Samba Notes
From Free Knowledge Base- The DUCK Project: information for everyone
The protocol Samba speaks has been called SMB and, later, CIFS. Linux CIFS Utils (the kernel cifs client and mount.cifs) and Samba are both used to reach the same shares; Samba also provides the server side and has broader compatibility with contemporary networks.
For current documentation see: Linux CIFS Utils and Samba
For legacy Samba (SMB) usage see the documentation below:
Samba Notes
by Derek Winterstien (r.o.a.c.h.@.r.o.b.o.t.z...c.o.m)

[[[[[ Samba Notes ]]]]]
~~~~~~~~~~~~~~~~~~~~~~~

-> How to add an NT machine (machine trust account) to the Linux Samba server that is the PDC (Primary Domain Controller) for the Microsoft network.

   syntax:
     adduser {computer name}$ -M -u {uid}
     smbpasswd -a -m {computer name}

   example:
     adduser garfield$ -M -u 501
     smbpasswd -a -m garfield

   * you must include the '$' character when adding the machine name to the passwd file.
   * do not include the '$' character when adding the machine name to the smbpasswd file; the -m switch appends it for you.
   * the -a switch tells smbpasswd to 'add' an entry, while the -m switch tells it you are adding a machine and not a human user.
   * a machine account is never used for an interactive login: create it with no home directory (-M) and give it a non-login shell (add -s /bin/false) so the '$' account cannot be used to reach the box over ssh or the console.

-> How to add a new domain user to the Linux Samba server so that he/she may be a member of the NT domain.

   syntax:
     adduser -u {uid} {username}
     passwd -u {username} -f
     passwd {username}
     smbpasswd -a {username}

   example:
     adduser -u 1001 britney
     passwd -u britney -f
     passwd britney
     smbpasswd -a britney

   * the second step (passwd -u -f) unlocks the freshly created, locked account. It may not be necessary, but it is recommended for some versions of samba as it prevents certain password related problems.
   * the username is added to the passwd file without the '$' character; that character is only used when adding machines to the NT domain.
   * the final step adds the new user to the smbpasswd file and prompts for the SMB password, which is stored separately from the Unix password.

-> Net logon script and how to automatically map clients to network drives

   In smb.conf there needs to be a section that looks something like this:

     [netlogon]
        comment = Network Logon Service
        path = /home/netlogon
        guest ok = yes
        write list = @adm

   The write list is only necessary to allow a group of users to modify policies and/or the netlogon batch file. Keep that list to administrators: whatever is in the logon script runs on every client at logon, so anyone who can write to [netlogon] can run commands on every machine in the domain. The file logon.bat is used as the logon script, which can automatically map network drives.
   In logon.bat (/home/netlogon/logon.bat) use the following example:

     net use h: /home
     net use i: \\myserver\public
     net use m: \\myserver\mail

   Where 'myserver' is the NetBIOS name of the workgroup or domain server. The [netlogon] share is readable by everyone (guest ok = yes) so that clients can fetch the script at logon. Save logon.bat with DOS (CR/LF) line endings; a script with Unix line endings may not run on the client.

-> Prevent Samba from changing filename case and case mangling

   Include the following in /etc/samba/smb.conf under the global parameters:

     preserve case = Yes
     short preserve case = Yes
     mangle case = No

--------------------------------------
[[[[[ MS WINDOWS SHARES & ACCESS ]]]]]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-> Mount a Windows share on a Linux workstation

     smbmount //NETBIOSNAME/sharename /home/linuxuser/mnt/NETBIOSNAME/sharename -o username=winlogon%winpassword,fmask=644,dmask=755,uid=xxxx,gid=x,ip=10.10.x.x,debug=0

   xxxx is the user id of the linuxuser
   10.10.x.x is the IP address of the MS Windows computer with the name NETBIOSNAME

   Passing username%password on the command line shows the password to every local user in 'ps' output and leaves it in the shell history. Prefer the credentials=/path/to/file option (a root-owned file, mode 0600, containing username= and password= lines) and leave the password out of the command.

   To use smbmount as a user (not root) you need to suid the helper to root:
     chown root smbmnt; chmod u+s smbmnt
   A setuid-root smbmnt lets any local user mount SMB filesystems, so only do this on a workstation where that is acceptable.

--------------------------------------
[[[[[ SHARE ACCESS & PERMISSIONS ]]]]]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-> Directory and File Permissions

   How Windows reacts to Linux file permissions on a Samba share:

   Files:
     mode  bits   open/read?  rename/del?  save/write?
     0     ---    no
     1     --x    no
     2     -w-    no
     3     -wx    no
     (4)   r--    yes         yes          no
     5     r-x    yes         yes          no
     (6)   rw-    yes         yes          yes
     7     rwx    yes         yes          yes

   Directories:
     mode  bits   open?  see?  read?  write?
     0     ---    no     n/a   no     n/a
     1     --x    yes    no    no     no
     2     -w-    no     n/a   no     n/a
     3     -wx    no     n/a   no     n/a
     4     r--    yes    no    no     no
     (5)   r-x    yes    yes   yes    no
     6     rw-    yes    no    no     no
     (7)   rwx    yes    yes   yes    yes

     open?  = can open the folder?      read?  = can open a file in the folder?
     see?   = can see the contents?     write? = can rename/write a file or folder?

   The mode column is a single octal digit: the bits of whichever permission class (owner, group or other) applies to the connecting user.

   read only = no   -> By default Samba makes every share read-only (read only = yes). Setting it to 'no' tells Samba to allow the creation of files and directories.
   browseable = no  -> home directory share browseable only by the user. The share will be invisible in Network Neighborhood.
   browseable = yes -> directory visible in Network Neighborhood.
   public = yes     -> Anyone can browse and access the contents of a directory share (synonym for guest ok = yes).
   write list = username1, username2 -> only these people can delete and add files while everyone else can only view and execute files (this applies when the share is read only = yes).

   It is possible to use only Linux file permissions to manage Samba share access. Here is an example:

     create mask = 0674
     force create mode = 0664
     directory mask = 0775

   The example above creates a share everyone can see, but only members of a special group (the group owning the directory) may delete/rename/write files and folders.

   recommendation:
     [homes]
        create mask = 0620
        directory mask = 0710

   When using Linux file permissions to control Samba users, note that the user (owner) permissions for a file override the group permissions: if the connecting user owns the file, only the owner bits are checked, even when the group bits are wider. This is not a system of "most permissive"; the owner class takes precedence over the group class.

   These share parameters control read and write access to files and directories as an alternative to relying strictly on create/directory masks and Linux file permissions:

   available = YES default; if NO the share is disabled. The Samba documentation describes it as visible but not accessible; in testing the share was not even visible when set to NO, and no user list (valid users, users) overrides it.
   browsable = YES default; if NO the share is invisible in Network Neighborhood but still accessible by entering the absolute network path. *useful*
   inherit permissions = NO default; if YES subdirectories and files are created with the same permissions as their parent directory. Overrides create mask, directory mask, force create mode, and force directory mode.
   invalid users = username1, username2   list of users denied access to the share.
   only user = NO default; if YES users of the share must be in the list specified by the 'users' option.
   public = NO default; if YES no password is needed to access the share (synonym for guest ok).
   read list = username1, username2   list of users given read-only access to the share.
   read only = YES default; if NO the share is writable by every connecting user.
   valid users = username1, username2   list of users allowed access to the share; anyone not listed is denied.
   writable = NO default (inverted synonym for read only); writable = YES is the same as read only = NO.
   write list = username1, username2   list of users given write access to the share even when read only = YES.

   note: Samba never sets the setuid bit when creating a file or directory.

   samba parameters -vs- file permissions
   --------------------------------------
   * deny overrides allow in all cases
   * samba parameters override user and group ownership
   * all must agree to allow before access is allowed

   so,
     if the file permissions say deny and samba says allow  = deny
     if the file permissions say allow and samba says deny  = deny
     if the file permissions say allow and samba says allow = allow

   example: lazygirl owns the Linux folder 'share' and has rwx permissions as its owner. lazygirl is also in the @admin group, which is the group owner of the folder. However, under [share] is the parameter invalid users = lazygirl along with write list = @admin ..... the result is that lazygirl is still denied access. Security first, deny overrides allow.

-> use 'testparm' to check your smb.conf file before starting the samba server.

-> Upgraded from 2.x.x to 3.0.x and user access to the home directory is denied
   Replace the parameter "valid users" with "users" under [homes]. On this server the valid users parameter caused
     tree connect failed: NT_STATUS_ACCESS_DENIED
   in versions 3.0.x and above.

   one approach: files created get the group of the creating user as listed in /etc/passwd. Always assign the most permissive group to the user in the passwd file.
   Disadvantage: files created in a public share by an administrative user will be assigned the administrative user's group, preventing full access by anyone else in the public share, which defeats the point of a public share.

   another approach: set rwx with file permissions and control user access through Samba with Samba parameters. This works great until you give users shell access, at which point the Samba parameters no longer stand between them and the files.

   perhaps the best approach: put all users in the 'users' group in passwd so created files and directories always belong to the 'users' group. Use a combination of group Linux file permissions set appropriately with Samba read and write lists to lock down your file server from both sides.

   best: use a combination of Linux file permissions and Samba parameters.

----------------------------------
[[[[[ SAMBA SHARE PARAMETERS ]]]]]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

List of parameters used in share definitions:

  [sharename]
     parameter1
     parameter2
     parameter3
  ..............................................................................
  admin users                   : users granted root privileges on the share; keep this list minimal
  allow hosts                   :
  available                     :
  blocking locks                :
  browsable                     :
  browseable                    : (same as browsable)
  comment                       : user comment
  copy                          :
  create mask                   : max allowable permissions for a new file
  create mode                   : (same as create mask)
  default case                  : new filename case UPPER/LOWER
  delete readonly               :
  delete share command          :
  deny hosts                    :
  directory                     :
  directory mask                : max allowable permissions for a new directory
  directory mode                : (same as directory mask)
  directory security mask       :
  dont descend                  :
  dos filemode                  :
  dos filetime resolution       :
  dos filetimes                 :
  exec                          :
  fake directory create times   : bug fix for users of Microsoft nmake
  follow symlinks               :
  force create mode             : mode bits always set on new files (applied after create mask)
  force directory mode          : mode bits always set on new directories (applied after directory mask)
  force directory security mode :
  force group                   : user 'becomes' a member of this group when in the share
  force security mode           :
  force user                    : user 'becomes' someone else when in the share (every connecting user then acts as that Unix account)
  group                         :
  guest account                 : default is 'nobody'
  guest ok                      : (same as public = YES)
  guest only                    :
  hide dot files                : .files on linux appear +h (hidden) to the windows user
  hide files                    : list of files in the share that appear to have +h set
  hide unreadable               :
  hosts allow                   :
  hosts deny                    :
  include                       :
  inherit acls                  :
  inherit permissions           :
  invalid users                 :
  level2 oplocks                :
  locking                       :
  machine password timeout      :
  magic output                  :
  magic script                  :
  mangle case                   : mangles a filename if it is of mixed case
  mangled names                 : abbreviate to DOS 8.3 names that are too long/unsupported
  mangling char                 :
  map archive                   :
  map hidden                    :
  map system                    :
  max connections               :
  msdfs root                    :
  only guest                    :
  only user                     : users must be in the 'users' list, default NO
  path                          :
  pid directory                 :
  postexec                      :
  preexec                       :
  preload                       :
  preserve case                 :
  print ok                      :
  public                        : default NO, if YES no password needed for the share
  read list                     :
  read only                     :
  root postexec                 :
  root preexec                  :
  root preexec close            :
  security mask                 : requires nt acl support = YES
  set directory                 :
  share modes                   :
  short preserve case           :
  strict allocate               :
  strict locking                :
  strict sync                   :
  sync always                   :
  use sendfile                  :
  user                          : (same as username)
  users                         : username list or %S
  username                      : (same as users, for share-level security)
  valid chars                   :
  valid users                   :
  volume                        : string
  wide links                    : whether symlinks pointing outside the share path are followed
  writable                      :
  writeable                     : (same as writable)
  write ok                      :
  write cache size              :
  write list                    : users or groups with write permission for the share
  write raw                     :
  ..............................................................................

Here is a complete list of all Samba parameters (we are aware of):

abort shutdown script, add printer command, add machine script, add share command, add user script, admin users, ads server, algorithmic rid base, allow hosts, allow trusted domains, announce as, announce version, auth methods, auto services, available, bind interfaces only, block size, blocking locks, browsable, browse list, browseable, case sensitive, casesignames, change notify timeout, change share command, character set, client code page, code page directory, coding system, comment, config file, copy, create mask, create mode, csc policy, deadtime, debug hires timestamp, debug pid, debug timestamp, debug uid, debuglevel, default, default case, default devmode, default service, delete printer command, delete readonly, delete share command, delete user script, delete veto files, deny hosts, dfree command, directory, directory mask, directory mode, directory security mask, disable spools, dns proxy, domain admin group, domain guest group, domain logons, domain master, dont descend, dos filemode, dos filetime resolution, dos filetimes, encrypt passwords, enhanced browsing, enumports command, exec, fake directory create times, fake oplocks, follow symlinks, force create mode, force directory mode, force directory security mode, force group, force security mode, force unknown acl user, force user, fstype, getwd cache, group, guest account, guest ok, guest only, hide dot files, hide files, hide local users, hide unreadable, homedir map, host msdfs, hosts allow, hosts deny, hosts equiv, include, inherit acls, inherit permissions, interfaces, invalid users, keepalive, kernel oplocks, lanman auth, large readwrite, ldap admin dn, ldap filter, ldap port, ldap server, ldap ssl, ldap suffix, level2 oplocks, lm announce, lm interval, load printers, local master, lock dir, lock directory, lock spin count, lock spin time, locking, log file, log level, logon drive, logon home, logon path, logon script, lppause command, lpq cache time, lpq command, lpresume command, lprm command, machine password timeout, magic output, magic script, mangle case, mangled map, mangled names, mangled stack, mangling char, mangling method, map archive, map hidden, map system, map to guest, max connections, max disk size, max log size, max mux, max open files, max print jobs, max protocol, max smbd processes, max ttl, max wins ttl, max xmit, message command, min passwd length, min password length, min print space, min protocol, min wins ttl, msdfs root, name resolve order, netbios aliases, netbios name, netbios scope, nis homedir, non unix account range, nt acl support, nt pipe support, nt smb support, nt status support, null passwords, obey pam restrictions, only guest, only user, oplock break wait time, oplock contention limit, oplocks, os level, os2 driver map, pam password change, panic action, passdb backend, passwd chat, passwd chat debug, passwd program, password level, password server, path, pid directory, posix locking, postexec, postscript, preexec, preexec close, preferred master, prefered master, preload, preserve case, printable, printcap name, print command, printer, printer admin, printer driver, printer driver file, printer driver location, printer name, printing, print ok, private directory, protocol, public, queuepause command, queueresume command, read bmpx, read list, read only, read raw, read size, realm, remote announce, remote browse sync, restrict anonymous, root, root dir, root directory, root postexec, root preexec, root preexec close, security, security mask, server string, set directory, share modes, short preserve case, show add printer wizard, shutdown script, smb passwd file, socket address, socket options, source environment, ssl, ssl CA certDir, ssl CA certFile, ssl ciphers, ssl client cert, ssl client key, ssl compatibility, ssl hosts, ssl hosts resign, ssl require clientcert, ssl require servercert, ssl server cert, ssl server key, ssl version, stat cache, stat cache size, status, strict allocate, strict locking, strict sync, strip dot, sync always, syslog, syslog only, template homedir, template shell, time offset, time server, timestamp logs, total print jobs, unix extensions, unix password sync, update encrypted, use client driver, use mmap, use rhosts, use sendfile, user, username, username level, username map, users, utmp, utmp directory, valid chars, valid users, veto files, veto oplock files, vfs object, vfs options, volume, wide links, winbind cache time, winbind enum users, winbind enum groups, winbind gid, winbind separator, winbind uid, wins hook, wins proxy, wins server, wins support, workgroup, writable, writeable, write cache size, write list, write ok, write raw

---------------------------
[[[[[ SMBCLIENT USAGE ]]]]]
~~~~~~~~~~~~~~~~~~~~~~~~~~~

command: smbclient -L //servername -U username
   Produces a list of all server shares after prompting the user for the password.

command: smbclient -L //servername -U username%password
   Produces a list of all server shares without a password prompt. The password is visible to other local users in the process list and ends up in the shell history, so use this form only for testing on a box you control.

command: smbclient //servername/sharename -U username%password
   Opens a connection to the share on a server. This is useful for testing samba or accessing a Windows share from a Linux terminal.

note: for 'sharename' when accessing a samba server use the share's name as defined in smb.conf, i.e. [sharename], not the actual directory path on the server drive (e.g. /home/net.sharename).

---------------------------
[[[[[ SAMPLE SMB CONF ]]]]]
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Sample for a version 3.x.x stand-alone (not PDC) workgroup server.
Small office network with a 192.168.1.x /24 LAN; Samba is the WINS server.

[global]
   workgroup = WORKGROUPNAME
   server string = File Server
   interfaces = eth0
   pam password change = Yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
   unix password sync = Yes
   log file = /var/log/samba/%m.log
   max log size = 100
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   add user script = /usr/sbin/useradd -g 100 -d /dev/null -s /bin/false %u
   logon script = %U.bat
   logon path = \\%L\Profiles\%U
   os level = 64
   preferred master = Yes
   domain master = No
   dns proxy = No
   wins support = Yes
   admin users = administrator
   hosts allow = 192.168.1., 127.
   printing = cups

[homes]
   comment = Home Directories
   users = %S
   read only = No
   create mask = 0620
   directory mask = 0710
   browseable = No

[Profiles]
   path = /home/profiles
   read only = No
   browseable = No

[printers]
   comment = All Printers
   path = /home/smbprint
   guest ok = Yes
   printable = Yes
   browseable = No

[tmp]
   comment = Temporary file space
   path = /tmp
   read only = No
   guest ok = Yes
   create mask = 0664
   force create mode = 0664
   directory mask = 0774

[share]
   comment = Public Share
   path = /home/share
   read only = No
   guest ok = Yes
   write list = @users
   create mask = 0664
   force create mode = 0664
   directory mask = 0775

[secret]
   comment = Hidden Restricted
   path = /usr/local/share
   browsable = NO
   only user = YES
   public = NO
   read list = @secret
   write list = @secret
   users = @secret
   valid users = @secret
   force group = secret
   create mask = 0660
   force create mode = 0060
   directory mask = 0770

Notes on this sample:
   * the add user script shell is /bin/false (lower case); /bin/False does not exist on a stock system, so the accounts it creates would get an invalid shell.
   * admin users = administrator gives that account root privileges on every share; keep the list to the one account that needs it and protect its password.
   * [tmp] and [share] combine guest ok = Yes with read only = No, so anonymous clients can write to both. In [share] the write list = @users line does not narrow this: write list only adds writers to a share that is read only = Yes. To let everyone read but only @users write, set read only = Yes and keep the write list.
   * logon script and logon path only take effect when the server does domain logons; on this stand-alone workgroup server they are ignored.
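The decision rules under "samba parameters -vs- file permissions" above, applied to share definitions like the ones in this sample, as an added example that is not part of the original notes or of Samba itself. It parses a constructed smb.conf fragment (the share names follow the sample, but the users, groups and mode bits are assumptions made for the example), folds the synonyms listed in the parameter section (public/guest ok, writable/writeable/write ok/read only, browsable/browseable, user/username/users) into one canonical name, works out what the Samba side grants (invalid users, valid users, read list, write list, read only) and what the Unix mode bits grant (owner class first, never widened by group bits), and returns the weaker of the two, since both must agree.

```python
"""Emulate the notes' access rules: deny overrides allow, Samba parameters
override ownership, and the Samba side and the Unix side must both agree.
Added example, not code from the original page or from Samba."""
import re
import stat

# Constructed smb.conf fragment (an assumption for this example).
SMB_CONF = """
[global]
   workgroup = WORKGROUPNAME

[share]
   comment = Public Share
   path = /home/share
   read only = No
   guest ok = Yes
   write list = @users

[secret]
   comment = Hidden Restricted
   path = /usr/local/share
   browsable = NO
   public = NO
   read list = @secret
   write list = @secret
   valid users = @secret
   invalid users = lazygirl
"""

# Synonyms from the parameter list on this page, mapped to one canonical name.
SYNONYMS = {
    "browsable": "browseable", "public": "guest ok", "only guest": "guest only",
    "user": "users", "username": "users",
    "writable": "writeable", "write ok": "writeable",
}


def is_yes(val):
    return val.strip().lower() in ("yes", "true", "1")


def parse_smb_conf(text):
    """Return {section: {param: value}}; keys are lower-cased and canonical.
    'writeable' is an inverted synonym, so it is stored as 'read only'."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).lower()
            conf[section] = {}
            continue
        key, _, val = line.partition("=")
        key = SYNONYMS.get(re.sub(r"\s+", " ", key.strip().lower()), key.strip().lower())
        val = val.strip()
        if key == "writeable":
            key, val = "read only", ("no" if is_yes(val) else "yes")
        conf[section][key] = val
    return conf


def in_list(user, groups, value):
    """Samba user-list match: '@grp', '+grp', '&grp' mean group membership."""
    for entry in re.split(r"[,\s]+", value.strip()):
        if entry and entry[0] in "@+&" and entry[1:] in groups:
            return True
        if entry == user:
            return True
    return False


def samba_access(conf, share, user, groups):
    """What the share parameters alone grant: None (denied), 'read' or 'write'."""
    s = conf[share]
    if "invalid users" in s and in_list(user, groups, s["invalid users"]):
        return None                         # deny overrides allow
    if "valid users" in s and not in_list(user, groups, s["valid users"]):
        return None
    in_write = "write list" in s and in_list(user, groups, s["write list"])
    if "read list" in s and in_list(user, groups, s["read list"]):
        return "write" if in_write else "read"   # write list wins over read list
    if in_write:
        return "write"
    return "read" if is_yes(s.get("read only", "yes")) else "write"


def unix_access(mode, owner, group, user, groups):
    """What the mode bits grant; the owner class is checked first and is not
    widened by group bits, as the notes point out."""
    if user == owner:
        r, w = mode & stat.S_IRUSR, mode & stat.S_IWUSR
    elif group in groups:
        r, w = mode & stat.S_IRGRP, mode & stat.S_IWGRP
    else:
        r, w = mode & stat.S_IROTH, mode & stat.S_IWOTH
    return "write" if (r and w) else ("read" if r else None)


def effective_access(conf, share, user, groups, mode, owner, group):
    """Both sides must agree, so the weaker answer is the effective one."""
    rank = {None: 0, "read": 1, "write": 2}
    return min(samba_access(conf, share, user, groups),
               unix_access(mode, owner, group, user, groups), key=rank.get)


if __name__ == "__main__":
    conf = parse_smb_conf(SMB_CONF)
    # lazygirl owns the directory but is in 'invalid users': denied.
    print(effective_access(conf, "secret", "lazygirl", {"secret"}, 0o770, "lazygirl", "secret"))
    # guest on [share]: Samba says write (read only = No), Unix 'other' bits say read.
    print(effective_access(conf, "share", "guest", set(), 0o775, "root", "users"))
```

Running it shows why the [share] definition above lets guests write as far as Samba is concerned: the only thing holding an anonymous client to read access is the 'other' bits on the directory, which is exactly the "both must agree" rule in action.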