Samba Notes

From Free Knowledge Base- The DUCK Project: information for everyone
Revision as of 10:49, 27 February 2014 by Admin (Talk | contribs)


Samba has evolved over the years from the original SMB server into an implementation of SMB/CIFS. On Linux the cifs-utils package (mount.cifs) is the client-side way to mount Windows or Samba shares, while Samba itself serves shares and provides smbclient; the smbmount/smbfs tools in the legacy notes below have been replaced by mount.cifs.

For current documentation see: Linux CIFS Utils and Samba

For legacy Samba (SMB) usage see the documentation below:

__   _
  -o)/ /  (_)__  __ ____  __      Derek Winterstien
  /\\ /__/ / _ \/ // /\ \/ /      r.o.a.c.h.@.r.o.b.o.t.z...c.o.m
 _\_v __/_/_//_/\_,_/ /_/\_\

        -----------------------
       [[[[[ Samba Notes ]]]]]
        ~~~~~~~~~~~~~~~~~~~~~~~

-> How to add an NT machine into the linux samba server which is the PDC 
   (Primary Domain Controller) for the Microsoft network.
   
   syntax:  adduser -M -u {uid} {computer name}$
            smbpasswd -a -m {computer name}
   
   example: adduser -M -u 501 garfield$
            smbpasswd -a -m garfield
   
   * you must include the '$' character when adding the machine name to
     the passwd file; the trailing '$' is what marks an NT machine account.
   * do not include the '$' character when adding the machine name to the
     smbpasswd file.
   * the -a switch indicates to 'add' to the smbpasswd file while the -m 
     switch tells samba you are adding a machine and not a human user.
   * a machine account should never be usable for an interactive login: -M
     gives it no home directory, and adding -s /bin/false (or locking it
     with passwd -l) leaves it with no shell, so the only thing the entry
     can do is let the machine join the domain.
   
-> How to add a new domain user into the linux samba server so that he/she may
   be a member of the NT domain.
   
   syntax:  adduser -u {uid} {username}
            passwd -u -f {username}
            passwd {username}
            smbpasswd -a {username}
   
   example: adduser -u 1001 britney
            passwd -u -f britney
            passwd britney
            smbpasswd -a britney
   
   * the second step (unlock the freshly created, still password-less
     account; -f forces the unlock) may not be necessary but is recommended
     for some versions of samba as it prevents certain password related
     problems.
   * the username is added to the passwd file without the '$' character
     because that character is only used when adding machines to the NT
     domain.
   * the third step sets the Unix password; the final step adds the new user
     into the smbpasswd file and prompts for the SMB password.  The two
     passwords are set independently here; 'unix password sync = yes' in
     smb.conf only keeps them in step on later changes made through Samba.

-> Net logon script and how to automatically map clients to network drives

   In smb.conf there needs to be a section that looks something like this:

 [netlogon]
   comment = Network Logon Service
   path = /home/netlogon
   guest ok = yes
   write list = @adm

   Because 'read only' defaults to yes the share is read-only for everyone
   except the write list, which is only necessary to allow a group of users
   to modify policies and/or the netlogon batch file.  Keep that list to
   administrators: every client runs the logon script at logon, so anyone
   who can write it can run commands on every machine in the domain.  The
   file logon.bat is used as the logon script which can automatically map
   network drives; 'logon script = logon.bat' in [global] tells clients
   which file in the netlogon share to fetch.

   In logon.bat (/home/netlogon/logon.bat) use the following example:

   net use h: \\myserver\%USERNAME%
   net use i: \\myserver\public
   net use m: \\myserver\mail
  
   Where 'myserver' is the netbios name of the workgroup or domain server.
   Windows expands %USERNAME% at logon and Samba serves a share of that name
   from the [homes] section.  The netlogon share is publicly readable
   ('guest ok = yes') so that clients can fetch the script before the user's
   own credentials are established.
   
-> Prevent Samba from changing filename case and case mangling

   Include the following in /etc/samba/smb.conf under the Global Parameters:

   preserve case = Yes
   short preserve case = Yes
   mangle case = No

        --------------------------------------
       [[[[[ MS WINDOWS SHARES & ACCESS ]]]]]
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-> Mount Windows share to Linux workstation

smbmount //NETBIOSNAME/sharename /home/linuxuser/mnt/NETBIOSNAME/sharename \
   -o username=winlogon%winpassword,fmask=644,dmask=755,uid=xxxx,gid=x,ip=10.10.x.x,debug=0

   xxxx is the user id of the linuxuser
   10.10.x.x is the IP address of the ms windows computer with the name
   NETBIOSNAME   

   Putting 'username=winlogon%winpassword' on the command line exposes the
   password to every local user through the process list and leaves it in
   the shell history.  Prefer 'credentials=/path/to/file', a mode 0600 file
   owned by the mounting user that contains 'username=' and 'password='
   lines.

   To use smbmount as a user (not root) you need to suid it to root:

   chown root smbmnt; chmod u+s smbmnt

   A setuid-root mount helper is a privilege boundary: restrict it to the
   group that needs it (chgrp that group, chmod 4750) rather than leaving it
   world-executable, and keep it patched.

        --------------------------------------
       [[[[[ SHARE ACCESS & PERMISSIONS ]]]]]
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-> Directory and File Permissions
   how windows reacts to linux file permissions on a samba share

      :     :
   Files:...:.................................................................
      :     :  
      :     :     open/read?   rename/del?  save/write?
   0  :     :     no
   1  :   x :     no
   2  :  w  :     no
   3  :  wx :     no
  (4) : r   :     yes          yes          no
   5  : r x :     yes          yes          no
  (6) : rw  :     yes          yes          yes
   7  : rwx :     yes          yes          yes
      :     :
   Directories:..............................................................
      :     :
      :     :     open?   see?    read?   write?
   0  :     :     no      n/a     no      n/a
   1  :   x :     yes     no      no      no
   2  :  w  :     no      n/a     no      n/a
   3  :  wx :     no      n/a     no      n/a
   4  : r   :     yes     no      no      no
  (5) : r x :     yes     yes     yes     no
   6  : rw  :     yes     no      no      no
  (7) : rwx :     yes     yes     yes     yes
      :     :
      :     :  open? = can open folder?   read? = open file in folder
      :     :  see?  = can see contents?  write? = rename/write file/folder
      :     :  note: rename/del? on a file is decided by the w bit of the
      :     :  parent directory, not by the file's own bits; the file table
      :     :  assumes a directory the user may write to.
   ...:.....:.................................................................
      :     :

read only = yes -> the default: the share is read-only, so clients cannot
          create, modify or delete files or directories in it.

read only = no -> tells samba to allow writes, including the creation of
          directories (still subject to the Linux permissions, see below).

browseable = no -> home directory share browseable only by user. The share
          will be invisible in network neighborhood but can still be reached
          by its path.

browseable = yes -> directory visible in network neighborhood.

public = yes -> anyone can browse and access contents of a directory share
          without a password (they are mapped to the 'guest account').

write list = username1, username2 -> only these people can delete and add
          files while everyone else can only view and execute files.  This
          only holds together with read only = yes: write list adds writers
          and never takes write access away from anyone.

It is possible to use only Linux file permissions to manage Samba share
access.  Here is an example:

        create mask = 0674
        force create mode = 0664
        directory mask = 0775

The example above creates a share everyone can see, but only the owner and
members of the share directory's group (set with chgrp, or with force group
in the share definition) may delete/rename/write files and folders; all
others get read access only.

   recommendation:

   [homes]
        create mask = 0620
        directory mask = 0710

When using Linux file permissions to control Samba users note that Linux
picks exactly one set of bits: the owner bits if the user owns the file, the
group bits if the user is merely in the owning group, the 'other' bits
otherwise.  This is not a system of most permissive: an owner whose own bits
are empty is denied even when the group bits would allow.

These specific parameters control read and write access to files and
directories as an alternative to strictly using 'force mask' with Linux file
permissions only:
  
  available = YES default, if NO every attempt to connect to the share
            fails.  The samba doc says the share stays visible; in practice
            it did not even show up in the share list (no list seems to
            override this option, not even valid users or users).
  browsable = YES default, if NO share is invisible in network neighborhood
            but still accessible by entering the absolute network path.
            *useful*, but it is not access control: anyone who knows the
            name can still connect.
  inherit permissions = NO default, if YES new files and subdirectories get
            their permissions from the parent directory.  Overrides create
            mask, directory mask, force create mode, and force directory mode.
  invalid users = username1, username2  list of users denied access to share.
            Deny wins: a user listed here is refused even if also in valid
            users or write list.
  only user = NO default, if YES users of share must be in the list specified
            by the user option
  public = NO default, if YES no password needed to access share
  read list = username1, username2 list of users given read-only access to
            the share even if it is writable; a user in both read list and
            write list gets write access.
  read only = YES default, if NO the share is writable
  valid users = username1, username2 list of users allowed access to share;
            everybody else is refused.
  writable = NO default, the inverse of read only (writable = YES is the
            same as read only = NO).
  write list = username1, username2, list of users given write access to the
            share regardless of read only.
 
note:  Samba never sets the setuid bit when creating a file or directory.

samba parameters -vs- file permissions
--------------------------------------
*deny overrides allow in all cases 
*samba parameters are checked regardless of who owns the file: a Samba deny
 applies even to the Linux owner and group of the file
*all must agree to allow before access is allowed

so,
if the file permissions say deny and samba says allow = deny
if the file permissions say allow and samba says deny = deny
if the file permissions say allow and samba says allow = allow

example: lazygirl owns the linux folder 'share' and has rwx file permissions
in her username.  lazygirl is also in the @admin group which is the group
owner of the folder share.  However, under [share] is the parameter invalid
users = lazygirl along with write list = @admin ..... the result is that
lazygirl is still denied access.  Security first, deny overrides allow.
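To make the permission tables and the deny-overrides-allow rules above concrete, here is an added example (not code from the original notes or from the Samba project) that models both layers in Python. The accounts, group and share definitions in it are constructed for illustration; the order in which the share parameters are applied, and the rule that 'write list' overrides 'read only' while 'read list' forces read-only, follow the smb.conf documentation.

```python
"""Model of how a Samba share decision and the Linux mode bits combine.

Added example, not code from the original notes or from the Samba project.
The accounts and shares below are constructed for illustration (user
'lazygirl', group 'admin', share [share]), following the rules in the notes:
deny overrides allow, and the Linux permissions and the Samba parameters must
both agree before access is granted.
"""

R, W = "read", "write"


def unix_allows(mode, owner_uid, owner_gid, uid, gids, want):
    """POSIX rule: owner bits if you own the file, otherwise group bits if you
    are in the owning group, otherwise 'other' bits.  The classes are
    exclusive, so an owner with mode 0070 gets nothing even as a group member."""
    if uid == owner_uid:
        bits = (mode >> 6) & 7
    elif owner_gid in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bool(bits & (4 if want == R else 2))


def _in_list(entry, user, groups):
    """Samba list entries are user names or @group names."""
    return entry == user or (entry.startswith("@") and entry[1:] in groups)


def _any(share, key, user, groups):
    return any(_in_list(e, user, groups) for e in share.get(key, []))


def _share_writable(share):
    """'read only' (default yes) and its inverse synonyms."""
    for key in ("writable", "writeable", "write ok"):
        if key in share:
            return bool(share[key])
    return not share.get("read only", True)


def samba_allows(share, user, groups, want):
    """Share-parameter decision in the order that matters:
    invalid users -> valid users -> write list / read list / read only."""
    if _any(share, "invalid users", user, groups):
        return False                      # deny always wins
    if share.get("valid users") and not _any(share, "valid users", user, groups):
        return False                      # not on the allow list
    if want == R:
        return True
    if _any(share, "write list", user, groups):
        return True                       # write list overrides read only
    if _any(share, "read list", user, groups):
        return False                      # read list forces read-only
    return _share_writable(share)


def effective_access(share, path_mode, owner, user, want):
    """Both layers must agree: a Samba allow cannot override a Linux deny
    and a Linux allow cannot override a Samba deny."""
    unix_ok = unix_allows(path_mode, owner["uid"], owner["gid"],
                          user["uid"], user["gids"], want)
    smb_ok = samba_allows(share, user["name"], user["groups"], want)
    return unix_ok and smb_ok


# Constructed accounts: lazygirl (uid 1001) owns the share directory,
# whose group is 'admin' (gid 50); bob is another member of 'admin'.
LAZYGIRL = {"name": "lazygirl", "uid": 1001, "gids": {1001, 50}, "groups": {"admin"}}
BOB = {"name": "bob", "uid": 1002, "gids": {1002, 50}, "groups": {"admin"}}
OWNER = {"uid": 1001, "gid": 50}
SHARE_DIR_MODE = 0o770           # rwxrwx---

# [share] as in the worked example: the owner is explicitly an invalid user.
SHARE = {"invalid users": ["lazygirl"], "write list": ["@admin"]}

# A share where Samba allows writes but the directory mode does not.
READONLY_DIR = {"read only": False}


def demo():
    return {
        "lazygirl_share_read": effective_access(SHARE, SHARE_DIR_MODE, OWNER, LAZYGIRL, R),
        "bob_share_write": effective_access(SHARE, SHARE_DIR_MODE, OWNER, BOB, W),
        "bob_readonly_dir_write": effective_access(READONLY_DIR, 0o750, OWNER, BOB, W),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allow' if allowed else 'deny'}")
```

Running it prints deny for lazygirl (rwx on the directory and a member of @admin, but listed in invalid users), allow for bob, and deny for bob on the 0750 directory even though the share says read only = no: each layer can only take access away.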


-> use 'testparm' to check your smb.conf file before starting the samba
   server.

-> Upgraded from 2.x.x to 3.0.x and user access to home dir denied

   Replace the parameter "valid users" with "users" under [homes].  The
   valid users parameter caused

      tree connect failed: NT_STATUS_ACCESS_DENIED

   in versions 3.0.x and above on this setup.  (Samba's own smb.conf
   documentation uses 'valid users = %S' for [homes]; run testparm and check
   which form your version accepts before changing it.)

   one approach:
   Files created will be assigned the group of the creating user from
   /etc/passwd.  Always assign the most permissive group to the user in the
   passwd file.  Disadvantage is that files created in a public share by an
   administrative user will have the administrative user's group assigned,
   preventing full access from anyone else in the public share, which
   defeats the point of a public share.

   another approach:
   set rwx with file permissions and control user access through Samba with
   Samba parameters.  This works great until you give users shell access, at
   which point the wide-open Linux permissions are reachable without Samba.

   perhaps the best approach:
   set all users in passwd to the 'users' group so created files and
   directories are always 'users' group.  Use a combination of group Linux
   file permissions set appropriately with Samba read and write lists to lock
   down your file server security from both aspects.

   best: use a combination of Linux file permissions and Samba parameters.

        ----------------------------------
        [[[[[ SAMBA SHARE PARAMETERS ]]]]]
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

List of parameters used in share definitions [sharename] ... parameter1 ...
parameter2 ... parameter3 ...
..............................................................................
admin users            :
allow hosts            :
available              :
blocking locks         :  
browsable              :
browseable             : (same as browsable)
comment                : user comment
copy                   : 
create mask            : max allowable permissions for new file
create mode            : (same as create mask)
default case           : new filename case UPPER/LOWER
delete readonly        : 
delete share command   :
deny hosts             :
directory              :
directory mask         : max allowable permissions for new directory
directory mode         : (same as directory mask)
directory security mask:
dont descend           :
dos filemode           :
dos filetime resolution:
dos filetimes          :
exec                   :
fake directory create times: bug fix for users of Microsoft nmake 
follow symlinks        :
force create mode      : bits always set on new files (OR'd in after create mask)
force directory mode   : bits always set on new directories (OR'd in after
                         directory mask)
force directory security mode:  
force group            : user 'becomes' member of this group when in share 
force security mode    : 
force user             : user 'becomes' someone else when in share
group                  :
guest account          : default is 'nobody'
guest ok               : (same as public YES)
guest only             : 
hide dot files         : .files on linux appear +h to windows user
hide files             : list of files in share to appear to have +h set
hide unreadable        : 
hosts allow            : 
hosts deny             : 
include                :
inherit acls           :
inherit permissions    :
invalid users          :
level2 oplocks         :
locking                :
machine password timeout:
magic output           :
magic script           :
mangle case            : mangles a filename if of mixed case
mangled names          : abbrev to DOS 8.3 names that are too long/unsupported
mangling char          :
map archive            :
map hidden             :
map system             :
max connections        :
msdfs root             :
only guest             :
only user              : users must be in list, default NO 
path                   : 
pid directory          :
postexec               :
preexec                :
preload                :
preserve case          :
print ok               :
public                 : default NO, if YES no password need for share 
read list              : 
read only              : 
root postexec          :
root preexec           :
root preexec close     :
security mask          : requires nt acl support = YES
set directory          : 
share modes            : 
short preserve case    : 
strict allocate        :
strict locking         :
strict sync            :
sync always            :
use sendfile           :
user                   : (same as username)
users                  : username list or %s
username               : (same as users, for share-level security)
valid chars            :
valid users            :
volume                 : volume label reported to clients for the share
wide links             :
writable               : 
writeable              : (same as writable)
write ok               :
write cache size       :
write list             : users or groups with write permission for share
write raw              :
.......................:......................................................

Here is a complete list of all Samba parameters (we are aware of):

abort shutdown script, add printer command, add machine script, 
add share command, add user script, admin users, ads server, 
algorithmic rid base, allow hosts, allow trusted domains, announce as, 
announce version, auth methods, auto services, available, 
bind interfaces only, block size, blocking locks, browsable, 
browse list, browseable, case sensitive, casesignames, 
change notify timeout, change share command, character set, 
client code page, code page directory, coding system, comment, 
config file, copy, create mask, create mode, csc policy, deadtime, 
debug hires timestamp, debug pid, debug timestamp, debug uid, 
debuglevel, default, default case, default devmode, default service, 
delete printer command, delete readonly, delete share command, 
delete user script, delete veto files, deny hosts, dfree command, 
directory, directory mask, directory mode, directory security mask, 
disable spools, dns proxy, domain admin group, domain guest group, 
domain logons, domain master, dont descend, dos filemode, 
dos filetime resolution, dos filetimes, encrypt passwords, 
enhanced browsing, enumports command, exec, 
fake directory create times, fake oplocks, follow symlinks, 
force create mode, force directory mode, 
force directory security mode, force group, force security mode, 
force unknown acl user, force user, fstype, getwd cache, group, 
guest account, guest ok, guest only, hide dot files, hide files, 
hide local users, hide unreadable, homedir map, host msdfs, 
hosts allow, hosts deny, hosts equiv, include, inherit acls, 
inherit permissions, interfaces, invalid users, keepalive, 
kernel oplocks, lanman auth, large readwrite, ldap admin dn, 
ldap filter, ldap port, ldap server, ldap ssl, ldap suffix, 
level2 oplocks, lm announce, lm interval, load printers, local master, 
lock dir, lock directory, lock spin count, lock spin time, locking, 
log file, log level, logon drive, logon home, logon path, 
logon script, lppause command, lpq cache time, lpq command, 
lpresume command, lprm command, machine password timeout, 
magic output, magic script, mangle case, mangled map, mangled names, 
mangled stack, mangling char, mangling method, map archive, 
map hidden, map system, map to guest, max connections, max disk size, 
max log size, max mux, max open files, max print jobs, max protocol, 
max smbd processes, max ttl, max wins ttl, max xmit, message command, 
min passwd length, min password length, min print space, min protocol, 
min wins ttl, msdfs root, name resolve order, netbios aliases, 
netbios name, netbios scope, nis homedir, non unix account range, 
nt acl support, nt pipe support, nt smb support, nt status support, 
null passwords, obey pam restrictions, only guest, only user, 
oplock break wait time, oplock contention limit, oplocks, os level, 
os2 driver map, pam password change, panic action, passdb backend, 
passwd chat, passwd chat debug, passwd program, password level, 
password server, path, pid directory, posix locking, postexec, 
postscript, preexec, preexec close, preferred master, prefered master, 
preload, preserve case, printable, printcap name, print command, 
printer, printer admin, printer driver, printer driver file, 
printer driver location, printer name, printing, print ok, 
private directory, protocol, public, queuepause command, 
queueresume command, read bmpx, read list, read only, read raw, 
read size, realm, remote announce, remote browse sync, 
restrict anonymous, root, root dir, root directory, root postexec, 
root preexec, root preexec close, security, security mask, 
server string, set directory, share modes, short preserve case, 
show add printer wizard, shutdown script, smb passwd file, 
socket address, socket options, source environment, ssl, 
ssl CA certDir, ssl CA certFile, ssl ciphers, ssl client cert, 
ssl client key, ssl compatibility, ssl hosts, ssl hosts resign, 
ssl require clientcert, ssl require servercert, ssl server cert, 
ssl server key, ssl version, stat cache, stat cache size, status, 
strict allocate, strict locking, strict sync, strip dot, sync always, 
syslog, syslog only, template homedir, template shell, time offset, 
time server, timestamp logs, total print jobs, unix extensions, 
unix password sync, update encrypted, use client driver, use mmap, 
use rhosts, use sendfile, user, username, username level, 
username map, users, utmp, utmp directory, valid chars, valid users, 
veto files, veto oplock files, vfs object, vfs options, volume, 
wide links, winbind cache time, winbind enum users, 
winbind enum groups, winbind gid, winbind separator, winbind uid, 
wins hook, wins proxy, wins server, wins support, workgroup, writable, 
writeable, write cache size, write list, write ok, write raw 

        ---------------------------
        [[[[[ SMBCLIENT USAGE ]]]]]
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~

command: smbclient -L //servername -U username

   Produces a list of all server shares after prompting user for the password.

command: smbclient -L //servername -U username%password

   Produces a list of all server shares without password prompt.  The
   password is then visible in the process list and in the shell history;
   for scripts use 'smbclient -A authfile' with a mode 0600 file holding
   'username = ...' and 'password = ...' lines instead.

command: smbclient //servername/sharename -U username%password

   Opens a connection to the share on a server.  This is useful for testing 
   samba or accessing a windows share from a linux terminal.

   note:  for 'sharename' when accessing a samba server use the share's name
   defined in smb.conf such as [sharename] not the actual directory path on
   the server drive "ie: /home/net.sharename".

        ---------------------------
        [[[[[ SAMPLE SMB CONF ]]]]]
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~

Sample for version 3.x.x stand alone server (not PDC) workgroup server.
Small office network with 192.168.1.x /24 lan; Samba is the wins server.
Read it critically before reusing it: 'admin users = administrator' makes
that account root inside every share, [tmp] exports the host's /tmp to
guests with write access, and [share] combines 'read only = No' with
'guest ok = Yes', so the guest account can write there too ('write list =
@users' only adds writers; set 'read only = Yes' to limit writes to that
list).

[global]
        workgroup = WORKGROUPNAME
        server string = File Server
        interfaces = eth0
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
        unix password sync = Yes
        log file = /var/log/samba/%m.log
        max log size = 100
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        add user script = /usr/sbin/useradd -g 100 -d /dev/null -s /bin/false %u
        logon script = %U.bat
        logon path = \\%L\Profiles\%U
        os level = 64
        preferred master = Yes
        domain master = No
        dns proxy = No
        wins support = Yes
        admin users = administrator
        hosts allow = 192.168.1., 127.
        printing = cups

[homes]
        comment = Home Directories
        users = %S
        read only = No
        create mask = 0620
        directory mask = 0710
        browseable = No

[Profiles]
        path = /home/profiles
        read only = No
        browseable = No

[printers]
        comment = All Printers
        path = /home/smbprint
        guest ok = Yes
        printable = Yes
        browseable = No

[tmp]
        comment = Temporary file space
        path = /tmp
        read only = No
        guest ok = Yes
        create mask = 0664
        force create mode = 0664
        directory mask = 0774

[share]
        comment = Public Share
        path = /home/share
        read only = No
        guest ok = Yes
        write list = @users
        create mask = 0664
        force create mode = 0664
        directory mask = 0775

[secret]
        comment = Hidden Restricted
        path = /usr/local/share
        browsable = NO
        only user = YES
        public = NO
        read list = @secret
        write list = @secret
        users = @secret
        valid users = @secret
        force group = secret
        create mask = 0660
        force create mode = 0060
        directory mask = 0770
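As an added check (example code, not from the original notes or from the Samba project), the following Python parses a constructed smb.conf modelled on the sample above and flags the share-level patterns these notes warn about: guest-writable shares, root-equivalent 'admin users', a missing 'hosts allow', and exported system directories. The parameter synonyms and defaults it assumes ('read only' defaulting to yes; 'writable', 'writeable' and 'write ok' as its inverse; 'public' for 'guest ok') are those of the smb.conf manual. On the sample it reports [tmp] and [share] as guest-writable, which is exactly the 'write list only adds writers' point made above.

```python
"""Lint an smb.conf for the share-level mistakes discussed in these notes.

Added example: not code from the original notes or from the Samba project.
SAMPLE_CONF below is a constructed configuration modelled on the sample
above.  Synonym handling and defaults follow the smb.conf manual: 'read only'
defaults to yes, 'writable'/'writeable'/'write ok' are its inverse, and
'write list' adds writers without restricting anyone.
"""
import re

SYNONYMS = {
    "browsable": "browseable",
    "public": "guest ok",
    "create mode": "create mask",
    "directory mode": "directory mask",
    "allow hosts": "hosts allow",
    "deny hosts": "hosts deny",
}
WRITE_KEYS = {"writable", "writeable", "write ok"}
TRUE_WORDS = {"yes", "true", "1"}


def is_true(value):
    return value is True or (isinstance(value, str) and value.lower() in TRUE_WORDS)


def parse_smb_conf(text):
    """Return {section: {canonical key: value}}.  Write permission is folded
    into one boolean key 'writable' whatever spelling the file used."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank or comment line
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = sections.setdefault(m.group(1).strip().lower(), {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        key = key.lower()
        if key == "read only":
            current["writable"] = not is_true(value)
        elif key in WRITE_KEYS:
            current["writable"] = is_true(value)
        else:
            current[SYNONYMS.get(key, key)] = value
    return sections


def lint(sections):
    """Return (section, message) pairs for the risky patterns in the notes."""
    findings = []
    glob = sections.get("global", {})
    if "hosts allow" not in glob:
        findings.append(("global", "no 'hosts allow': any reachable host may try to connect"))
    if glob.get("admin users"):
        findings.append(("global", "admin users act as root in every share: " + glob["admin users"]))
    for name, share in sections.items():
        if name == "global":
            continue
        if share.get("admin users"):
            findings.append((name, "admin users act as root in this share: " + share["admin users"]))
        if is_true(share.get("guest ok")) and share.get("writable", False):
            findings.append((name, "guest-writable: 'guest ok' with 'read only = no'; "
                                   "'write list' only adds writers, set 'read only = yes' "
                                   "to confine writes to the list"))
        if share.get("path") in ("/", "/tmp", "/etc"):
            findings.append((name, "exports system directory " + share["path"]))
    return findings


# Constructed sample modelled on the smb.conf above (shortened).
SAMPLE_CONF = """
[global]
        workgroup = WORKGROUPNAME
        hosts allow = 192.168.1., 127.
        admin users = administrator
[homes]
        comment = Home Directories
        read only = No
        browseable = No
[tmp]
        path = /tmp
        read only = No
        guest ok = Yes
[share]
        path = /home/share
        read only = No
        guest ok = Yes
        write list = @users
[secret]
        path = /usr/local/share
        browsable = NO
        public = NO
        valid users = @secret
"""

if __name__ == "__main__":
    for section, msg in lint(parse_smb_conf(SAMPLE_CONF)):
        print(f"[{section}] {msg}")
```

To run it against a real file, replace SAMPLE_CONF with the output of 'testparm -s', which expands includes and normalises the file before the linter sees it.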



 

Carbonite Page: This page is an archived entry and should not be modified. Information on this page may be out of date, however, still useful. An example is data for legacy systems or outdated technologies that are still being used by some, such as Vacuum Tube bogey values, analog broadcast television frequencies or MS-DOS 6.22 commands. Although outdated, this information will not change or evolve any further. Certain archived pages on the D.U.C.K. Wiki have been imported from our older ANSI BBS system and other storage mediums previously used. These pages are kept unmodified for archival purposes.