf and use an editor to modify it.

This is the samba file I use. Note: you can use swat (described below) to configure this file.
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentary and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors.
#
#======================= Global Settings =====================================

[global]

# workgroup = NT-Domain-Name or Workgroup-Name
   workgroup = mygroup

# This allows you to get around a problem in WIN95, it is also needed
# for OS/2 clients.  You should definitely have this line enabled if
# you want to be able to just drop your GNU/Linux machine into an existing
# WIN95-only network.
# (important for WIN95 and OS/2 machines; the remark sits on its own line
# because smb.conf reads text after a value as part of the value)
   lm announce = yes

# server string is the equivalent of the NT Description field
   server string = Samba Server

# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page
#   hosts deny = ALL
#   hosts allow = 10.1.3.16 10.1.0.100

# if you want to automatically load your printer list rather
# than setting them up individually then you'll need this
   printcap name = /etc/printcap
   load printers = yes

# It should not be necessary to spell out the print system type unless
# yours is non-standard. Currently supported print systems include:
# bsd, sysv, plp, lprng, aix, hpux, qnx
;   printing = bsd

# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user "nobody" is used
;  guest account = pcguest

# this tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/log.%m

# Put a capping on the size of the log files (in Kb).
   max log size = 50

# Security mode. Most people will want user level security. See
# security_level.txt for details.
   security = user

# Use password server option only with security = server
;   password server = <NT-Server-Name>

# Password Level allows matching of _n_ characters of the password for
# all combinations of upper and lower case.
;  password level = 8

# You may wish to use password encryption. Please read
# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.
# Do not enable this option unless you have read those documents
encrypt passwords = yes
smb passwd file = /etc/smbpasswd

# The following are needed to allow password changing from Windows to
# update the Linux system password also.
# NOTE: Use these with 'encrypt passwords' and 'smb passwd file' above.
# NOTE2: You do NOT need these to allow workstations to change only
#        the encrypted SMB passwords. They allow the Unix password
#        to be kept in sync with the SMB password.
unix password sync = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*

# Unix users can map to different SMB User names
  username map = /etc/smbusers

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
;   include = /etc/smb.conf.%m

# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
   socket options = TCP_NODELAY

# Configure Samba to use multiple interfaces
# If you have multiple network interfaces then you must list them
# here. See the man page for details.
interfaces = 192.168.199.1/24 10.1.0.100/16 

# Configure remote browse list synchronisation here
#  request announcement to, or browse list sync from:
# a specific host or from / to a whole subnet (see below)
;   remote browse sync = 192.168.3.25 192.168.5.255

# Cause this host to announce itself to local subnets here
; remote announce = 10.1.255.255 192.168.199.2 192.168.2.44

# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
;   local master = no

# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
;   os level = 33

# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
;   domain master = yes

# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
;   preferred master = yes

# Use only if you have an NT server on your network that has been
# configured at install time to be a primary domain controller.
;   domain controller = <NT-Domain-Controller-SMBName>

# Enable this if you want Samba to be a domain logon server for
# Windows95 workstations.
;   domain logons = yes

# if you enable domain logons then you may want a per-machine or
# per user logon script
# run a specific logon batch file per workstation (machine)
;   logon script = %m.bat
# run a specific logon batch file per username
;   logon script = %U.bat

# Where to store roving profiles (only for Win95 and WinNT)
#        %L substitutes for this servers netbios name, %U is username
#        You must uncomment the [Profiles] share below
;   logon path = \\%L\Profiles\%U

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
   wins support = yes

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
;   wins server = w.x.y.z

# WINS Proxy - Tells Samba to answer name resolution queries on
# behalf of a non WINS capable client, for this to work there must be
# at least one WINS Server on the network. The default is NO.
;   wins proxy = yes

# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The built-in default for versions 1.9.17 is yes,
# this has been changed in version 1.9.18 to no.
   dns proxy = no

# Case Preservation can be handy - system default is _no_
# NOTE: These can be set on a per share basis
;  preserve case = no
;  short preserve case = no

# Default case is normally upper case for all DOS files
;  default case = lower

# Be very careful with case sensitivity - it can break things!
;  case sensitive = no

  admin users = root
  dead time=15
  hide dot files = yes
  max connections = 10
  share modes = yes
  guest account = nobody
  browseable = yes
;  invalid users = root
#============================ Share Definitions ==============================

[homes]
   comment = Home Directories
   browseable = no
   writeable = yes
   path=/home/%S
   public = no

# Un-comment the following and create the netlogon directory for Domain Logons
; [netlogon]
;   comment = Network Logon Service
;   path = /home/netlogon
;   guest ok = yes
;   writable = no
;   share modes = no

# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
;[Profiles]
;    path = /home/profiles
;    browseable = no
;    guest ok = yes

# NOTE: If you have a BSD-style print system there is no need to
# specifically define each individual printer
[printers]
   comment = All Printers
   path = /var/spool/samba
   browseable = no
# Set public = yes to allow user 'guest account' to print
   guest ok = no
   writable = no
   printable = yes

# This one is useful for people to share files
[tmp]
   comment = Temporary file space
   path = /tmp
   read only = no
   public = yes

# A publicly accessible directory, but read only, except for people in
# the "staff" group
[public]
   comment = Public Stuff
   path = /home/public
   public = yes
   writable = yes
   printable = no
;   write list = @staff

# Other examples.
#
# A private printer, usable only by fred. Spool data will be placed in fred's
# home directory. Note that fred must have write access to the spool directory,
# wherever it is.
;[fredsprn]
;   comment = Fred's Printer
;   valid users = fred
;   path = /homes/fred
;   printer = freds_printer
;   public = no
;   writable = no
;   printable = yes

# A private directory, usable only by fred. Note that fred requires write
# access to the directory.
;[fredsdir]
;   comment = Fred's Service
;   path = /usr/somewhere/private
;   valid users = fred
;   public = no
;   writable = yes
;   printable = no

# a service which has a different directory for each machine that connects
# this allows you to tailor configurations to incoming machines. You could
# also use the %u option to tailor it by user name.
# The %m gets replaced with the machine name that is connecting.
;[pchome]
;  comment = PC Directories
;  path = /usr/pc/%m
;  public = no
;  writable = yes

# A publicly accessible directory, read/write to all users. Note that all files
# created in the directory by users will be owned by the default user, so
# any user with access can delete any other user's files. Obviously this
# directory must be writable by the default user. Another user could of course
# be specified, in which case all files would be owned by that user instead.
;[public]
;   path = /usr/somewhere/else/public
;   public = yes
;   only guest = yes
;   writable = yes
;   printable = no

# The following two entries show how to share a directory so that two
# users can put files there that will be owned by specific users. In this
# setup, the directory should be writable by both users & have the sticky
# bit set on it to prevent abuse. Obviously this could be extended to
# as many users as required.
;[myshare]
;   comment = Mary's and Fred's stuff
;   path = /usr/somewhere/shared
;   valid users = mary fred
;   public = no
;   writable = yes
;   printable = no
;   create mask = 0765

[cdrom]
  comment = Samba server's CD-ROM
  writable = no
  locking = no
  path = /mnt/cdrom
  public = no
  root preexec = /bin/mount /mnt/cdrom
  root postexec = /bin/umount /mnt/cdrom

[etc]
  comment = Linux setup files in /etc
  public = no
  writeable = yes
  path = /etc
  read only = yes
  valid users = george mark

[floppy]
  comment = Samba server's Floppy Drive
  browseable = yes
  writeable = yes
  path = /mnt/floppy
  public = no
  root preexec = /bin/mount /dev/fd0 /mnt/floppy
  root postexec = /bin/umount /mnt/floppy

Notes:
  • The section that allows unix passwords to be synced with samba passwords does not seem to work. This may be because I use shadow passwords.
  • To customize samba setups from various machines use the "include = /etc/smb.conf.%m" line.
  • To make passwords be sent over the network in encrypted form:
    1. In the /etc/smb.conf file add or uncomment the lines:
        encrypt passwords = yes
        smb passwd file = /etc/smbpasswd
    2. Type "smbpasswd -a user" then enter the desired passwords.
    Note: If you are not using shadow passwords, there is a way to convert to secure passwords without users knowing it. The command "cat /etc/passwd |mksmbpasswd.sh > /etc/smbpasswd" will create an smbpasswd file. However, if you are using shadow passwords (which you should be), the /etc/passwd file does not contain the required information to set up the password file and you must still have each user modify their passwords or do it from root with the "smbpasswd -a username" command. Read the documentation in /usr/doc/samba-x.x.x/docs/textdocs/ENCRYPTION.txt. Be sure your smbpasswd file is only readable and writable by the root user.
  • Note: Be sure alias is off so hosts can't fool your machine by aliasing their names.
    To deny all hosts access except those you specify use the following example under [global]:
      hosts deny = ALL
      hosts allow = 10.1.3.16 10.1.0.100
If you deny hosts, be sure you know what you are doing! The way Microsoft networking works is that a master browser is picked based on an election process from all computers that are running Windows networking. If you deny access to the master browser, you may be unable to browse the network for your computer. Therefore, unless you know what computer will be the master browser and backup browser that you will use for browsing, it may be unwise to use this feature.
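
As an added example (not part of the original post, and not code from the Samba project), the following Python sketch parses an smb.conf and reports the settings these notes warn about: a missing "hosts allow", disabled password encryption, "admin users", guest-writable shares, and trailing comments that Samba reads as part of a value. The function names are hypothetical, the sample text is constructed from the file above, and an unset "encrypt passwords" is assumed to mean "no", as in the Samba 2.0 releases this page targets.

```python
import re

# Synonyms listed in smb.conf(5), folded onto one canonical key.
SYNONYMS = {"public": "guest ok", "writable": "writeable",
            "write ok": "writeable", "allow hosts": "hosts allow"}
TRUE = {"yes", "true", "1"}

# Constructed sample that mirrors settings from the configuration above.
SAMPLE = """\
[global]
   lm announce = yes  #important for WIN95 and OS/2 machines
   encrypt passwords = yes
;   hosts allow = 10.1.3.16 10.1.0.100
   admin users = root
[homes]
   writeable = yes
   public = no
[tmp]
   path = /tmp
   read only = no
   public = yes
[etc]
   path = /etc
   writeable = yes
   read only = yes
"""


def parse_smb_conf(text):
    """Return {section: {param: value}}; later assignments override earlier ones."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # a trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":  # comments must start the line
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            key = " ".join(key.lower().split())
            if key == "read only":       # inverted synonym of "writeable"
                key, value = "writeable", "no" if value.lower() in TRUE else "yes"
            sections[current][SYNONYMS.get(key, key)] = value
    return sections


def is_on(params, key):
    return params.get(key, "no").lower() in TRUE


def audit(text):
    """Return a list of findings for the risky settings discussed on this page."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = []
    for section, params in conf.items():
        for key, value in params.items():
            if re.search(r"\s[#;]", value):
                findings.append(f"[{section}] {key}: trailing comment is part of the value")
    if not is_on(glob, "encrypt passwords"):   # assumed default: no (Samba 2.0 era)
        findings.append("[global] encrypt passwords is not enabled")
    if "hosts allow" not in glob:
        findings.append("[global] no hosts allow restriction")
    if glob.get("admin users"):
        findings.append(f"[global] admin users get root file access: {glob['admin users']}")
    for section, params in conf.items():
        effective = {**glob, **params}         # [global] supplies share defaults
        if (section != "global" and is_on(effective, "guest ok")
                and is_on(effective, "writeable")):
            findings.append(f"[{section}] guest-writable share on {effective.get('path', '?')}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run it against a copy of your own file by passing the file's text to audit(); testparm remains the authoritative syntax check.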

The smbusers file

Edit the /etc/smbusers file to map your machine names to unix user names:
The following file is an example I use:
# Unix_name = SMB_name1 SMB_name2 ...
root = windoze1 windoze2
nobody = guest pcguest smbguest
mark = windoze3
In this case anyone logging in from machines windoze1 or 2 will be mapped as user "root".
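
As an added example (not part of the original post), this Python sketch reads a username map in the format shown above and lists every SMB name that resolves to a privileged Unix account, then checks the rule stated earlier that the smbpasswd file must be readable and writable by root only. The function names and the PRIVILEGED set are assumptions; the map text is the sample from this page, and the permission check runs against a temporary stand-in file.

```python
import os
import shlex
import stat
import tempfile

PRIVILEGED = {"root"}  # assumption: add any other administrative accounts

# The username map shown on this page, embedded as sample input.
SAMPLE_MAP = """\
# Unix_name = SMB_name1 SMB_name2 ...
root = windoze1 windoze2
nobody = guest pcguest smbguest
mark = windoze3
"""


def parse_username_map(text):
    """Return [(unix_user, [smb_names])] from smb.conf 'username map' syntax."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        unix_user, names = line.split("=", 1)
        # A leading '!' only tells Samba to stop at the first match; drop it.
        unix_user = unix_user.strip().lstrip("!").strip()
        entries.append((unix_user, shlex.split(names)))  # names may be quoted
    return entries


def risky_mappings(text):
    """List SMB names that resolve to a privileged Unix account."""
    findings = []
    for unix_user, names in parse_username_map(text):
        if unix_user in PRIVILEGED:
            findings.append(f"{' '.join(names)} -> {unix_user} (privileged account)")
    return findings


def smbpasswd_problems(path, owner_uid=0):
    """Check the page's rule: readable and writable by root only."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    if st.st_uid != owner_uid:
        problems.append(f"owned by uid {st.st_uid}, expected {owner_uid}")
    if mode & 0o077:
        problems.append(f"group/other bits set: {mode:04o}")
    return problems


def demo():
    """Run both checks; the smbpasswd check uses a temporary stand-in file."""
    with tempfile.NamedTemporaryFile() as tmp:
        os.chmod(tmp.name, 0o644)
        loose = smbpasswd_problems(tmp.name, owner_uid=os.getuid())
        os.chmod(tmp.name, 0o600)
        tight = smbpasswd_problems(tmp.name, owner_uid=os.getuid())
    return risky_mappings(SAMPLE_MAP), loose, tight


if __name__ == "__main__":
    print(demo())
```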

The lmhosts file

You may want to edit the /etc/lmhosts file depending on how you are providing your samba name services. Below is an example:
127.0.0.1 localhost
10.1.0.100 mymachine
10.1.3.16 george
This file may be used by the system to get IP addresses from host names. It may not be necessary for you to configure this file. You may need it if you do not have a DNS server available or your DNS server is not configured properly. If you get a message like "Resource is unavailable" you should try creating this file.

Upon completion

You will need to issue the following commands to complete the setup of Samba services:
  1. Enter the users' passwords with the command "smbpasswd -a user". This command is used to enter passwords for your users and is required for each user if you are using encrypted passwords which should be the case.
  2. If running the startup daemons, use one of the following choices of "samba restart", "samba start", "/etc/rc.d/init.d/smb restart", or "/etc/rc.d/init.d/smb start". Don't forget to set your startup services in Redhat's linuxconf program to run Samba services the next time you boot your system.
  3. If running Samba from inetd, start it with "killall -HUP inetd".
Examples of commands you may need or want to use
testparm |more
To see the results of your changes. May have to restart inetd (below)
smbpasswd -a user
To set samba passwords. See the smbpasswd(8) man page for more information.
samba restart
To restart the Samba services when running through the startup scripts. This allows changes to take effect. You can use the command start, stop, or status to start, stop, or see the status of the service, respectively.
/etc/rc.d/init.d/smb restart
The same as the Samba restart command, but this command directly invokes the Samba startup script.
smbclient -L mymachine
To tell what services are running under samba
smbmount
Used to mount volumes from windows machines
killall -HUP inetd
To restart the inetd daemon and therefore allow new settings for this daemon or any subdaemon to be implemented. You will use this command only if you run Samba using the inetd daemon.

Common Pitfalls

Many times those setting up Samba services will either have trouble browsing for their computer on the network or logging in. Below I have listed some possible reasons for these problems and what you should check:
  • Unable to browse:
    1. Check to be sure the name of your workgroup is correct in the /etc/smb.conf file with the statement "workgroup = mygroup".
    2. Check to be sure the line "browseable = yes" is included in the [global] section of /etc/smb.conf.
    3. You may need to set up the lmhosts file if you do not have a DNS server or your DNS server is not configured with your samba server IP address and name.
    4. Type "ps -ax |grep smb" and you should see a line like "784 ? S 0:00 smbd -D". If you don't, your services are not running and you should start them.
    5. If you are attempting to run Samba services from inetd using the inetd.conf file, run Samba as a startup service and see if that fixes the problem.
  • Unable to login with the system producing a message saying the password is incorrect.
    1. Check the log files in the /var/log/samba directory. First look for a file "log.machinename" where machinename is the name of the machine you are logging in from. You can "cat log.machinename" or use less or more to see the file.
    2. Be sure your user mapping is correct.
      1. Be sure the line "username map = /etc/smbusers" is included in the /etc/smb.conf file. Also check the log.smb file.
      2. Be sure the /etc/smbusers file contains line(s) like "unixuser = windozemachine1 windozemachine2 winuser1 winuser2 ...". The unix user is normally the name of the equivalent user you want to log in as such as root. I always put the machine name and all windows users names in the file to be sure that if the login is by machine name or Windows user name, it will be translated to a unix user name. Normally it is Windows user name. You will find out by examining the file "log.machinename".
    3. Be sure you are logging in using encrypted passwords from both the Linux and windows sides.
      1. Be sure the lines "encrypt passwords = yes" and "smb passwd file = /etc/smbpasswd" are in the /etc/smb.conf file and are not commented out with a ';' or '#' character in front of the line.
      2. Be sure you have added the users you are trying to log in as with the "smbpasswd -a user" command where user is the name of the Linux user you want to log in as. For instance the command is "smbpasswd -a root" to set the password up for the root user.
      3. Be sure Windows 95 is sending encrypted passwords. There is an upgrade patch for Windows 95 from Microsoft to make this change. This is only necessary for old versions of Windows 95. Windows 98, NT, 2K all send encrypted passwords by default. Therefore unless you are using one of the first versions of Windows 95 that came out, you should not have this problem.
Be sure you restart Samba every time you make a change to the /etc/smb.conf file to put your changes into effect.

Mounting and getting windows files from Linux after samba is installed

There are two programs supporting file services from windows:
  1. smbmount - Allows a shared directory on a windows machine to be mounted on the Linux machine.
  2. smbclient - Works similar to an ftp client, enabling the user to transfer files.
smbmount //winhost/windows /mnt/name_windows -c mylinuxmachine
This command mounts the directory "windows" on the windows computer "winhost" on the machine named "mylinuxmachine". The directory "windows" must have sharing enabled for this to work. To unmount:
smbumount /mnt/name_windows
The smbclient program works with the following syntax:
smbclient //winmachine/dirsharename -s /etc/smb.conf
The winmachine is the NetBIOS name of the serving machine with the shared resource on it.
The dirsharename is the share name of the directory.
The "-s /etc/smb.conf" indicates the path of the samba configuration file.
After entering the above command you will get a password prompt. If no password is required, press "return", otherwise enter the required password. Upon successful login you can look at the directory with the "dir" command. Below are some available commands:
  • dir - directory
  • get remotefile localfile
  • cd - Change directory
  • exit, q, or quit - To exit the program
  • help - for help information
  • mkdir - make directory
See the man page on smbclient for a full set of commands. Note: I've had trouble getting this program to work with windozeNT.

Some notes on the smb.conf file format

Variables as found in the smb.conf file are as follows:
  • %a - The architecture of the client machine such as Samba, WfWg, WinNT, Win95
  • %d - The PID of the server process.
  • %g - The group ID of the service's username (The name the client got)
  • %G - The group ID of the session requested username
  • %h - The internet (DNS) samba server host name.
  • %H - The user's home directory.
  • %I - The client machine's IP address.
  • %L - The NetBIOS server name
  • %m - The NetBIOS client name
  • %M - The internet (DNS) client host name.
  • %n - .
  • %N - NIS home directory server name.
  • %p - The path of the service's home directory from NIS auto.map.
  • %P - The current services' root directory.
  • %R - The protocol level. CORE, COREPLUS, LANMAN1, LANMAN2, or NT1.
  • %S - The name of the current service.
  • %T - The current date and time.
  • %u - The client's username
  • %U - The username the client wanted.
  • %v - Samba version number.
There are many global and service parameters defined in the smb.conf file. Read the man page on smb.conf for a complete list. Here is a list of a few global parameters:
  • auto services - Directories automatically visible to all users browsing the network.
  • bind interfaces only - Limits the interfaces to serve samba requests.
  • deadtime - The timeout for inactive connections
  • debug level - The level of messages for logging.
  • default service - The service to be connected if the service requested cannot be found. EX:
    default service = docs
    [docs]  path= /%S
  • directory mask - Octal file settings used to convert DOS modes to UNIX modes when creating directories.
  • directory security mask - Controls file permissions that can be modified by windows clients.
  • dns proxy - Specifies that the nmbd daemon, if running as WINS server, should treat unknown names as DNS names and do a DNS lookup.
  • lock directory - The path of the directory where lock files are stored.
  • message command - Samba's command to run in response to WinPopup messages.
  • name resolve order - The query order for resolution of name to IP addresses. Values are bcast, hosts, wins and lmhosts.
  • netbios aliases - Other names the samba server is called and will answer to.
  • netbios name - The samba server's netbios name.
  • smb passwd file - The path for the encrypted Samba password file.
  • smbrun - The path of the smbrun program used to execute shell commands for the samba daemon.
  • socket address - Controls the address on which Samba will listen for connections.
  • syslog - Sets the threshold for sending messages to syslog
  • syslog only - Use syslog rather than samba log files

SWAT configuration

SWAT allows an administrator to configure the smb.conf file using a web browser. To use it you need to do the following:
  1. Add the following line to your /etc/services file:
    swat 901/tcp  # Swat Samba configuration services
  2. Add the following line to your /etc/inetd.conf file:
    swat      stream  tcp     nowait.400      root /usr/sbin/swat swat
  3. Type "killall -HUP inetd" to reload the inetd.conf file.
  4. On your local machine, address your web browser to http://localhost:901/
  5. If you connect over the network through a remote machine you should know that your password will be sent in the clear.
  6. SWAT will rewrite your smb.conf file and remove comments. Back up your smb.conf file before using SWAT.
For more information on NetBIOS, WINS, SMB, and NBNS (NetBIOS Name Server) read "The CTDP Networking Guide".