Samba Notes
From Free Knowledge Base- The DUCK Project: information for everyone
Samba has evolved over the years from the original SMB Server to present day CIFS. Linux CIFS Utils and Samba are both used to accomplish the same thing, with the latter having expanded resources for compatibility and contemporary networking.
For current documentation see: Linux CIFS Utils and Samba
For legacy Samba (SMB) usage see the documentation below:
__ _
-o)/ / (_)__ __ ____ __ Derek Winterstien
/\\ /__/ / _ \/ // /\ \/ / r.o.a.c.h.@.r.o.b.o.t.z...c.o.m
_\_v __/_/_//_/\_,_/ /_/\_\
-----------------------
[[[[[ Samba Notes ]]]]]
~~~~~~~~~~~~~~~~~~~~~~~
-> How to add an NT machine into the linux samba server which is the PDC
(Primary Domain Controller) for the Micro$oft network.
syntax: adduser {computer name}$ -M -u {uid}
smbpasswd -a -m {computer name}
example: adduser garfield$ -M -u 501
smbpasswd -a -m garfield
* you must include the '$' string character when adding the machine name to
the passwd file.
* do not include the string character when adding the machine name to the
smbpasswd file.
* the -a switch indicates to 'add' to the smbpasswd file while the -m
switch tells samba you are adding a machine and not a human user.
-> How to add a new domain user into he linux samba server so that he/she may
be a member of the NT domain.
syntax: adduser -u {uid} {username}
passwd -u {username} -f
passwd {username}
smbpasswd -a {username}
example: adduser -u 1001 britney
passwd -u britney -f
passwd britney
smbpasswd -a britney
* the second step may not be necessary but is recommended for some versions
of samba as it prevents certain password related problems.
* the username is added to the passwd file without the '$' string character
because it is only necessary to use that character when adding machines
to the NT domain.
* the final step adds the new user into the smbpasswd file.
-> Net logon script and how to automatically map clients to network drives
In smb.conf there needs to be a section that looks something like this:
[netlogon]
comment = Network Logon Service
path = /home/netlogon
guest ok = yes
write list = @adm
The write list is only necessary allowing a group of users to modify
policies and/or the netlogon batch file. The file logon.bat is used
as the logon script which can automatically map network drives.
In logon.bat (/home/netlogon/logon.bat) use the following example:
net use h: /home
net use i: \\myserver\public
net use m: \\myserver\mailYou have new mail in /var/spool/mail/root
Where 'myserver' is the netbios name of the *workgroup or domain server.
*netlogon services in domain under public viewable mode
-> Prevent Samba from chaning filename case and case mangling
Include the following in /etc/samba/smb.conf under the Global Parameters:
preserve case = Yes
short preserve case = Yes
mangle case = No
--------------------------------------
[[[[[ MS WINDOWS SHARES & ACCESS ]]]]]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-> Mount Windows share to Linux workstation
smbmount //NETBIOSNAME/sharename /home/linuxuser/mnt/NETBIOSNAME/sharename -o
username=winlogon%winpassword,fmask=644,dmask=755,uid=xxxx,gid=x,ip=10.10.x.x,debug=0
xxxx is the user id of the linuxuser
10.10.x.x is the IP address of the ms windows computer with the name
NETBIOSNAME
To use smbmount as a user (not root) you need to suid it to root
chown root smbmnt; chmod u+s smbmnt
--------------------------------------
[[[[[ SHARE ACCESS & PERMISSIONS ]]]]]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-> Directory and File Permissions
how windows reacts to linux file permissions on a samba share
: :
Files:...:.................................................................
: :
: : open/read? rename/del? save/write?
0 : : no
1 : x : no
2 : w : no
3 : wx : no
(4) : r : yes yes no
5 : r x : yes yes no
(6) : rw : yes yes yes
7 : rwx : yes yes yes
: :
Directorys:................................................................
: :
: : open? see? read? write?
0 : : no n/a no n/a
1 : x : yes no no no
2 : w : no n/a no n/a
3 : wx : no n/a no n/a
4 : r : yes no no no
(5) : r x : yes yes yes no
6 : rw : yes no no no
(7) : rwx : yes yes yes yes
: :
: : open? = can open folder? read? = open file in folder
: : see? = can see contents? write? = rename/write file/folder
...:.....:.................................................................
: :
read only = no -> By default Samba will always make any directory read only.
Setting to 'no' tells samba to allow the creation of directories.
browseable = no -> home directory share browseable only by user. The share
will be invisible in network neighborhood.
browseable = yes -> directory visable in network neighborhood.
public = yes -> Anyone can browse and access contents of a directory share
write list = username1, username2 -> only these people can delete and add
files while everyone else can only view and execute files.
It is possible to use only Linux file permissions to manage Samba share
access. Here is an example:
create mask = 0674
force create mode = 0664
directory mask = 0775
The example above creates a share everyone can see, but only members of a
special group may delete/rename/write files and folders.
recommendation:
[homes]
create mask = 0620
directory mask = 0710
When using Linux file permissions to control Samba users note that the user
permissions for a file override group permissions for the file. This is not a
system of most permissive, but of user permission is more important than
group.
These specific parameters control read and write access to files and
directories as an alternative to strictly using 'force mask' with Linux file
permissions only:
available = YES default, if NO share ***visible but not accessable
***samba doc incorrect, share will not even be visible if NO (no
list seems to override this option, not even valid users or users)
browsable = YES default, if NO share is invisible in network neighborhood
but still accessable by entering absolute network path. *useful*
inherit permissions = NO default, if yes subdirectories are created with the
same permissions as their parent directories. Overrides create
mask, directory mask, force create mode, and force directory mode.
invalid users = username1, username2 list of users denied access to share.
only user = NO default, if YES users of share must be in the list specified
by the user option
public = NO default, if YES no password needed to access share
read list = username1, username2 list of users read-only access to share
read only = NO default, if YES share is read-only
valid users = username1, username2 list of users allowed access to share.
writable = YES default, if NO same as read only = YES
write list = username1, username2, list of users write access to share.
note: Samba never sets the setuid bit when creating a file or directory.
samba parameters -vs- file permissions
--------------------------------------
*deny overrides allow in all cases
*samba parameters override user and group name
*all must agree to allow before allowed
so,
if the file permissions say deny and samba says allow = deny
if the file permissions say allow and samba says deny = deny
if the file permissions say allow and samba says allow = allow
example: lazygirl owns the linux folder 'share' and has rwx file permissions
in her username. lazygirl is also in the @admin group which is the group
owner of the folder share. However, under [share] is the parameter invalid
users = lazygirl along with write list = @admin ..... the result is that
lazygirl is still denied access. Security first, deny overrides allow.
-> use 'testparm' to check your smb.conf file before starting the samba
server.
-> Upgraded from 2.x.x to 3.0.x and user access to home dir denied
Replace the parameter "valid users" with "users" under [homes]. The
valid users parameter will cause tree connect failed:
NT_STATUS_ACCESS_DENIED
in versions 3.0.x and above.
one approach:
Files created will have group assigned to file of group associated with
user that created the file from /etc/passwd. Always assign the most
permissive group to the user in the passwd file. Disadvantage is that
files created in a public share by an administrative user will have the
administrative user group assigned, preventing full access from anyone else
in the public share, which defeats the point of a public share.
another approach:
set rwx with file permissions and control user access though Samba with
Samba parameters. This works great until you give users shell access.
perhaps the best approach:
set all users in passwd to 'users' group so created files and directories
are always 'users' group. Use a combination of group Linux file permisions
set appropriately with Samba read and write lists to lock down your file
server security from both aspects.
best: use a combination of Linux file permissions and Samba parameters.
----------------------------------
[[[[[ SAMBA SHARE PARAMETERS ]]]]]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
List of parameters used in share definitions [sharename] ... parameter1 ...
parameter2 ... parameter3 ...
..............................................................................
admin users :
allow hosts :
available :
blocking locks :
browsable :
browseable : (same as browsable)
comment : user comment
copy :
create mask : max allowable permissions for new file
create mode : (same as create mask)
default case : new filename case UPPER/LOWER
delete readonly :
delete share command :
deny hosts :
directory :
directory mask : max allowable permissions for new directory
directory mode : (same as directory mask)
directory security mask:
dont descend :
dos filemode :
dos filetime resolution:
dos filetimes :
exec :
fake directory create t: imes: bug fix for users of Microsoft nmake
follow symlinks :
force create mode : forces creat mask on files
force directory mode : forces directory mask on directories
force directory securit: y mode:
force group : user 'becomes' member of this group when in share
force security mode :
force user : user 'becomes' someone else when in share
group :
guest account : default is 'nobody'
guest ok : (same as public YES)
guest only :
hide dot files : .files on linux appear +h to windows user
hide files : list of files in share to appear to have +h set
hide unreadable :
hosts allow :
hosts deny :
include :
inherit acls :
inherit permissions :
invalid users :
level2 oplocks :
locking :
machine password timeou: t:
magic output :
magic script :
mangle case : mangles a filename if of mixed case
mangled names : abbrev to DOS 8.3 names that are too long/unsupported
mangling char :
map archive :
map hidden :
map system :
max connections :
msdfs root :
only guest :
only user : users must be in list, default NO
path :
pid directory :
postexec :
preexec :
preload :
preserve case :
print ok :
public : default NO, if YES no password need for share
read list :
read only :
root postexec :
root preexec :
root preexec close :
security mask : requires ny acl support = YES
set directory :
share modes :
short preserve case :
strict allocate :
strict locking :
strict sync :
sync always :
use sendfile :
user : (same as username)
users : username list or %s
username : (same as users, for share-level security)
valid chars :
valid users :
volumn string :
wide links :
writable :
writeable : (same as writable)
write ok :
write cache size :
write list : users or groups with write permission for share
write raw :
.......................:......................................................
Here is a complete list of all Samba parameters (we are aware of):
abort shutdown script, add printer command, add machine script,
add share command, add user script, admin users, ads server,
algorithmic rid base, allow hosts, allow trusted domains, announce as,
announce version, auth methods, auto services, available,
bind interfaces only, block size, blocking locks, browsable,
browse list, browseable, case sensitive, casesignames,
change notify timeout, change share command, character set,
client code page, code page directory, coding system, comment,
config file, copy, create mask, create mode, csc policy, deadtime,
debug hires timestamp, debug pid, debug timestamp, debug uid,
debuglevel, default, default case, default devmode, default service,
delete printer command, delete readonly, delete share command,
delete user script, delete veto files, deny hosts, dfree command,
directory, directory mask, directory mode, directory security mask,
disable spools, dns proxy, domain admin group, domain guest group,
domain logons, domain master, dont descend, dos filemode,
dos filetime resolution, dos filetimes, encrypt passwords,
enhanced browsing, enumports command, exec,
fake directory create times, fake oplocks, follow symlinks,
force create mode, force directory mode,
force directory security mode, force group, force security mode,
force unknown acl user, force user, fstype, getwd cache, group,
guest account, guest ok, guest only, hide dot files, hide files,
hide local users, hide unreadable, homedir map, host msdfs,
hosts allow, hosts deny, hosts equiv, include, inherit acls,
inherit permissions, interfaces, invalid users, keepalive,
kernel oplocks, lanman auth, large readwrite, ldap admin dn,
ldap filter, ldap port, ldap server, ldap ssl, ldap suffix,
level2 oplocks, lm announce, lm interval, load printers, local master,
lock dir, lock directory, lock spin count, lock spin time, locking,
log file, log level, logon drive, logon home, logon path,
logon script, lppause command, lpq cache time, lpq command,
lpresume command, lprm command, machine password timeout,
magic output, magic script, mangle case, mangled map, mangled names,
mangled stack, mangling char, mangling method, map archive,
map hidden, map system, map to guest, max connections, max disk size,
max log size, max mux, max open files, max print jobs, max protocol,
max smbd processes, max ttl, max wins ttl, max xmit, message command,
min passwd length, min password length, min print space, min protocol,
min wins ttl, msdfs root, name resolve order, netbios aliases,
netbios name, netbios scope, nis homedir, non unix account range,
nt acl support, nt pipe support, nt smb support, nt status support,
null passwords, obey pam restrictions, only guest, only user,
oplock break wait time, oplock contention limit, oplocks, os level,
os2 driver map, pam password change, panic action, passdb backend,
passwd chat, passwd chat debug, passwd program, password level,
password server, path, pid directory, posix locking, postexec,
postscript, preexec, preexec close, preferred master, prefered master,
preload, preserve case, printable, printcap name, print command,
printer, printer admin, printer driver, printer driver file,
printer driver location, printer name, printing, print ok,
private directory, protocol, public, queuepause command,
queueresume command, read bmpx, read list, read only, read raw,
read size, realm, remote announce, remote browse sync,
restrict anonymous, root, root dir, root directory, root postexec,
root preexec, root preexec close, security, security mask,
server string, set directory, share modes, short preserve case,
show add printer wizard, shutdown script, smb passwd file,
socket address, socket options, source environment, ssl,
ssl CA certDir, ssl CA certFile, ssl ciphers, ssl client cert,
ssl client key, ssl compatibility, ssl hosts, ssl hosts resign,
ssl require clientcert, ssl require servercert, ssl server cert,
ssl server key, ssl version, stat cache, stat cache size, status,
strict allocate, strict locking, strict sync, strip dot, sync always,
syslog, syslog only, template homedir, template shell, time offset,
time server, timestamp logs, total print jobs, unix extensions,
unix password sync, update encrypted, use client driver, use mmap,
use rhosts, use sendfile, user, username, username level,
username map, users, utmp, utmp directory, valid chars, valid users,
veto files, veto oplock files, vfs object, vfs options, volume,
wide links, winbind cache time, winbind enum users,
winbind enum groups, winbind gid, winbind separator, winbind uid,
wins hook, wins proxy, wins server, wins support, workgroup, writable,
writeable, write cache size, write list, write ok, write raw
---------------------------
[[[[[ SMBCLIENT USAGE ]]]]]
~~~~~~~~~~~~~~~~~~~~~~~~~~~
command: smbclient -L //servername -U username
Produces a list of all server shares after prompting user for the password.
command: smbclient -L //servername -U username%password
Produces a list of all server shares without password prompt.
command: smbclient //servername/sharename -U username%password
Opens a connection to the share on a server. This is useful for testing
samba or accessing a windows share from a linux terminal.
note: for 'sharename' when accessing a samba server use the share's name
defined in smb.conf such as [sharename] not the actual directory path on
the server drive "ie: /home/net.sharename".
---------------------------
[[[[[ SAMPLE SMB CONF ]]]]]
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sample for version 3.x.x stand alone server (not PDC) workgroup server.
Small office network with 192.168.1.x /24 lan Samba is wins server.
[global]
workgroup = WORKGROUPNAME
server string = File Server
interfaces = eth0
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n
*passwd:*all*authentication*tokens*updated*successfully*
unix password sync = Yes
log file = /var/log/samba/%m.log
max log size = 100
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
add user script = /usr/sbin/useradd -g 100 -d /dev/null -s /bin/False
%u
logon script = %U.bat
logon path = \\%L\Profiles\%U
os level = 64
preferred master = Yes
domain master = No
dns proxy = No
wins support = Yes
admin users = administrator
hosts allow = 192.168.1., 127.
printing = cups
[homes]
comment = Home Directories
users = %S
read only = No
create mask = 0620
directory mask = 0710
browseable = No
[Profiles]
path = /home/profiles
read only = No
browseable = No
[printers]
comment = All Printers
path = /home/smbprint
guest ok = Yes
printable = Yes
browseable = No
[tmp]
comment = Temporary file space
path = /tmp
read only = No
guest ok = Yes
create mask = 0664
force create mode = 0664
directory mask = 0774
[share]
comment = Public Share
path = /home/share
read only = No
guest ok = Yes
write list = @users
create mask = 0664
force create mode = 0664
directory mask = 0775
[secret]
comment = Hidden Restricted
path = /usr/local/share
browsable = NO
only user = YES
public = NO
read list = @secret
write list = @secret
users = @secret
valid users = @secret
force group = secret
create mask = 0660
force create mode = 0060
directory mask = 0770
 |
