Last modified: 18-05-2024
Introduction to Samba |
Samba is an open-source implementation of the SMB/CIFS protocol, the protocol Windows hosts use to share drives and printers with each other.
If you want to log who does what on the Samba server, each Windows user must have their own Linux account. To share a directory or printer on a Linux server with Windows users, you must 1) create the accounts on the Linux host (no login shell is needed if the user will only ever talk to the server through Samba), 2) use smbpasswd (or pdbedit) to add each user's password to the Samba password database (the Unix password hashes and the NT hashes Windows clients authenticate with are not compatible, so the password has to be entered a second time), 3) edit smb.conf to share the directory, and 4) check the Unix access rights on that directory so that Samba and the Windows users can work with it as planned. Samba can further restrict access rights, but it can never grant more than Unix does.
Generally speaking, remember that Samba is just a layer on top of Unix: This means that things must be configured right both in Samba and Unix (user accounts, file access rights).
Things to know:
As of 2023, the only books available were published long ago; the wiki is today's authoritative source of information:
https://wiki.samba.org/index.php/User_Documentation
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Standalone_Server
https://wiki.samba.org/index.php/FAQ#Samba_as_an_standalone_server
NetBIOS is on its way out now that SMBv1 has to be turned off (after WannaCry), so take a look at wsdd/Avahi/Bonjour (so Samba hosts can still advertise themselves on the network) and DynamicDNS (what Linux implementation?)
Ubuntu (11.04) offers several packages to install Samba. Note that "samba" implicitly refers to Samba 3, while samba4 refers to... Samba 4.
Here are the Samba 3 packages:
Here's how to install Samba:
http://www.reallylinux.com/docs/sambaserver.shtml
http://www.reallylinux.com/docs/windowstolinux.shtml
[root@sip asterisk]# yum search samba
LATER
NetBIOS UDP
WINS, /etc/hosts, DNS
Domain master browser
Local master browser
With SMB1 gone because of WannaCry, NetBIOS browsing went with it; Windows now discovers hosts with WS-Discovery instead, and wsdd implements that protocol so a Samba server shows up again in Windows' Network Neighborhood.
apt-get install wsdd
If unavailable as a package:
service wsdd start
wsdd is a Python script listening on TCP 5357 and UDP 3702/46744.
Infos:
Here's /etc/samba/smb.conf:
Here's a newer version, for Samba4 and without WINS (since it's gone with SMB1 turned off):
To let Windows users who log onto their computer without a password connect to a Samba share without typing a password either, here's the smb.conf you can use. This is very insecure, since every user connects and works as the single Unix account "nobody" (no audit trail, no per-user permissions), but it can be acceptable on a home network:
This requires first adding a user + password in /etc/passwd and a matching account in the Samba database (smbpasswd -a jdoe). The Samba username and password must match the ones the user logs onto Windows with, so that Windows authenticates silently instead of prompting when the user connects to the share:
Here's smb.conf:
As root, run smbpasswd -r MYPDC to change a password on the PDC. To change the password of a user account other than root, add the -U option.
The Samba documentation mentions an "add user script" parameter that lets Samba create user accounts on the fly when a new NT user connects to Samba, but I haven't found a trace of it in the 2.0.7-x RPM package that I installed.
I haven't tried it yet, but the following could work: add user script = /usr/sbin/useradd %u. With security = (server | domain), Samba does not store a copy of user passwords; it forwards the authentication step to a DC. So, I guess you can leave those dynamically-created accounts with no password, and not worry about running passwd or smbpasswd.
To authenticate users against NT DCs, set password server = MYPDC, MYBDC. Alternatively, set password server = * to tell Samba to find DCs itself (by querying a WINS server or other means, and look for MYDOMAIN<1C> resources.)
Here's how to configure Samba so it will only accept connections from certain IPs (where the two lists conflict, hosts allow takes precedence over hosts deny):
hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24
hosts deny = 0.0.0.0/0
In /etc/smb.conf, set security = domain and password server = MYPDC MYBDC. If MYPDC cannot be resolved, check that NetBIOS name resolution works. Then join the domain:
smbpasswd -J MYDOMAIN
Samba 2.0.x can act as PDC only to NT4 clients. If you have Windows2000 clients, you'll have to use Samba 2.2.x or the forked branch Samba TNG ("The New Generation.") As of June 2001, I have only tested the 2.2.x version, which seems to work.
Haven't tried yet. http://www.ibiblio.org/pub/packages/samba/docs/htmldocs/winbind.html
[global]
   printing = bsd
   print command = /usr/bin/lpr -r %s
   printcap name = /etc/printcap

[printers]
   path = /var/spool/printer
   printable = true
   guest ok = true
   guest account = pcguest

[printer1]
   printable = yes
   printer = lp
   read only = yes
   guest ok = yes

If you create a share named [printers] in the configuration file, Samba will automatically read your printer capabilities file and create a printing share for each printer that appears in it. Second, try the command testprns printername (Samba 2.x; later versions no longer ship it). This is a simple program that verifies that the specified printer is available in your printcap file. If your printcap file is not in the usual place, you can specify its full pathname as the second argument:
# testprns lp /etc/printcap
Looking for printer lp in printcap file /etc/printcap
Printer name lp is valid.
Just like NT, Samba can send the printer driver the first time a user installs the printer on his Windows client. This avoids having each user run the Printer Wizard on his Windows client:
The best solution is to have Samba handle encrypted passwords: add "encrypt passwords = yes" to smb.conf and maintain the Samba password database. With security = [ share | user ], that database is /etc/smbpasswd. Note that the hashes in /etc/shadow cannot be converted into the NT/LM hashes Samba needs (the algorithms differ): the mksmbpasswd.sh script only creates /etc/smbpasswd entries for the users listed in /etc/passwd, and each user still has to set his Samba password once with the smbpasswd command after setting his Unix password with passwd. Alternatively, delegate authentication to an NT server (security = [ server | domain ]), in which case Samba stores no password at all.
Another, less satisfactory solution is to force the Windows hosts to send the user's password in clear text. For this, edit the following Registry key (this is the Windows 9x key; NT-based systems use a different one under Rdr\Parameters):
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\VNETSUP]
"EnablePlainTextPassword"=dword:00000001
To keep the Unix password in step when a user changes his Samba password:
unix password sync = yes
passwd program = /usr/bin/passwd %u
Note: make sure you use the correct path to passwd, and that "passwd chat" matches the prompts your passwd program prints.
Each subnet runs a Local Master Browser, which collects the list of hosts announcing themselves on that subnet. Local Master Browsers exchange their lists with the Domain Master Browser, so each of them can download a complete, up-to-date list of the hosts in the domain. For this synchronization to occur across subnets, use remote announce =
. If your network has several subnets (and routers do not forward broadcasts), you also need a host acting as WINS server so that clients can resolve NetBIOS names into IP addresses.
Note that an NT PDC will always be the Domain Master Browser for a domain, so it's not a good idea to set a Samba server to become one (ie. do not use domain master = yes if an NT PDC is available in your domain.)
To allow Samba to participate in the election for Local Master Browser, set local master = yes. Although not recommended, if you want Samba to win against NT servers, set os level = 65.
To find out which host is the Local Master Browser for a workgroup (it registers the NetBIOS name SIMPLE<1D> and the group name __MSBROWSE__<01>), run nmblookup -M SIMPLE, or nmblookup -M - to query __MSBROWSE__ directly.
To find out which host is the Domain Master Browser (it registers the name SIMPLE<1B>), run nmblookup SIMPLE#1b.
Note that in a Windows 2000 environment, browsing has been replaced with Active Directory, and has been kept only for backwards compatibility.
To list the shares of a host (the password given after % on the command line is visible to every local user in ps, so do this only on a trusted host):
smbclient -L $host -U test%tttttttt -R wins
To display messages received from SMB hosts, set (the message file is deleted after display):
message command = csh -c 'xedit %s;rm %s' &
To send an instant message to an SMB host, run smbclient -M REMOTEHOST, type your message, followed by CTRL-D.
for host in `cat ./hosts.txt`; do
    # the patterns are quoted so the local shell does not expand them
    smbtar -s $host -u test -p tttttttt -x backup -d / -t /dev/tape -v '*.c' '*.cpp' '*.h'
done
#!/bin/bash
#------- Remove old log files
if [ -f ./log.txt ]; then
    mv ./log.txt ./log.txt.prev
fi
if [ -f ./log.err.txt ]; then
    mv ./log.err.txt ./log.err.txt.prev
fi
exec >./log.txt 2>./log.err.txt

#----------- Start copying
if [ ! -d ./AcmeBackup ]; then
    mkdir ./AcmeBackup
fi
cd ./AcmeBackup
for host in `cat ../acme.txt`; do
    if [ ! -d ./$host ]; then
        mkdir ./$host
    fi
    cd ./$host
    echo Started backing up $host at `date`
    # the password on the command line is visible to every local user in ps;
    # prefer -A /path/to/credentials-file (mode 600)
    smbclient //$host/backup -U BackupExec%password -R wins << EOF > /dev/null
prompt off
recurse
mask *.c
mget *
mask *.cpp
mget *
mask *.h
mget *
exit
EOF
    echo Back up of $host ended at `date`
    cd ..
done
If the SD card is formatted as VFAT (FAT32), it cannot store Linux ownership or access rights: on such a volume they are fixed for all files by the uid=, gid= and umask= mount options in /etc/fstab, not by chmod/chown.
# systemctl disable samba-ad-dc
# systemctl enable samba nmbd.service smbd.service
Don't know which does the trick, but this works:
force create mode = 0644
create mask = 0664
security mask = 0664
force security mode = 0664
(create mask is ANDed with the mode the client asks for, then force create mode is ORed in, so the create pair alone already yields 0664; the security pair applies the same rule when a client edits permissions from Windows.)
"read only = no" and "writable = yes" (also spelt "writeable") mean the same thing.
Likewise for "guest ok = yes" and "public = yes".
Just add those two lines to enable anyone to read/write files in a share without being prompted for a login/password:
If the server will not handle printers, add "printing = bsd" and "printcap name = /dev/null" to get rid of this warning in the log:
After adding a second Samba server on the same LAN with no browser-related settings, I reconfigured the second host thusly:
... and the first host thusly:
Reload nmbd on the new domain/local master and check that it won the election.
Just run "/etc/init.d/smbd start" and "/etc/init.d/nmbd start", followed by "ps aux | grep mbd" to check
It's not possible: Samba has to bind to privileged ports anyway, and smbd must run as root so it can switch the effective UID of the process to the connecting user before performing operations on his behalf.
Running Samba in a chroot reduces what a compromised smbd can reach on the filesystem, but since smbd still runs as root (see above) and root can usually break out of a chroot, treat it as defence in depth rather than a security boundary.
;what to do with a logon as an unknown user
;other possible values: never, bad password, bad uid
map to guest = bad user
;allow guest account
guest ok = yes
;which guest account to use instead
guest account = smbguest
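The guest configuration above, the hosts allow/deny lines and the "encrypt passwords" discussion boil down to a handful of smb.conf settings worth checking before a server goes on a network. Here is an added example, written for this page and not part of Samba or of these notes, that audits an smb.conf for those settings: a small POSIX sh/awk parser plus an audit function, run against a constructed copy of the "nobody types a password" home configuration and a hardened variant. The file contents, share names and paths are made up; the parameter names and the fact that Samba 4.11 stopped accepting SMB1 by default are Samba's own.

```shell
#!/bin/sh
# Added example (not from the page or Samba): audit an smb.conf for the weak
# settings discussed above. POSIX sh + awk only, so it runs anywhere.

# Constructed sample: the "home network, nobody types a password" configuration.
SAMPLE_CONF='[global]
   workgroup = MYGROUP
   security = user
   map to guest = bad user
   encrypt passwords = no
   server min protocol = NT1

[public]
   path = /srv/public
   guest ok = yes
   writable = yes
   hosts allow = 127.0.0.1 192.168.2.0/24
'

# Constructed hardened variant: per-user share, no guest mapping, SMB2+ only.
HARDENED_CONF='[global]
   workgroup = MYGROUP
   security = user
   map to guest = never
   encrypt passwords = yes
   server min protocol = SMB2
   hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24
   hosts deny = 0.0.0.0/0

[jdoe]
   path = /home/jdoe
   valid users = jdoe
   writable = yes
'

# smb_get SECTION KEY: print the value of KEY in [SECTION] from the config on
# stdin, lowercased and trimmed; prints nothing if unset. Comment lines (; or #)
# are skipped and matching is case-insensitive, like Samba's own parser.
smb_get() {
    awk -v want_sec="$1" -v want_key="$2" '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/   { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/].*$/, "", sec); next }
        index($0, "=") && tolower(sec) == tolower(want_sec) {
            key = $0; sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (tolower(key) == tolower(want_key)) {
                val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
                print tolower(val); exit
            }
        }'
}

# smb_sections: print every section name (lowercased) from the config on stdin.
smb_sections() {
    awk '/^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/].*$/, "", s); print tolower(s) }'
}

# get_val CONF SECTION KEY: smb_get over a config held in a shell variable.
get_val() { printf '%s\n' "$1" | smb_get "$2" "$3"; }

# audit_smbconf: read an smb.conf on stdin, print one line per finding.
audit_smbconf() {
    conf=$(cat)

    v=$(get_val "$conf" global 'map to guest')
    if [ -n "$v" ] && [ "$v" != never ]; then
        echo "[global] map to guest = $v: failed logons become guest sessions"
    fi
    if [ "$(get_val "$conf" global 'encrypt passwords')" = no ]; then
        echo "[global] encrypt passwords = no: clients may send cleartext passwords"
    fi
    if [ "$(get_val "$conf" global security)" = share ]; then
        echo "[global] security = share is deprecated; use security = user"
    fi
    v=$(get_val "$conf" global 'server min protocol')
    [ -z "$v" ] && v=$(get_val "$conf" global 'min protocol')
    case "$v" in
        core|coreplus|lanman1|lanman2|nt1)
            echo "[global] server min protocol = $v: SMB1 still accepted" ;;
        '') echo "[global] server min protocol unset: Samba before 4.11 accepts SMB1 by default" ;;
    esac
    if [ -z "$(get_val "$conf" global 'hosts allow')" ]; then
        echo "[global] no hosts allow: connections accepted from any source address"
    fi

    # Share-level checks (section names containing spaces are not handled here).
    for s in $(printf '%s\n' "$conf" | smb_sections); do
        [ "$s" = global ] && continue
        guest=$(get_val "$conf" "$s" 'guest ok')
        [ -z "$guest" ] && guest=$(get_val "$conf" "$s" public)
        w=$(get_val "$conf" "$s" writable)
        [ -z "$w" ] && w=$(get_val "$conf" "$s" writeable)
        ro=$(get_val "$conf" "$s" 'read only')
        if [ "$guest" = yes ] && { [ "$w" = yes ] || [ "$ro" = no ]; }; then
            echo "[$s] guest-writable share: anyone on the network writes as the guest account"
        fi
    done
}

# Stand-alone use: audit the file given as argument, else the constructed sample.
if [ $# -gt 0 ]; then
    audit_smbconf < "$1"
else
    printf '%s\n' "$SAMPLE_CONF" | audit_smbconf
fi
```

Run it as sh audit.sh /etc/samba/smb.conf; with no argument it audits the constructed sample, which produces five findings (guest mapping, cleartext passwords, SMB1, no hosts allow, a guest-writable share), while the hardened variant produces none. The parser is deliberately minimal: it does not follow "include =" lines or expand Samba's % variables, so treat it as a first pass rather than a replacement for reading testparm -s output.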
Samba-TNG is a fork of Samba that occurred in 2000, but seems to have not achieved much.
Likewise is a dual-licensed product that lets a Unix server be part of a Windows Active Directory and thus delegate authentication. Apparently, it also includes a full alternative to Samba as SMB/CIFS server.
CEO Perspective: History Behind Likewise-CIFS
In the [global] section, add encrypt passwords = yes.
Voilà! User jdoe has an account on the Samba server (/etc/passwd), an MD5-hashed password (/etc/shadow), and a matching NT hash in Samba's database /etc/smbpasswd to keep Windows happy.
security=share is deprecated anyway.
As root, run smbpasswd -x 'w2kclient$' (quote the name so the shell leaves the trailing $ alone; it marks a machine account).
Open a DOS box, and run "net use \\mylinux\ipc$ /user:jdoe", where jdoe is the user account that you created above
Open a DOS box, and run "net use x: \\mylinux\jdoe". If you are not logged on as user jdoe on the Windows host, run "net use x: \\mylinux\jdoe /user:jdoe", and type jdoe's password as entered when you ran smbpasswd to create this user's encrypted password
To disconnect the mapped drive: net use x: /d
On a host running Samba, type nmblookup -M - (or nmblookup -M MYDOMAIN)