SAMBA Documentation

Table of Contents

1. Introduction
1.1. Disclaimer
2. SAMBA Documentation
2.1. Current documentation
2.1.1. man pages
2.2. Other documentation
2.3. SAMBA Web site mirrors
2.4. Getting Help (Newsgroups)
2.5. Samba Levels
2.5.1. Installing a new level
3. Configuration Issues
3.1. SWAT - a configuration tool
3.2. Samba Settings
3.2.1. A Sample Config
3.2.2. Comments on Sample Config
3.2.3. Multiple Configurations
3.3. Client Settings
3.3.1. smbmount
3.3.1.1. smbmount 2.0.6 and above
3.3.1.2. Older versions
3.3.1.2.1. Linux 2.0 Kernels
3.3.1.2.2. Linux 2.2 Kernels
3.3.1.2.3. smbmount 2.0.5
3.3.1.3. Recompiling smbmount
3.3.2. smbsh
3.3.3. Win clients
3.3.3.1. Win2K, XP
3.3.3.2. Win NT
3.3.3.3. Win9x
3.3.3.4. Win 3.11
3.3.4. MSCLIENT - Smb client for DOS
3.3.5. Other Clients
4. Simple Solutions
4.1. Correct passwords being rejected
4.1.1. Username in error
4.1.2. Password in error
4.1.2.1. Password case-error
4.1.2.2. Encryption
4.1.2.2.1. Some background info
4.1.2.2.2. encrypt passwords = no
4.1.2.2.3. turn encryption on
4.1.3. IPC$
4.2. OPLOCKS
4.3. Samba is slow?
4.4. Time-outs, Network Busy
4.5. Browsing
4.5.1. Within a Subnet
4.5.2. Across Subnets
4.6. Printing
4.7. CR + LF
4.8. Filenames with International chars
4.9. Setting UNIX Permissions under Samba
4.9.1. Updating non-native-Linux partitions
4.10. GUEST Accounts
4.11. unfriendly server software
4.12. other problems
4.13. HELP - It still does not work
4.14. Samba and NT Domains
4.14.1. Samba as a Domain Member
4.14.2. Samba as Primary Domain Controller
5. Simple Scripts
5.1. Terminating and restarting Samba
5.2. Postinstall (man)
6. Security aspects


1. Introduction

This is a Samba web site.  It is not 'official' but contains pointers and answers to most of the problems I feel qualified to talk about. Although I hope that the answers I give are correct, there have been errors in the past. I can be reached under andrewDOTwilliamsATgmxDOTnet.  Whilst the beast is fairly up to date (May 2003 and version 2.2.8a), my current job means that I have neither the time nor the inclination to follow all new developments.  Most of the recent developments have been in supporting the NT/W2K/XP RPCs, and I have nothing to do with such an environment.
Minor editing in September 2007 to change obviously outdated stuff.

Ever since Samba 2.0.7, the O'Reilly book Using Samba has been distributed with the Samba sources and accessible via SWAT.  I will be referring to it a lot in this document. There are still references to levels older than 2.0.7 in this document, but they will be minimised if I ever find the time.

One thing you will not find here is an exact description of how Samba should be started after a boot. There are two different ways, via inetd/xinetd and as a daemon; both the document UNIX_INSTALL.txt and Section 2.5 of Using Samba describe them in some detail.  SuSE Linux starts it as daemons (the preferred method) via a script and I do not feel able to comment on problems you may have starting by hand on other systems.
Even so, my script shown below shows what must be done.  Depending on your configuration there may be more daemons than just nmbd and smbd.  The only one I know about is winbindd - password control for large installations.

1.1. Disclaimer

This document and all associated documents are provided on an 'as is' basis, the author assumes no liability for damage directly or indirectly caused by following this advice.
This warning is here as a precaution, I have no reason to believe that there is anything wrong with the advice here, but you never know . . .

2. SAMBA Documentation

Documentation comes with Samba, on the website (mirrors), in various books and in sites such as this.

2.1. Current documentation

The list of the Samba documentation files for the current level is now another document.

2.1.1. man pages

This list is for version 2.2.6; the ones in italics are new for 2.2.x levels.  The ones marked in bold are especially important (smb.conf is the Samba bible).

findsmb.1  make_smbcodepage.1  make_unicodemap.1  nmblookup.1  rpcclient.1  smbcacls.1  smbclient.1 smbcontrol.1  smbrun.1  smbsh.1  smbstatus.1  smbtar.1  testparm.1  testprns.1  wbinfo.1
lmhosts.5  smb.conf.5  smbpasswd.5
samba.7
nmbd.8  pdbedit.8  smbd.8  smbmnt.8  smbmount.8  smbpasswd.8  smbspool.8  smbumount.8  swat.8  winbindd.8.
Nowadays the man-pages are also released as html documents in samba/docs/html. RTFM, you have no excuse :-)

2.2. Other documentation

Books on Samba used to be rare, not any more - my local technical bookshop stocks about 10 different ones. Here are the ones that I have personal experience of. The normal documentation is (of course) in your Samba  $(BASEDIR)/docs  (/usr/local/samba/docs  in my case) or its subdirectories if you downloaded Samba, or in something like  /usr/doc/packages/Samba if you did not.

Websites you could look at are:

2.3. SAMBA Web site mirrors

This list was hijacked from the servers listed here in May 2002 and will be out of date (new mirrors are coming and going all the time):

Web Sites

Please choose your closest web mirror site:

Download sites

These contain the source and binary distributions but not the web pages.

Please refer to these mirroring instructions for information on mirroring the Samba web pages.

Non-English

Here you will find non-English starting points for Samba information.

Other sites in samba.org


You will find the following information there:

2.4. Getting Help (Newsgroups)

I have seen 2 newsgroups that concern themselves with Samba:
comp.protocols.smb - pretty dormant nowadays (2007).
linux.samba - hyperactive and frequented by the Samba developers (2007).
While I am not sure what the original reason for the existence of the second one was (other than the people who frequent it not knowing about the first one), it has also developed into a useful forum.  If you have problems with passwords being rejected or 'station not authorised', do not bother the groups anyway - look at the 'encryption' pages here.

2.5. Samba Levels

The document WHATSNEW.txt - which comes with the sources - lists all new features and fixed bugs for a new level.
If you are migrating from a pre-2.0.0 level, read the last part of the 2.0.x version of it before doing anything else.  The two main problems in migrating are that the default for 'security' changed from 'share' to 'user', and that the smbpasswd format changed - see below for more on this. Here is the WHATSNEW.txt for 1.9.18p10 - it lists the bugs and security holes that were fixed up to that level. I know of no reason why anyone would want to install or even know about the features of a version other than a current one, 2.0.10, or maybe 1.9.18p10. Levels older than 1.9.18 needed special libraries (libdes) to be compiled in to support encryption.

2.5.1. Installing a new level

This description is written for Linux and the Bash shell. There is a fundamental difference between normal 'installed' versions of Samba and those that are downloaded - the original ones are integrated into the standard files and downloaded ones have been prepared to land in the /usr/local/samba tree. Since the /usr tree should ideally be read-only, my options modify this behaviour.  This version is for Samba 2.x levels, the older version of this section is still available, you might want to look there if you are installing Samba 1.9.18.

Sections 2.2 and 2.3 of Using Samba cover this area in more detail.

Under SuSE for example, the version as originally installed has:

Since './configure' offers the ability to change most of these default placements, I now have a mini-script to carry this out. This version is for 2.2.x levels only, replace --exec-prefix=/usr with --bindir=/usr/bin for 2.0.x levels and then set up links between /usr/sbin and /usr/bin for the smbd, nmbd and swat executables.  (no idea if this still works with 3.0 levels!!)

#! /bin/sh
#
# Set my Samba default stuff
# --sbindir is necessary because ./configure has a bug
./configure --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --with-smbmount --with-privatedir=/etc/samba/private --libdir=/etc/samba --localstatedir=/var/log/samba --with-lockdir=/var/lock/samba

(Careful with line-wrap, that last line is very long). Going through these './configure' options:

The two issues that this does not resolve are that 'nmbd', 'smbd' and 'swat' go to the '--bindir' directory under some levels, and (SuSE only) the man-pages.

These are the './configure' options I use.  Try './configure --help | more' to see if any other options could apply to your system.  If you identify an option that looks good, check its usage in the generated 'Makefile'.

If you get 'fatal signal 11' under Linux, suspect the hardware and look here.

While I have scripts for some of this, they are pretty primitive and do not do all the work.
The 10 (or so) steps to heaven are:

Hopefully this will work for you. It has worked for me over several levels on several machines.

3. Configuration Issues

3.1. SWAT - a configuration tool

The 'man swat' documentation is a very good place to start, although I am paranoid enough to use TCP-Wrappers.  To use swat with TCP-Wrappers, in /etc/inetd.conf, take the line
swat stream tcp nowait.400 root /usr/sbin/swat swat
and change it to
swat stream tcp nowait.400 root /usr/sbin/tcpd /usr/sbin/swat

/etc/services needs a line
swat 901/tcp

hosts.deny needs the line
swat: ALL

In /etc/hosts.allow you need
swat: 127.0.0.1
and maybe a second IP address or range as well on that line if you are feeling adventurous.
Since version 2.0.7, Using Samba can also be accessed via SWAT.
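
The following check is an added example, not part of the original page: it reads copies of inetd.conf, hosts.allow and hosts.deny and reports where SWAT would be reachable without the TCP-Wrappers setup described above. The function names and the sample 192.168.1. range are made up for illustration, and the parser assumes single-line rules with IPv4 or hostname patterns.

```shell
#!/bin/sh
# Added example (not from the original page): lint the files that put SWAT
# behind TCP-Wrappers. Paths are arguments so it can run on copies.

# Print the client patterns that FILE ($1) lists for daemon swat (or ALL).
# Assumes single-line rules with IPv4/hostname patterns (no "[::1]" forms).
swat_clients() {
    awk -F: '
        /^[ \t]*#/ || NF < 2 { next }
        {
            d = " " $1 " "; gsub(/[,\t]/, " ", d)
            if (d !~ / (swat|ALL) /) next
            n = split($2, c, /[ ,\t]+/)
            for (i = 1; i <= n; i++) if (c[i] != "") print c[i]
        }' "$1"
}

# check_swat_wrappers INETD_CONF HOSTS_ALLOW HOSTS_DENY
# Prints one finding per line and returns 1, or prints "OK" and returns 0.
check_swat_wrappers() {
    findings=$(
        # inetd.conf fields: service socket proto wait user server args...
        server=$(awk '$1 == "swat" { print $6; exit }' "$1")
        case $server in
            "")     echo "inetd.conf: no active swat line" ;;
            */tcpd) ;;
            *)      echo "inetd.conf: swat is started as $server, not via tcpd" ;;
        esac

        # hosts.deny must refuse every client, otherwise unlisted hosts get in.
        swat_clients "$3" | grep -qx 'ALL' ||
            echo "hosts.deny: no 'swat: ALL' rule"

        # hosts.allow is consulted first, so every entry here is an opening.
        swat_clients "$2" | while read -r client; do
            case $client in
                127.*|localhost) ;;
                ALL) echo "hosts.allow: ALL cancels the deny rule" ;;
                *)   echo "hosts.allow: non-loopback client $client" ;;
            esac
        done
    )
    if [ -n "$findings" ]; then printf '%s\n' "$findings"; return 1; fi
    echo OK
}

# Constructed sample files: "good" mirrors the lines in the text, "bad" keeps
# the unwrapped inetd line and adds a made-up LAN range.
write_samples() {
    mkdir -p "$1/good" "$1/bad"
    echo 'swat stream tcp nowait.400 root /usr/sbin/tcpd /usr/sbin/swat' > "$1/good/inetd.conf"
    echo 'swat: ALL'       > "$1/good/hosts.deny"
    echo 'swat: 127.0.0.1' > "$1/good/hosts.allow"
    echo 'swat stream tcp nowait.400 root /usr/sbin/swat swat' > "$1/bad/inetd.conf"
    echo '# swat: ALL'     > "$1/bad/hosts.deny"
    echo 'swat: 127.0.0.1, 192.168.1.' > "$1/bad/hosts.allow"
}

tmp=$(mktemp -d)
write_samples "$tmp"
for s in good bad; do
    echo "== $s"
    check_swat_wrappers "$tmp/$s/inetd.conf" "$tmp/$s/hosts.allow" "$tmp/$s/hosts.deny" || true
done
rm -rf "$tmp"
```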

3.2. Samba Settings

3.2.1. A Sample Config

There are also a number of examples in the Samba documentation, look for a subdirectory called 'examples'.  Another possibility is the use of 'swat';  I followed the 'man swat' documentation, went into 'localhost' as root and all was fine.  Swat cannot handle 'include' or 'copy' statements.
; Configuration file for smbd.

; For the format of this file and comprehensive descriptions of all the
; configuration option, please refer to the man page for smb.conf(5).
;

[global]
; workgroup = WORKGROUP
null passwords = yes
guest account = ftp
netbios name = mightyserv
; netbios aliases = redeyes
lock directory = /var/lock/samba
security = user
debug level = 2
log file = /var/log/samba/log.%m
max log size = 50
; I want to lose elections, the next 4 lines ensure that I do
local master = no
; domain master = no
; preferred master = no
; os level = 0
wins server = 194.10.20.55
; interfaces = 10.20.30.40/24 194.10.20.30/24 127.0.0.1/8
; name resolve order = lmhosts host wins bcast
; time server = yes
load printers = yes
; client code page = 850
character set = ISO8859-1
server string = host %h Version %v for %I
; update encrypted = yes
encrypt passwords = yes
smb passwd file = /etc/private/smbpasswd
username map = /etc/samba/username.map
veto files = /*.eml/*.nws/riched20.dll/
; socket options = TCP_NODELAY  IPTOS_THROUGHPUT  SO_RCVBUF=4096  SO_SNDBUF=4096

[tmp]
comment = Temporary file space
path = /tmp
writeable = yes
public = yes
create mask = 0777
dos filetimes = true

[homes]
comment = Home Directories
writeable = yes
browseable = no
dos filetimes = true
; veto files = /.*/
valid users = %S

[printers]
comment = All Printers
printable = yes
browseable = no
path = /var/spool/lpd
writeable = no
guest ok = yes
print command = /usr/bin/lpr -r -P%p %s
; print command = cp %s /var/spool/lpd/print_%p
; printing = bsd

[redcd]
comment = %h CD-Rom
path = /cdrom
preexec = /bin/mount /media/cdrom
postexec = /bin/umount /media/cdrom
writeable = no

3.2.2. Comments on Sample Config

Look at the 'man' pages for 'smb.conf' for better explanations - this document is kept current and is the reference document for config issues.

3.2.3. Multiple Configurations

There are sometimes cases where you will wish to have multiple configurations, these fall broadly into two categories:

John Blair's Samba book has an elegant solution in Chapter 10 (Other Tricks and Techniques) under 'Using Share Level and User Level Security at the Same Time' - Page 257 in my (first) edition, sections 4.3 and 4.7 of Using Samba cover the same ground.

/path/smb.conf contains the header [global] and the statements in this section common to both (all) configurations, and then:

/path/smb.conf.sambadirs  contains 'security = user' (no [global] section header) and all of the services that want 'user' security

/path/smb.conf.sambaprs contains 'security = share', 'load printers = yes', the guest stuff and the services that want 'share' security.

Clients latch on to either 'sambadirs' or 'sambaprs' (or both) in their 'Network Neighbourhood'.
Be warned that %L is case-sensitive.

The only problems I have encountered with this technique are that 'testparm' no longer works and swat cannot be used.

There is an example of this in subdirectory examples/tridge.  I find it rather messy but it demonstrates a lot of principles ;-)

3.3. Client Settings

3.3.1. smbmount

The smbmount and smbumount programs were originally not part of the Samba suite (and were not maintained by the Samba team) although they were distributed with it.  Starting with Samba 2.0.5, they are.  Smbmount was rewritten for Samba 2.0.5 and again for 2.0.6.  The syntax changed (again) each time.  With 2.0.7, a document called smbmount.txt was added to the Samba Docs, it is identical to the man-page since level 2.2.0.
Urban Widmark is now the maintainer for smbmount/smbfs.  (smbmount is outdated, try man mount.cifs which is fairly similar)

A tool called smbsh has been introduced in Samba 2.0.x. It is part of the Samba-suite and runs on most Unixes, but not Linux.
The package RUMBA is the other equivalent of SMBFS for non-Linux systems.

Smbmount/smbumount are not normally compiled by default when you load a new level, even under Linux. Look at the relevant subsection for more on this. The commands in this section have been tested under all recent SuSE Linux levels and other Linux distributions will work the same way.

Be warned that smbmount for a Linux 2.0 kernel would not work under a 2.2 kernel, even the syntax was totally different.

So, to summarise the version information:

  1. if your kernel level is 2.0.xx look here.
  2. For 2.2.xx kernels (and above), your Samba level becomes important
    1. for Samba 2.0.6 and above look here
    2. for 2.0.5a here
    3. for lower levels here.
The Kernel needs the 'SMB Filesystems' option set - something that is not otherwise necessary for Samba.

smbmount (all levels, as far as I know) has one significant problem - directory entries are not automatically refreshed.
To illustrate this, Machine A is running some version of Windoze.  Directory temp is exported (update access).  Someone working on machine A creates and deletes subdirectories and files.

Machine B is accessing A's exported temp.

3.3.1.1. Smbmount 2.0.6 and above

This version completes the Samba 2.0.5a rewrite. The man smbmount documentation is now current again. This time, the syntax is that of the 'mount' syntax - an indication that it will not change again. smbmount -h also tells you how to use it.
Imho, some of the previous versions of smbmount were a mess.  This version is excellent and should be around for a long time. It now has been! :-)

The actual command is:

smbmount //machine/service  /MountPoint -o option,option
or
mount -t smbfs //machine/service  /MountPoint -o option,option

The options that I consider most useful are:

The other options are: netbiosname, port, debug, workgroup, sockopt and scope (of NetBIOS). Just look at the very concise man-page.  To quote the man page: 'smbmount calls smbmnt to do the actual mount, You must make sure that smbmnt is in the path so that it can be found'.

You want an example?

smbmount //machine/service /mountpoint -o username=user%pass,uid=dustpuppy

or
mount -t smbfs //machine/service /mountpoint -o username=user%pass,uid=dustpuppy

The two commands are functionally identical.  When I tried adding the second version to /etc/fstab, it failed because the mount was attempted before networking had started. At least 'mount -a' then works.
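
/etc/fstab is normally world-readable, so a username=user%pass option stored there hands the password to every local user. The following check is an added example, not part of the original page: it lists smbfs/cifs entries that carry the password inline and checks the permissions of any file named by credentials=, an option of smbmount in Samba 2.2.x and of mount.cifs that the page itself does not cover. The function names and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit smbfs/cifs lines of an
# fstab-style file for passwords that any local user could read.

# audit_smb_fstab FSTAB -> one finding per line; the password is never printed
audit_smb_fstab() {
    # fstab fields: device mountpoint fstype options dump pass
    awk '!/^[ \t]*#/ && NF >= 4 && ($3 == "smbfs" || $3 == "cifs") { print $2, $4 }' "$1" |
    while read -r mnt opts; do
        # One option per line, so option values are never word-split or globbed.
        printf '%s\n' "$opts" | tr ',' '\n' | while IFS= read -r o; do
            case $o in
                username=*%*|user=*%*|password=*|pass=*)
                    echo "$mnt: password inline in ${o%%=*}=" ;;
                credentials=*)
                    f=${o#*=}
                    if [ ! -e "$f" ]; then
                        echo "$mnt: credentials file $f missing"
                    else
                        # characters 5-10 of the mode string are group and other
                        case $(ls -ld "$f" | cut -c5-10) in
                            ------) ;;
                            *) echo "$mnt: $f accessible beyond its owner" ;;
                        esac
                    fi ;;
            esac
        done
    done
}

# Constructed sample: writes DIR/fstab and DIR/cred (deliberately mode 644).
write_sample_fstab() {
    printf 'username = user\npassword = pass\n' > "$1/cred"
    chmod 644 "$1/cred"
    cat > "$1/fstab" <<EOF
# constructed entries reusing the names from the text above
/dev/hda1          /       ext2   defaults                                  1 1
//machine/service  /mnt/a  smbfs  username=user%pass,uid=dustpuppy          0 0
//machine/service  /mnt/b  smbfs  credentials=$1/cred,uid=dustpuppy,noauto  0 0
//machine/service  /mnt/c  cifs   user=dustpuppy,password=pass              0 0
EOF
}

tmp=$(mktemp -d)
write_sample_fstab "$tmp"
audit_smb_fstab "$tmp/fstab"
rm -rf "$tmp"
```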

For some arcane reason, SuSE 6.4 claimed that only the second version of the syntax above works. This is simply wrong.

First tests of the 2.0.7 version seemed to indicate that Linux hung on a reboot if any smb-mounted drives have not been previously unmounted.  This bug was also present in the 2.0.5 version, but not 2.0.6.  I think this is fine nowadays (2.2.x).

3.3.1.2. Older versions

The only reason I can think of for using an older version of smbmount would be a 2.0 Kernel. Here is how to use older versions, together with which documentation can be trusted (often only smbmount -h).

3.3.1.2.1. Linux 2.0 Kernels

Be prepared to ignore the 'man smbmount' documentation, it may well be for Linux 2.2 and inappropriate;  smbmount -h tells you what you need to know.

The actual command is:

smbmount //machine/service /MountPoint -U userid -P password
If you leave the '-P password' and '-n' out, you will be queried for a password.

Other useful options in my version are:

Once you have finished, there is also the
smbumount  /MountPoint
command.

3.3.1.2.2. Linux 2.x Kernels

This does not apply to the smbmount versions released with Samba 2.0.5 and above.

The man smbmount documentation is more helpful here, but still partially incorrect;  man smbmnt gives more clues and smbmount -h will tell you some of the rest.  Experiment!

The actual command is:

smbmount "//machine/service" password -c  "mount /MountPoint" -U userid
The -N option (no password) can be used instead of a password, the password can also be supplied as -U userid%password

Other useful options that can be passed with the "mount" command are:

And the '-d debuglevel' option (outside the mount sub-command) to turn debugging on.  This is overridden by the smb.conf setting anyway.

Once you have finished, there is also the

smbumount  /MountPoint
command.  Having said this, if you (as I did once) have SuSE Linux 6.1, you have a problem.  Either download their kernel-module fix from their web-site to fix it, or upgrade your kernel.

If you get 'too many files open in system' and have the 2.2.9 kernel, upgrade to another level.

3.3.1.2.3. Smbmount 2.0.5

In this version, the man smbmount documentation is simply wrong.  The previous version of smbmount was a 'hacked up version of the old smbclient code' and contained a major and critical security hole.  The version here was cleaner, was rushed out, was missing some functions and was ahead of the documentation.  This changed with 2.0.6 but that is another section. smbmount -h tells you how to use this version.

The actual command is:

smbmount //machine/service  /MountPoint -U userid
Which is a lot like the original smbmount documented above.  The -N option (no password) can be used instead of a password, the password can also be supplied as -U userid%password
I am told that the -W (workgroup) option actually passes the domain.  This version really was a 'rush job'.

Once you have finished, there is also the

smbumount  /MountPoint
command.  I strongly recommend this because if I forget this step, my Linux hangs up while unmounting filesystems when I next try and boot. Your mileage may vary on this point, some versions hang and some work.

3.3.1.3. Recompiling smbmount

The version of smbmount released with Linux 2.0 distributions was only suitable for Linux 2.0 kernels. The recent downloaded Samba sources supply a newer version which will work under levels > 2.1.70, 2.2.anything or 2.4.anything but not under older levels such as 2.0.anything.  If you have a newer version of Linux, then issue the './configure --with-smbmount' at the appropriate time.
When you re-compile Samba, the default directory for smb.conf is /usr/local/samba/lib.  Since I keep my config in /etc/samba, this necessitates a symbolic link between the two.

3.3.2. smbsh

All I know about smbsh is that it allows access to NT filesystems using Unix commands.  The commands have to be dynamically linked for it to work properly.  smbspool (look at the man-page, newer levels only) is the equivalent if you want to access a SMB printer.
The 'smbsh' man-page (2.0.3 and above) and file README in samba/source/smbwrapper give some clues as to what smbsh should do.

You can compile it on supported systems (see that README file) with 'make smbwrapper' or by adding the '--with-smbwrapper' option to the ./configure.

Linux systems with glibc-2.1 and above (and guess what I have . . .) are not supported - the glibc maintainers deliberately removed the necessary hooks; apparently they do not like user-space filesystems.

3.3.3. Win Clients

This part is very general, look immediately below for settings specific to certain platforms. Those are the minimum requirements.  If you are capable of setting up TCP/IP Networking under Linux, I assume you can do the same under various flavours of Windoze.  WINS support is discussed in the section dealing with Browsing.

NT Versions starting with NT4 SP3, Win95B and above, all Win98/ME, Win2K and XP versions need encryption turned on under Samba, or the appropriate registry hack to be applied. My personal preference is for the first option - it makes things easier in the long run.

3.3.3.1. Win2K, XP

Samba can act as a Domain Controller.  This functionality is improving all the time.

You may have read that Win2K / XP no longer support WINS.  This is apparently an option that can be set in networks where only Win2K / XP is running.  Apart from this, I believe these levels can be treated substantially as NT4.

Win2K ACL support has been turned on since around 2.2.2.

3.3.3.2. NT Considerations

Section 3.2 of Using Samba covers Win NT clients.

Warning: The rest of this section comes from various pieces of documentation.  I have included it here because the questions are asked so frequently, not because I have experience in this area.
Apart from the WinNT.txt and DOMAIN_CONTROL.txt docs mentioned above, there is a 'FAQ for Samba NTDOM PDC support' on the Samba Sites.

If NT is used for user-validation, Samba always tries to logon twice - the first time with an invalid password (1F1F1F . . ).  If this first attempt succeeds, Samba treats the NT machine as a security risk and refuses to use it.
This is necessary because Samba does not know if the first attempt succeeded because the user/passwd were correct or because guest-access was configured on the NT machine. Since the user may have been 'root', this difference is important.  As of level 2.0.4, this behaviour is documented.

NT ACL support was activated with Samba 2.0.4.

3.3.3.3. Win9x

Section 3.1 of Using Samba covers Win9x clients, it comes with lots of pretty pictures. :-)

3.3.3.4. WfWg 3.11

Level 1.9.18p10 had problems with this client, you will also run into problems with all levels if directory / filenames / share-names (printers!) do not comply with the 8.3 naming restrictions.

3.3.4. MSCLIENT - Smb client for DOS

Much to my surprise, I once needed to hook a DOS 6.2 client up to a network. MS offer a client which can be downloaded and installed under DOS. It helps if the network-card you use is of an older type.
The software can be downloaded from Microsoft ® and consists of two self-extracting .EXE files which fit onto one floppy.

Follow the usual procedures with such files. When you get to the proper setup-screen, you will see that this client expects a network with ipx/spx networking, and DHCP. You will need to add (and configure) TCP/IP, remove ipx/spx and (presumably) give yourself a static IP-Address by turning auto-configuration off.
To remove ipx/spx, move the cursor to it, tab to the other box and go to 'remove'.
To configure TCP/IP, follow the same procedure - position the cursor over it (upper box) and then tab to the lower box and the 'Change Settings' line. The rest seemed pretty obvious.
Once it has been installed, the NET USE X: \\server\share command gives you access to the outside world. I did not see any evidence that shares could be exported from DOS, but apparently this is also possible with extra software.
There seems to be no way of accessing DNS or WINS services from this client; it is back to good old \net\hosts.

3.3.5. Other clients

There is a client for the Mac which is called DAVE. That is all I know about it.  Look at Macintosh_Clients.txt for more.

OS/2 apparently can also act as a client or server for SMB services.  The 'lm announce' and 'lm interval' parameters are set up for this OS.  Again, look at OS2-Client-HOWTO.txt for more.

4. Simple Solutions

4.1. Correct passwords being rejected.

There are several different possibilities here. If it is not already obvious which one applies to you, set 'debug level = 3' and look at your logfiles. Remember to set it back down again afterwards.

4.1.1. Username in error

Samba's default behaviour is to try converting the incoming Username to lowercase. If that works then fine, otherwise the first char is converted to Uppercase and it tries again.
If this is not enough for you, there are 3 ways of handling this problem. I have seen it claimed that Samba 2.0.0 truncated names on 7 characters - a bug.

4.1.2. Password in error

Assuming you have not got a real password-error, or that you have accidentally come in as your 'guest account', the problem is almost certainly encryption.

4.1.2.1. Password case-error

WfWG 3.11 also converts passwords to uppercase under certain circumstances. The 'password level' parameter exists to force varying combinations of upper and lower case.

4.1.2.2. Encryption

Newer versions of WinNT (with SP3) and Win95 (Win95b and Win95c), along with all versions of Win98, WinME, Win2k and XP only send encrypted passwords down the line. This is a security feature and one that makes sense. There are two ways to go about accommodating such clients - one is to turn encryption off for them, the other one is to turn it on on the Samba server.
I personally consider encryption to be a 'good thing' (the alternative being to 'hack' all new clients) and recommend introducing it before you actually need it.

Encryption is compulsory if 'security = server', it is permitted for 'security = share/user' and rather irrelevant for 'security = domain'.

If you migrate from a 1.9.xxPyy level to a 2.0.x level, you will run into the problem that the smbpasswd file format changed.  The symptoms are that the entries pick up a large unfriendly D (for Disabled) at the end of each line.  Run convert_smbpasswd to fix it.  The smbpasswd processor also has an option to enable disabled passwords, 'man smbpasswd'.

The whole smbpasswd discussion in the remainder of this section appears to be unnecessary for 'security = server' and 'security = domain' because authentication is handled on another machine - only the userids are used.

4.1.2.2.1. Some background info

A Samba Server with encryption turned on can also handle unencrypted clients (although they have to be in 'smbpasswd') at least for 1.9.18 and 2.0 levels.  Although some people have reported problems here, they turned out to be configuration errors.

If you have an older level (below 1.9.18p1) then consider upgrading if you need encryption.  It is still possible with some of these levels but it needs the DES libraries and they were sometimes difficult to obtain (US export restrictions).

There are two different encryption schemes - 'LanManager' (win9x / winME) and WinNT / W2000 / XP.  Samba can handle both and stores both in 'smbpasswd', this is the reason for the curious structure of the smbpasswd file.  The LanManager scheme is also relatively weak and it is quite easy to reconstruct a password from its encrypted value, this is the reason why the 'smbpasswd' file has to be kept very secure.
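
The following audit is an added example, not from the original page or the Samba sources: it reads a 2.x-format smbpasswd file and lists the entries this section is concerned with, namely stored LanManager hashes, accounts without a password, disabled entries, old-format lines, and a file that anyone but its owner can read. The field layout name:uid:LANMAN:NT:[flags]:LCT-...: is assumed, and the sample entries and their hex strings are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): audit a 2.x-format smbpasswd file.
# Assumed layout: name:uid:LANMAN-hash:NT-hash:[flags]:LCT-xxxxxxxx:

# audit_smbpasswd FILE -> one finding per line ("KIND name")
audit_smbpasswd() {
    f=$1
    # Whoever can read the hashes can work on them offline, so only the
    # owner may have access (characters 5-10 of the mode are group/other).
    case $(ls -ld "$f" | cut -c5-10) in
        ------) ;;
        *) echo "FILE mode $(ls -ld "$f" | cut -c1-10) allows group/other access" ;;
    esac
    awk -F: '
        /^[ \t]*#/ || NF < 5 { next }
        {
            lm = toupper($3); flags = $5
            # No [flags] field: pre-2.0 layout, shows up as disabled after migration
            if (flags !~ /^\[.*\]$/) { print "OLDFMT " $1; next }
            if (flags ~ /D/) print "DISABLED " $1
            if (flags ~ /N/ || lm ~ /^NO PASSWORD/) print "NOPASS " $1
            if (lm ~ /^[0-9A-F]+$/ && length(lm) == 32) {
                print "LMHASH " $1
                # LanManager hashes two 7-character halves separately; this
                # constant is the hash of an empty second half.
                if (substr(lm, 17) == "AAD3B435B51404EE") print "SHORTPW " $1
            }
        }' "$f"
}

# Constructed sample file; the hex strings are placeholders, not real hashes.
write_sample_smbpasswd() {
    cat > "$1" <<'EOF'
# constructed entries for the audit example
alice:1001:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-3EC0FFEE:
bob:1002:0123456789ABCDEFAAD3B435B51404EE:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-3EC0FFEE:
carol:1003:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:FEDCBA9876543210FEDCBA9876543210:[DU         ]:LCT-3EC0FFEE:
ftp:1004:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NU         ]:LCT-00000000:
dave:1005:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:Dave:/home/dave:/bin/sh
EOF
}

tmp=$(mktemp -d)
write_sample_smbpasswd "$tmp/smbpasswd"
chmod 644 "$tmp/smbpasswd"      # deliberately too open for the demonstration
audit_smbpasswd "$tmp/smbpasswd"
rm -rf "$tmp"
```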

The smbpasswd command (man smbpasswd) is used to maintain the file once it has been created.  Root can use it on all userids, other users on themselves.

If you want to change a password from a Win client, you can change either the /etc/passwd or /etc/shadow password (plaintext passwords only) or the smbpasswd password (encrypted passwords only).  Not both, unless you count the 'update encrypted = yes' option which is used to populate the smbpasswd file before encryption is turned on.
Here are some Password-Sync lines contributed by Benoit Gerrienne in Belgium - he tested them with Samba 2.0 under RedHat 5.1, presumably with plaintext passwords:

unix passwd program = /usr/bin/passwd %u
passwd chat = *new*password* %n\n *new*password* %n\n *successfully*
password sync = yes
He also says that 'debug level' should be at least 100 to get the debug of the password chat, and that %u means %u and not %U.

To change an encrypted password, use Neil Hoggarth's suggestion as a starting point:
(echo "oldpasswd"; echo "newpasswd"; echo "newpasswd") | smbpasswd -s

4.1.2.2.2. encrypt passwords = no

This can be a temporary measure (see 'migration path') or a permanent one. See the 'Win95', 'WinNT' and (for a general discussion) the 'ENCRYPTION' docs.

4.1.2.2.3. turn encryption on

These instructions have their own web-page.

4.1.3. IPC$

The share IPC$ is implicitly defined under the SMB protocol - it contains the names and descriptions of all exported Directories and Printers on a server. This share obeys the standard rules imposed by the 'security = ' line in [global], using the user-account needed by the other shares. This is necessary because IPC$ has to come up with (for example) the correct [home] directory for someone who says 'valid users = %S'.
I once tried defining [IPC$] explicitly in order to make it more 'guest friendly'. This was not a success - nothing worked.
If your IPC$ passwords are being rejected by the client, even though they are nominally correct, take a look at my Encryption stuff.

4.2. OPLOCKS

Samba 2.0.x levels starting 2.0.4 had a document saying the same as this section; File-Cacheing.txt. 2.2.x levels dropped it again. Maybe this is partially outdated :-)

OPLOCKS are Opportunistic Locks and are turned on by default in levels 1.9.18 and above.  They allow clients to obtain exclusive use of a file and cache any changes made locally.  This is a speed feature that NT implements and is the main reason why NT had outperformed Samba under previous levels.

They can be turned on or off (or even faked - I used this feature for read-only shares under 1.9.18) at the share level.  Samba 2.0.5 introduced 'level2 oplocks' which can be set for shares that are normally read-only and speed things up a lot.

Oplocks do have two drawbacks - One is that the 'client caching' only applies within Samba, if you need to access files concurrently via Samba and any other mechanism, turn them off for this share unless kernel oplocks are available.
'Any other mechanism' means any non-Samba access at all on the Samba server, directly or via NFS.
In practice, if you save a file on a Samba server and then pick it up directly, it will probably work.  At the worst, you will see the previous version.

Databases are a lot less fun and are the second drawback - client-side caching is something-you-do-not-want? on a multi-user database or any other file with a number of concurrent users.  You could also try 'veto oplock files = /*.xxx/*.yyy/' to prevent oplocks for certain extensions on a share.

The oplock coding was rewritten for Samba 2.0.0 - the new kernel oplock interface implementation is now compatible with other processes, as long as these are supported by the operating system.
Operating systems that currently support the new implementation are:

End of list.
FreeBSD will incorporate such coding once it has been written, other platforms may need a bit more prodding from their user base before going the same way.  Jeremy Allison worked for SGI then, which is one reason why their IRIX is so Samba-friendly.  Apparently it took a kernel engineer there around two weeks to implement this support in IRIX.  Do not bother disabling Kernel Oplocks in your config - if they do not work on your platform then './configure' will turn them off at compile time.

The message 'oplock_break: no break received from client within 30 seconds.' can apparently have two possible causes:

Using Samba, section 5.5 covers this whole area in more detail.
This area of Samba (oplocks) only really stabilised at around level 2.0.5 (and again at 2.2.2!). If something does not work and you have an older version, consider upgrading.

4.3. Samba is slow?

Samba "as is" is sometimes too slow. This can be caused by its own configuration being less than optimal, or it can be caused by its partner's configuration. According to the document 'Speed.txt' (updated for 2.2.0), Samba should operate at around the same speed as ftp and should be faster than NFS.
Some of the following discussion applies only to 1.9.18 levels, a lot of effort went into speeding 2.x.x levels up.

Ways of speeding the partner up

Ways of speeding Samba up

Full/Half Duplex

Ethernet Switches can handle Full-Duplex mode, Hubs can not.  Bearing that in mind, I came across a wonderful article in a Newsgroup a couple of years ago which looks very convincing and is reproduced verbatim.  It is now out of date with respect to Ethernet Switches (as opposed to Hubs).

If you feel that Samba is disastrously slow and none of the above helps, you will have to do some experimenting. Try uploading and downloading a large file between the Samba server and the client using Samba and ftp.
The possibilities are:

Large Directories

There is another problem with all levels of Samba when it comes to accessing large (several thousand files) directories on a client.  Under all Windoze versions, file 'Funnyname.txt' is the same as 'FUNNYNAME.TXT'; Under Unix they are not.  This means that Samba has to 'mangle' filenames internally in order to create the illusion of compatibility.  There are two problems with this:

There are two possible workarounds here:

Most of this came from 'Speed.txt' and 'Speed2.txt'; they have more. Other stuff in this section has been culled from the Newsgroups.
The section in Using Samba that covers this is B.2.
A web-site has been created to hold Linux optimisation tips, Samba is also handled.

4.4. Time-outs, Network Busy

These problems are normally outside Samba altogether, the usual candidates are the general TCP/IP setup and (less often) Windoze.
The default name-resolution order ('name resolve order =' in [global]) is: lmhosts host wins bcast; this is documented in the sample config. If these steps are badly configured, the daemon is liable to hang until something times out.
Taking 'hosts', the first line in hosts should be:
127.0.0.1  localhost  localhost.localdomain

It is also vitally important to have your own host-name and IP-address in this file. When I was using the then newest version of RedHat (5.0 ?) in early spring 1998, it would actually hang for 60 seconds while booting if the own-host line was not the second host in /etc/hosts but that level was the reason I originally switched to SuSE.

Test this with 'ping localhost' and a ping of your own Samba server's name.

External DNS / WINS servers reportedly also seem to need the localhost line at the front.

4.5. Browsing

If you are lucky, the Samba Server will simply appear in your 'Network Neighborhood' and you can (passwords / encryption permitting) simply browse it. If you are asked for IPC$'s password (see above), then your problem is probably encryption. This section deals with the case where a Samba server does not appear at all; 'Map Network Drive' will probably not work either. This is a large area so I am only describing my own experiences here.
Using Samba, section 5.1 covers this whole area in more detail.

4.5.1. Within a Subnet

Each subnet needs a local master browser and elections are held within the subnet to determine which machine should fulfil this function.  Primary or Backup Domain Controllers (PDCs or BDCs) expect to win such elections which are held via Broadcasts.
Three parameters influence this behaviour under Samba.

4.5.2. Across Subnets

Continuing from the previous section, the SMB protocol wants to see a BDC - at least - on every subnet.   Setting 'domain master = yes' means that the machine will attempt to be the domain master browser for the subnet. The 'os level' and 'preferred master' parameters will also influence this behaviour.

The recommended method uses WINS, this needs a 'wins server' (surprise), which can (and probably should) also be the 'domain master browser' for the whole workgroup.  This is not an office you can be elected to, you have to be appointed.  The local master browsers have to know where the domain master browser is.  If there is a PDC in the network, this must be the domain master browser.

If this parameter is set, a WINS server has to be around somewhere. Set 'wins support = yes' on the WINS server and 'wins server = name-or-address' on the other machines. Do not set both on one machine.

The 'remote browse sync = name-or-address name-or-addr . . .' statement can also be used. This allows you to announce yourself to browse masters on other subnets, those browse masters must be running Samba.

You may well have read that Win2K will no longer support WINS.  This is apparently an option that can be set in networks where only Win2K is running.

4.6. Printing

This area was updated for 2.2.0 with new functionality. Look at the Samba-HOWTO-Collection.html doc for more on this.

If you get strange errors ('unknown error' is a give-away) while printing, or it simply does not work and everything else is ok, check the permissions on the directory pointed to by 'path = ' in [printers]. I set them to 1777 which may be overdoing things but does at least work.  I have suggested this to a number of people with printing difficulties and it was once a very common problem, judging from the feedback.
The leading 1 in 1777 is the 'sticky bit'; it means that users can only delete files belonging to themselves.

The user-account 'nobody' (the default guest-id) is not capable of printing on a lot of systems.  If nobody's uid or gid are negative (or > 32767) on your system, you need another guest account.

I used to have a problem with a blank page being printed after every print job, various fixes did not seem to work for me. Now I use CUPS, this particular problem is dead.

The 'no resources' message that sometimes comes can be a timing problem with NT - the WfWg client does not wait long enough (or NT takes too long). Check the 'WinNT' doc on the Samba server for this one.

Printing appears to have been broken for 1.9.18p10 for pre-Win95 clients - specifically WfW 3.11.

If you want to print to a SMB printer, try 'man smbspool'.  This document came with 2.0.6 (I think).

There are two different problems affecting some Samba 2.0.x levels below 2.0.5 under Linux:

There is also a 'Printing' doc with several other tips.

The setup I use is one where the Windoze clients print via Samba to printers attached to the Samba server (physically or via TCP/IP).  If you want to go the other way and print to printers attached to your Windoze clients, Section 7.2 in Using Samba is your friend.

4.7. CR + LF

Unix text-file lines are terminated by 0A (LF)
MS text-file lines are terminated by 0D 0A (CR LF)

Samba does not do and will not do any conversion of these files at all. There are a number of conversion utilities on both platforms, these will have to be used.  Samba 2.0.4 introduced a new document saying this, it vanished again in version 2.2.0.
I saw a Perl-script recently that purported to do the conversion, so if you have access to Perl try:

# cat file.unix | perl -e 'while (<>) {$_ =~s/$/\015/; print$_}' > file.dos

4.8. Filenames with International chars

This discussion applies to Linux and does not really have a lot to do with Samba.

In 2.0.33 or so, the kernel added international support for filenames - a file can now be called /home/user_dir/Ätherische-Öle.wpd (be warned - that name may look different for you) without upsetting anyone unduly.  This was apparently written for FAT/VFAT structures on Diskettes and Dual-Boot machines, and for Joliet (CD-Rom) filesystems.  Samba also benefited from this feature.

Using 'make menuconfig', go into 'Filesystems' and set 'Native Language Support' along with the necessary Codepages and NLS entries.
I am in Germany and have added the Codepages 437 (US) and 850 as modules, along with NLS ISO 8859-1.  If you want to know what each option means, you have to enter a '?' against it - this is extremely boring when there are around 20 entries.
With the 2.2 and 2.4 kernels, 'Native Language Support' is now an extra section.  NLS ISO 8859-15 has been introduced in these versions - it supports the Euro.

The default for the Samba global option 'client code page' is 850, the appropriate 'character set' for this is ISO8859-1 which is not the default.  Experimenting with 'character set' can result in duplicate filenames - the sacrifices we make for science . . .

Recent Samba and Linux versions should work fine here, Urban Widmark has taken over development of smbmount/smbfs in the Linux Kernel.

4.9. Setting UNIX Permissions under Samba

SAMBA normally creates files and directories with the 0744 permission-bits set, unless the DOS Read-Only attribute is set.  This behaviour can be overridden in the respective [service] sections with the following parameters:
 
Parameter                    Synonym         Effect                             Default
create mask = nnnn           create mode     is ANDed with the permission bits  0744
force create mode = nnnn     -               is ORred with the permission bits  0000
directory mask = nnnn        directory mode  is ANDed with the permission bits  0744
force directory mode = nnnn  -               is ORred with the permission bits  0000

The following 4 parameters came with 2.0.5 and are for NT ACL support, they default to their colleagues in the table above:

Samba 2.0.7 added 'inherit permissions', if this is set then new files/directories inherit the permissions of their parent directory.

The 'delete readonly', 'alternate permissions', 'map archive', 'map hidden' and 'map system' are related commands.  If you really feel the need (I don't), look them up.
Using Samba, section 5.3 covers this whole area in more detail.
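
The AND-then-OR order in the table above matters because 'force create mode' is applied last and can put back bits that 'create mask' removed. The script below is an added example, not part of the original page or of Samba: the helper names (smb_param, effective_mode, file_mode, world_writable) and the sample shares are assumptions, and it covers new files only, starting from the 0744 named in the text.

```shell
#!/bin/bash
# Added example: hypothetical helpers, not Samba code.
# Constructed sample config; share names and values are made up.
SAMPLE_CONF='[global]
   workgroup = EXAMPLE

[projects]
   path = /srv/projects
   create mask = 0660
   force create mode = 0006

[homes]
   ; no mask settings here, so the defaults apply
   writeable = yes
'

# smb_param CONF SHARE NAME DEFAULT: value of NAME in [SHARE], else DEFAULT.
# Names compare case-insensitively with runs of blanks collapsed.
smb_param() {
    printf '%s\n' "$1" | awk -v share="$2" -v name="$3" -v dflt="$4" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[.*\]/ {
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
            insec = (tolower(s) == tolower(share)); next
        }
        insec && (eq = index($0, "=")) {
            k = tolower(substr($0, 1, eq - 1)); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/[ \t]+/, " ", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == name) val = v
        }
        END { print (val == "" ? dflt : val) }'
}

# effective_mode REQUESTED MASK FORCE: (REQUESTED AND MASK) OR FORCE, in octal.
effective_mode() { printf '%04o\n' $(( (0$1 & 0$2) | 0$3 )); }

# file_mode CONF SHARE: mode of a new file, starting from the 0744 in the text.
file_mode() {
    local mask force
    mask=$(smb_param "$1" "$2" "create mode" 0744)      # synonym first
    mask=$(smb_param "$1" "$2" "create mask" "$mask")
    force=$(smb_param "$1" "$2" "force create mode" 0000)
    effective_mode 0744 "$mask" "$force"
}

# world_writable MODE: succeeds if the "other" write bit (0002) is set.
world_writable() { [ $(( 0$1 & 0002 )) -ne 0 ]; }

for share in projects homes; do
    m=$(file_mode "$SAMPLE_CONF" "$share")
    if world_writable "$m"; then note="  <- world-writable"; else note=""; fi
    echo "[$share] new files: $m$note"
done
```

In the constructed [projects] share the mask 0660 strips all access for others, yet the forced 0006 leaves new files world-writable; the same arithmetic applies to the two directory parameters.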

4.9.1. Updating non-native-Linux partitions

Not all filesystems could safely be updated under Linux. In particular, updating NTFS was long considered extremely dangerous until (I believe) the ntfs-3g stuff came out in early 2007.
If (for instance) you want to make your ZIP-Drive user-writeable, this normally only works if it is formatted as some Linux filesystem like EXT2/3/4, Reiser, XFS etc. There is a way around this - the drive must be mounted with some special options, look at the parameters umask=, uid= and gid=.  As an example:
mount -t vfat /dev/sda4 /zip -o defaults,gid=101,umask=007
or (in fstab)
/dev/sda4 /zip vfat defaults,gid=101,umask=007 0 0
mounts the drive under Linux as fat16/fat32 with long filenames, the group-id is 101 and the permissions are (0)770. umask bits are 'denial bits' - the bits that are set act to deny the corresponding permissions.  If umask=000 then everyone can do everything with files on the drive - the permissions are then (0)777. This does not really have a lot to do with Samba but it is a typical problem that people who use both filesystems face.

While in this general area, I have 'DOS FAT fs support' and 'VFAT (Windows-95) fs support' enabled in the kernel; 'MSDOS fs support' is disabled. The reason for this is that while VFAT also supports MSDOS partitions/diskettes/drives, updating vfat partitions/diskettes/drives as MSDOS screws up non-8.3 filenames.  (No idea about this in 2007, the standard SuSE/Novell kernels work out of the box).

4.10. GUEST Accounts

The Samba documentation makes clear in various places that the numeric uid (or gid) should not be -1 - this opens a nasty security hole that allows users to obtain 'root' privileges under certain circumstances and also makes printing impossible.
Nothing is said about a value of -2, but the 2.0.x smbpasswd processor gets quite nasty about any negative values.  These include values above 32767.
All this is relevant to guest accounts because Samba's default guest account is 'nobody' and this userid is set up with a negative gid/uid on a lot of systems.
My advice is: use another guest such as 'ftp' - a guest with virtually no rights.
You can set the guest's shell to /bin/false for more security if you wish.  With 'null passwords' set, this is not a bad idea.

I am currently experimenting with

map to guest = Bad User
which points unknown userids to the guest-userid. This parameter was introduced with Samba 2.0.0 and replaced the old compile-option: GUEST-SESSSETUP.
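
The uid/gid rule for guest accounts described in this section can be checked before an account is named in 'guest account ='. This is an added example, not part of the original page or of Samba: check_guest is a hypothetical helper and the passwd-format lines are constructed.

```shell
#!/bin/bash
# Added example: hypothetical helper, not part of Samba.
# Constructed passwd-format sample; all accounts and ids are made up.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
ftp:x:40:49:FTP account:/srv/ftp:/bin/false
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
oldguest:x:-1:-1:guest:/tmp:/bin/sh'

# check_guest PASSWD_TEXT ACCOUNT
# Prints one finding per line. Returns 0 if uid and gid are both within
# 0..32767 (the range the text calls safe), 1 if not, 2 if ACCOUNT is absent.
check_guest() {
    printf '%s\n' "$1" | awk -F: -v acct="$2" '
        $1 == acct {
            found = 1
            if ($3 + 0 < 0 || $3 + 0 > 32767) { print "uid " $3 " out of range 0..32767"; bad = 1 }
            if ($4 + 0 < 0 || $4 + 0 > 32767) { print "gid " $4 " out of range 0..32767"; bad = 1 }
            if ($7 !~ /\/(false|nologin)$/) print "note: login shell is " $7
        }
        END {
            if (!found) { print "account " acct " not found"; exit 2 }
            exit (bad ? 1 : 0)
        }'
}

for acct in nobody ftp oldguest; do
    if findings=$(check_guest "$SAMPLE_PASSWD" "$acct"); then
        verdict="usable"
    else
        verdict="pick another guest"
    fi
    echo "$acct: $verdict"
    if [ -n "$findings" ]; then printf '%s\n' "$findings" | sed 's/^/    /'; fi
done
```

To check a live system, pass the contents of the real passwd file as the first argument, for example "$(cat /etc/passwd)".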

4.11. unfriendly server software

Look at the 'autoreply' doc on the server. This is actually a very interesting document with a lot of other tips, some of them duplicated and some of them outdated.  The outdated points I noticed are:

4.12. other problems

4.13. HELP - It still does not work

4.14. Samba and NT Domains

Samba servers can join NT domains as members; they can also actually act as Primary Domain Controllers.  Afaik, this did not work for Samba levels below 2.2.0 with Win2k.  A large advantage of the domain concept is that once you have authenticated yourself, you can access all shares in the domain.

4.14.1. Samba as a Domain Member

Look at the DOMAIN_MEMBER.html document that comes with Samba.

One problem here is that once you configure your Linux box to join a domain, it starts advertising that it provides authentication services. When the NT PDC is rebooted, it first checks to see if any boxes on the Windows network are offering authentication services, and if one is, it assumes that box must already be the PDC and refuses to step into that role.
This problem is documented in the file gotchas.txt that comes with the Samba package.

4.14.2. Samba as Primary Domain Controller

As of level 2.2.0, there are two perfectly good docs called samba-PDC-HOWTO.html (but not Samba-pdc-howto.html!!) and samba-pdc-faq.html dealing with this. They come with Samba. Read them.

5. Simple Scripts

These have been written for SuSE Linux and bash.  I keep mine in /root/bin and have their permissions set to 0700.  If you use them, you do so for your own convenience and at your own risk.  I have left the first one here because it is of general interest, the other one has been farmed out.

5.1. Terminating and Restarting Samba

#! /bin/sh
#
# Kill and restart Samba
#
echo -n "Shutting down Samba: "
killproc -TERM /usr/sbin/nmbd
killproc -TERM /usr/sbin/smbd
echo
echo -n "Hit XMIT to delete logs and restart"
read
rm /var/log/samba-log.*
rm /var/log/log.?mb?
echo -n "Restarting Samba "
/usr/sbin/nmbd -D
/usr/sbin/smbd -D
echo " done"
As you will see, it also kills the log files left by the previous version.  You will probably have to change some names because your Samba executables and log files are likely to be somewhere else.  The 2 lines:

echo -n "Hit XMIT to delete logs and restart"
read

are there because I sometimes want to change something while Samba is down.

For UNIXes/Linux distributions without killproc (Caldera seems to be an example), take a look at killall.  I am told that killall kills *all* processes under Solaris (this seems rather insane), so take a *very*good* look at it before you use it.

Another way of restarting Samba is to issue the two commands:

killall -HUP smbd
killall -HUP nmbd
Obviously, no logfiles are deleted here. Thank you Michael Maclean for this one.

5.2. Postinstall (man)

This Perl script runs after make install or make installman and is needed for each new release.  It may well produce some error-messages when it is trying to delete previous versions of the man-pages, especially if they have already been deleted.

6. Security Aspects

Some general security tips.  This section is not to be considered exhaustive.