SAMBA Documentation
1. Introduction
1.1. Disclaimer
2. SAMBA Documentation
2.1. Current documentation
2.1.1.man pages
2.2. Other documentation
2.3. SAMBA Web site mirrors
2.4. Getting Help (Newsgroups)
2.5. Samba Levels
2.5.1. Installing a new level
3. Configuration Issues
3.1. SWAT - a configuration tool
3.2. Samba Settings
3.2.1. A Sample Config
3.2.2. Comments on Sample Config
3.2.3. Multiple Configurations
3.3. Client Settings
3.3.1. smbmount
3.3.1.1. smbmount 2.0.6 and above
3.3.1.2. Older versions
3.3.1.2.1. Linux 2.0 Kernels
3.3.1.2.2. Linux 2.2 Kernels
3.3.1.2.3. smbmount 2.0.5
3.3.1.3. Recompiling smbmount
3.3.2. smbsh
3.3.3. Win clients
3.3.3.1. Win2K, XP
3.3.3.2. Win NT
3.3.3.3. Win9x
3.3.3.4. Win 3.11
3.3.4. MSCLIENT - Smb client for DOS
3.3.5. Other Clients
4. Simple Solutions
4.1. Correct passwords being rejected
4.1.1. Username in error
4.1.2. Password in error
4.1.2.1. Password case-error
4.1.2.2. Encryption
4.1.2.2.1. Some background info
4.1.2.2.2. encrypt passwords = no
4.1.2.2.3. turn encryption on
4.1.3. IPC$
4.2. OPLOCKS
4.3. Samba is slow?
4.4. Time-outs, Network Busy
4.5. Browsing
4.5.1. Within a Subnet
4.5.2. Across Subnets
4.6. Printing
4.7. CR + LF
4.8. Filenames with International chars
4.9. Setting UNIX Permissions under Samba
4.9.1. Updating non-native-Linux partitions
4.10. GUEST Accounts
4.11. unfriendly server software
4.12. other problems
4.13. HELP - It still does not work
4.14. Samba and NT Domains
4.14.1. Samba as a Domain Member
4.14.2. Samba as Primary Domain Controller
5. Simple Scripts
5.1. Terminating and restarting Samba
5.2. Postinstall (man)
6. Security aspects
ignore these links
This is a Samba web site. It is not 'official' but contains
pointers and answers to most of the problems I feel qualified to talk
about. Although I hope that the answers I give are correct, there have
been errors in the past. I can be reached under
andrewDOTwilliamsATgmxDOTnet . Whilst the beast is fairly up to
date (May 2003 and version 2.2.8a), my
current job means that I have neither time nor the inclination to
follow all
new developments. Most of the recent developments have been in
supporting
the NT/W2K/XP RPCs, I have nothing to do with such an environment.
Minor editing in September 2007 to
change obviously outdated stuff.
Ever since Samba 2.0.7, the O'Reilly book Using
Samba has been distributed with the Samba sources and accessible
via SWAT. I will be referring to it a lot in
this
document. There are still references to levels older than 2.0.7 in this
document, but I they will be minimised if I ever find the time.
One thing you will not find here is an exact description of how
Samba
should be started after a boot. There are two different ways: via
inetd/xinetd
and as a daemon and both the document UNIX_INSTALL.txt and Section 2.5
of
Using Samba describe both in some
detail. SuSE Linux starts it as daemons (the preferred method)
via a script and
I do not feel able to comment on problems you may have starting by hand
on
other systems.
Even so, my script shown below shows what must be
done. Depending on your
configuration there may be more daemons than just nmbd and smbd.
The only one I know about is winbindd - password control for large
installations.
This document and all associated documents are provided on an 'as is'
basis, the author assumes no liability for damage directly or
indirectly
caused by following this advice.
This warning is here as a precaution, I have no reason to believe that
there is anything wrong with the advice here, but you never know . . .
Documentation comes with Samba, on the website (mirrors), in various
books and in sites such as this.
The list of the Samba documentation files for the current level is now another document.
This list is for version 2.2.6., the ones in italics are new
for 2.2.x levels. The ones marked in bold are especially
important (smb.conf is the Samba bible).
findsmb.1 make_smbcodepage.1
make_unicodemap.1 nmblookup.1 rpcclient.1
smbcacls.1 smbclient.1
smbcontrol.1 smbrun.1 smbsh.1
smbstatus.1 smbtar.1 testparm.1 testprns.1 wbinfo.1
lmhosts.5 smb.conf.5 smbpasswd.5
samba.7
nmbd.8 pdbedit.8 smbd.8 smbmnt.8
smbmount.8 smbpasswd.8 smbspool.8 smbumount.8
swat.8 winbindd.8.
Nowadays the man-pages are also released as html documents in
samba/docs/html. RTFM, you have no excuse :-)
Books on Samba used to be rare, not any more - my local technical
bookshop stocks about 10 different ones. Here are the ones that I have
personal experience of.
- John Blair's Samba book
was released in 1998 and covered releases up to 1.9.18.
Unfortunately it is now totally out of date.
- SAMS 'Teach
Yourself Samba in 24 Hours' by Jerry Carter and Richard Sharpe
(Samba Team members). It came out in April 1999. I have it and
was happy with it back then, it covers up to level 2.0.3. The PDC
and SWAT features are
documented here but the NT ACL stuff is not, that came with 2.0.4. It
is
also starting to age.
- SAMS 'Samba
Unleashed'. I just got a quick look at this one and was amazed at
the sheer scope of
this book. It was written by a large number of people from
various
viewpoints, I think they were originally recruited by trawling
contributors
to the Samba Newsgroup. Features still in development were
discussed
and a website exists with dynamic updates to the book.
- Using Samba
(O'Reilly) by Robert Eckstein, David Collier-Brown and Peter Kelly came
out in November 1999 under an open-content license. The book was then
adopted by the Samba Team as the "official" Samba book and is kept up
to date. It has been released with Samba directly since level 2.0.7 and
is directly accessible from SWAT. I now refer
to it a lot in this text.
The paper first-edition covers 2.0.4b.
The book can also be viewed
online, the only thing missing from it is a description of smbmount.
The normal documentation is (of course) in your Samba $(BASEDIR)/docs
(/usr/local/samba/docs in my case) or its subdirectories
if you downloaded Samba, or in something like /usr/doc/packages/Samba
if you did not.
Websites you could look at are:
- The 'linux cookbook'
project with 'basic Samba' and 'intermediate Samba (under
construction)' entries. I like the first one (lucid, accurate)
and assume that the second one will be accurate as well.
- Benoit Gerrienne from Belgium linked his web-page (English and French)
to mine without asking me, I have no compunction in linking back. He
knows
what he is talking about and has stuff on Samba as a PDC - an area I
know
nothing about.
- This
site is heavily tailored to RedHat 6.0/Samba 2.0.3 and has not been
updated since (last time I looked). It is well-written and
contains some interesting ideas that I need to find time to test - this
guy knows both Samba and Linux well. Where it falls down a bit is
that printing and the encryption issue are pretty much ignored.
This list was hijacked from the servers listed here in May 2002 and
will be out of date (new mirrors are coming and going all the time):
Web Sites
Please choose your closest web mirror site:
Download sites
These contain the source and binary distributions but not the web
pages.
Please refer to these mirroring instructions
for information on mirroring the Samba web pages.
Non-English
Here you will find non-English starting points for Samba information.
Other sites in samba.org
You will find the following information there:
- Release Documentation for recent levels
- Pointers to the Man Pages
- Pointers to other documentation, in particular:
- The Current Sources
- Tools, such as Samba GUI managers
- Samba Ports to various platforms, including VMS, MVS, Novell
- A list of clients for various platforms
- more . . .
I have seen 2 newsgroups that concern themselves with Samba:
While I am not sure what the original reason for the existence of the
second one was (other than the people who frequent it not knowing about
the first one), it has also developed into a useful forum. If you
have problems with passwords being rejected or 'station not
authorised', do not bother the groups anyway - look at the 'encryption' pages here.
The document WHATSNEW.txt - which comes
with the sources - lists all new features and fixed bugs for a new
level.
If you are migrating from a pre-2.0.0 level, read the last part of the 2.0.x version it before doing anything
else.
The two main problems in migrating are that the default for 'security'
changed
from 'share' to 'user', and that the smbpasswd format changed - see below for more on this.
- 4.0 is in testing in 2007.
- 3.0.25c is current in September 2007.
- I have no idea what was
introduced when between 2003 and 2007 ;-)
- 2.2.8 and 8a were security updates, 2.2.8 also contained some new
features and fixes. WHATSNEW is your friend.
- 2.2.7a contained bugfixes to 2.2.7
- 2.2.7 was a security update with some other incidental updates
- 2.2.6 and 2.2.5 are mostly bugfix updates. The WHATSNEW has a
summary.
- 2.2.4 was mostly a bugfix update. The WHATSNEW has a summary,
apparently some nasty new bugs were introduced here as well.
- 2.2.3a replaced 2.2.3 rather quickly. The main changes here are
the LDAP interface and fixes to winbindd.
- 2.2.2 was the first release to include the winbind daemon. This
code allows UNIX systems that implement the name service switch (nss)
to be entered into a Windows NT/2000 domain and use the Domain
controller for all user
and group enumeration.
This allows a Samba server added to a Windows domain to serve file and
print services with no local users needed in /etc/passwd and
/etc/group - all users and groups are read directly from the Windows
domain controller. In addition with pam_winbind which allows a PAM
enabled UNIX system to use a Windows domain for authentication service
this allows single sign on and account control across UNIX and Windows
systems.
This level also had some important oplock fixes
- 2.2.1a contained mainly bug fixes. 2.2.1 contained a minor
(?) bug and was replaced after a few hours.
- 2.2.0 introduced Linux support for files > 2GB and kernel
oplocks (2.4 kernel necessary). It was superceded by 2.2.0a which
disallowed %m for
security reasons. %m has since returned.
- 2.0.10 was a security fix to 2.0.7 with no new functions, the WHATSNEW.txt has the details.
- 2.0.6 saw the smbmount rewrite completed.
- 2.0.5a saw a rewrite of 'smbmount' with reduced functionality and
different syntax. The older version had a major security hole.
- 2.0.0 was a major feature-release, the feature being the ability
join a domain belonging to an NT PDC.
Quite apart from the new features, all 1.9.18p10 bugs I know of were
fixed in this version.
- other 2.0.x levels no longer concern us.
Here is the WHATSNEW.txt
for 1.9.18p10 - it lists the bugs and security holes that were fixed up
to that level.
- 1.9.18p10 was the last 1.9.18 version and it fixed all then known
bugs. A speed problem with Win98 was also fixed here. I saw
no official bug reports (or fixes) against it, although the
following
problems with WfW 3.11 and Dos clients were confirmed.
- The directory entries '.' and '..' no longer appeared, although
typing '../' worked
- Printing no longer worked, at all. ;-(
- The ´smb passwd file´ statement was ignored by the
smbpasswd program (nothing to do with WfWg/Dos)
- (documentation for older levels deleted, you can always look at
the 1.9.18p10 WHATSNEW.txt
)
I know of no reason why anyone would want to install or even know about
the features of a version other than a current one, 2.0.10, or maybe
1.9.18p10. Levels older than 1.9.18 needed special libraries (libdes)
to be compiled in in order to support encryption.
This description is written for Linux and the Bash shell. There is a
fundamental difference between normal 'installed' versions of Samba and
those that are downloaded - the original ones are integrated into the
standard files and downloaded ones have been prepared to land in the
/usr/local/samba tree.
Since the /usr tree should ideally be read-only, my options modify this
behaviour. This version is for Samba 2.x levels, the older version of this section is still
available, you might want to look there if you are installing Samba
1.9.18.
Sections 2.2 and 2.3 of Using Samba
cover this area in more detail.
Under SuSE for example, the version as originally installed has:
- The Daemons (smbd and nmbd) in /usr/sbin, along with swat.
- All other executables in /usr/bin
- smb.conf in /etc/samba
- smbpasswd (the password file, not the executable!) in /etc,
although I prefer to have it in /etc/private
- The man pages are in the /usr/man/ subdirectories. In addition,
they are in .gz format under SuSE, this is a problem - 'man' goes
for the '.gz' version first when confronted with both. If you do
not have
these problems, consider adding the '--mandir' option.
Since './configure' offers the ability to change most of these default
placements, I now have a mini-script to carry this out. This version is
for 2.2.x levels only, replace --exec-prefix=/usr with
--bindir=/usr/bin for 2.0.x
levels and then set up links between /usr/sbin and /usr/bin for the
smbd,
nmbd and swat executables. (no
idea if this still works with 3.0 levels!!)
#! /bin/sh
#
# Set my Samba default stuff
# --sbindir is necessary because ./configure has a bug
./configure --exec-prefix=/usr --bindir=/usr/bin
--sbindir=/usr/sbin --with-smbmount
--with-privatedir=/etc/samba/private --libdir=/etc/samba
--localstatedir=/var/log/samba --with-lockdir=/var/lock/samba
(Careful with line-wrap, that last line is very long). Going through
these './configure' options:
- --exec-prefix puts the executables into /usr/bin and /usr/sbin
- --bindir is only necessary with levels which ignore the above line
- --sbindir is because the default is/was not as it should be (bug)
- --with-smbmount is essential if you use Linux with a 2.2.x (or
higher) kernel.
- --with-privatedir specifies the location of the 'smbpasswd'
file. Since this is in smb.conf anyway, this line is actually
unnecessary :-)
- --libdir specifies where 'smb.conf', 'lmhosts' and the
'codepages' directory are. The first file is (of course) critical.
- --localstatedir only affects 'log.nmbd' and 'log.smbd'
- --with-lockdir is set here to avoid updating /usr/local/samba/var
- using --mandir would break the Perl
script I have written to delete the old and copy the new man-pages.
The two issues that this does not resolve are that 'nmbd', 'smbd' and
'swat' go to the '--bindir' directory under some levels, and (SuSE
only)
the man-pages.
These are the '/configure' options I use. Try './configure
--help | more' to see if any other options could apply to your
system. If you
identify an option that looks good, check its usage in the generated
'Makefile'.
If you get 'fatal signal 11' under Linux, suspect the hardware and look
here.
While I have scripts for some of this, they are
pretty primitive and do not do all the work.
The 10 (or so) steps to heaven are:
- Obtain the new level from a Mirror-Site
- Go to /usr/local and issue
rm samba
gunzip -c samba-2.x.x.tar.gz | tar xf -
ln -s samba-2.x.x samba
you will now have a new directory: /usr/local/samba-2.2.8 (for example)
and a 'samba' link to it
- Go to subdirectory 'source' in this new directory
- If you want to totally re-initialise this directory after a
botched configuration attempt, 'make distclean' will do this.
- For 2.x levels, you can now issue your './configure' to create
your Makefile, go back 30 lines here above for more details :-)
If you have a 1.x level (and why are you installing an ancient level?)
then you will have to edit 'Makefile' in this directory. A Samba
generated under a Linux 2.0 Kernel will not work under 2.2 kernels or
higher, you will have to repeat things starting with this step. I
do not know if this applies between 2.2 and 2.4 kernels because I
upgraded both at the same time anyway.
- make (if you have changed something and are repeating this step,
you can do a 'make clean' first)
- Go back to samba/source and issue 'make install'
- If this is your first downloaded version and it is below 2.2.0,
you will need to go to /usr/sbin and then issue
mv nmbd nmbd.old ; ln -s ../bin/nmbd nmbd
mv smbd smbd.old ; ln -s ../bin/smbd smbd
mv swat swat.old ; ln -s ../bin/swat swat
- The last step is to replace the man pages. This script should do the job, it needs
Perl.
Hopefully this will work for you. It has worked for me over several
levels on several machines.
The 'man swat' documentation is a very good place to start, although I
am paranoid enough to use TCP-Wrappers. To use swat with
TCP-Wrappers, in /etc/inetd.conf, take the line
swat stream tcp nowait.400 root /usr/sbin/swat swat
and change it to
swat stream tcp nowait.400 root /usr/sbin/tcpd /usr/sbin/swat
/etc/services needs a line
swat 901/tcp
hosts.deny needs the line
swat: ALL
In /etc/hosts.allow you need
swat: 127.0.0.1
and maybe a second IP address or range as well on that line if you are
feeling adventurous.
Since version 2.0.7, Using Samba can also
be accessed via SWAT.
There are also a number of examples in the Samba documentation, look
for a subdirectory called 'examples'. Another possibility is the
use of 'swat'; I followed the 'man swat' documentation, went into
'localhost' as root and all was fine. Swat cannot handle
'include' or 'copy' statements.
; Configuration file for smbd.
; For the format of this file and comprehensive descriptions
of
all the
; configuration option, please refer to the man page for
smb.conf(5).
;
[global]
; workgroup = WORKGROUP
null passwords = yes
guest account = ftp
netbios name = mightyserv
; netbios aliases = redeyes
lock directory = /var/lock/samba
security = user
debug level = 2
log file = /var/log/samba/log.%m
max log size = 50
; I want to lose elections, the next 4 lines ensure that I do
local master = no
; domain master = no
; preferred master = no
; os level = 0
wins server = 194.10.20.55
; interfaces = 10.20.30.40/24 194.10.20.30/24 127.0.0.1/8
; name resolve order = lmhosts host wins bcast
; time server = yes
load printers = yes
; client code page = 850
character set = ISO8859-1
server string = host %h Version %v for %I
; update encrypted = yes
encrypt passwords = yes
smb passwd file = /etc/private/smbpasswd
username map = /etc/samba/username.map
veto files = /*.eml/*.nws/riched20.dll/
; socket options = TCP_NODELAY IPTOS_THROUGHPUT
SO_RCVBUF=4096 SO_SNDBUF=4096
[tmp]
comment = Temporary file space
path = /tmp
writeable = yes
public = yes
create mask = 0777
dos filetimes = true
[homes]
comment = Home Directories
writeable = yes
browseable = no
dos filetimes = true
; veto files = /.*/
valid users = %S
[printers]
comment = All Printers
printable = yes
browseable = no
path = /var/spool/lpd
writeable = no
guest ok = yes
print command = /usr/bin/lpr -r -P%p %s
; print command = cp %s /var/spool/lpd/print_%p
; printing = bsd
[redcd]
comment = %h CD-Rom
path = /cdrom
preexec = /bin/mount /media/cdrom
postexec = /bin/umount /media/cdrom
writeable = no
Look at the 'man' pages for 'smb.conf' for better explanations - this
document is kept current and is the reference document for
config
issues.
- [global]
- [tmp]
- create mask = 0777
Allows all users full access to all files here, see Setting
UNIX Permissions .
- dos filetimes = true
This can be important, look at the man page.
- [homes]
- valid users = %S
restrict people to their own home directories
- veto files = /.*/
Should means that files where the name starts with a '.' are totally
invisible, even if the client can see hidden files. This did not
work for a long time (2.0.?? to 2.2.4), it also slows Samba down.
- [printers]
- path = /var/spool/lpd
I set the permissions here to 1777. If your userid cannot create files
in this directory, you get very strange errors because this is not a
condition that Win clients understand - see Printing.
- print command = /usr/bin/lpr -r -P%p %s
This is (or should be) the default for Linux. I have seen a claim that
version 2.0.2 had an error here so if 'testparm' comes up with
something crazy,
be prepared to enter something by hand here. The alternative 'print
command'
line can be used to debug printing.
- ; printing = bsd
Again, this should be the default for Linux systems and is for mine.
Apparently this was was not always the case in 2.0.x levels below
2.0.5. An alternative is 'printing = cups' which also needs
'printcap name = cups'.
- [redcd]
- This is a CD-Rom share, it serves as an example of a
read-only share - the same statements can be used for a disc share as
well, although you
should look at the OPLOCKS section.
There are sometimes cases where you will wish to have multiple
configurations, these fall broadly into two categories:
- The maximum number of shares / printers has been reached - this
seems to be around 145 (shares) or 50 (printers)
- You want mutually exclusive options, for example 'security =
share' for printing and 'security = user' for directories.
John Blair's Samba book
has an elegant solution in Chapter 10 (Other Tricks and
Techniques) under 'Using Share Level and User Level Security at the
Same Time' - Page 257 in my (first) edition, sections 4.3 and 4.7 of Using Samba
cover the same ground.
/path/smb.conf contains the header [global] and the statements in
this section common to both (all) configurations, and then:
- netbios name = sambadirs
- netbios aliases = sambaprs
- include = /path/smb.conf.%L
/path/smb.conf.sambadirs contains 'security = user' (no [global]
section header) and all of the services that want 'user' security
/path/smb.conf.sambaprs contains 'security = share', 'load printers
= yes',
the guest stuff and the services that want 'share' security.
Clients latch on to either 'sambadirs' or 'sambaprs' (or both) in
their 'Network Neighbourhood'.
Be warned that %L is case-sensitive.
The only problems I have encountered with this technique is that
'testparm' no longer works and swat cannot be used.
There is an example of this in subdirectory examples/tridge. I
find it rather messy but it demonstrates a lot of principles ;-)
The smbmount and smbumount programs were originally not part of the
Samba suite (and were not maintained by the Samba team) although they
were distributed with it. Starting with Samba 2.0.5, they
are. Smbmount was rewritten for Samba 2.0.5 and again for
2.0.6. The syntax changed (again) each time. With 2.0.7, a
document called smbmount.txt was
added to the Samba Docs, it is identical
to
the man-page since level 2.2.0.
Urban Widmark is now the maintainer for smbmount/smbfs. (smbmount is outdated, try man mount.cifs which is fairly
similar)
A tool called smbsh has been introduced in
Samba 2.0.x.
It is part of the Samba-suite and runs on most Unixes, but not Linux.
The package RUMBA is the other equivalent of SMBFS for non-Linux
systems.
Smbmount/smbumount are not normally compiled by default when you
load a
new level, even under Linux. Look at the relevant
subsection for more on this. The commands in this section have been
tested under all recent SuSE Linux levels and other Linux distributions
will work the same way
Be warned that smbmount for a Linux 2.0 kernel would not work under
a
2.2 kernel, even the syntax was totally different.
So, to summarise the version information:
- if your kernel level is 2.0.xx look
here.
- For 2.2.xx kernels (and above), your Samba level becomes
important
- for Samba 2.0.6 and above look here
- for 2.0.5a here
- for lower levels here.
The Kernel needs the 'SMB Filesystems' option set - something that is
not otherwise necessary for Samba.
smbmount (all levels, as far as I know) has one significant problem
- directory
entries are not automatically refreshed.
To illustrate this, Machine A is running some version of Windoze.
Directory temp is exported (update access). Someone
working on
machine A creates and deletes subdirectories and files.
Machine B is accessing A's exported temp.
- If B is running Windoze, looking at a subdirectory of temp and
then the main directory causes the directory listing to be refreshed
and brought up to date.
- If B is running Linux and smbmount, it can take 10 or 15 minutes
for changes to be recognised. The best solution at the moment
seems to
be to create, delete or rename some file in this directory via
smbmount,
the directory information is then updated.
This version completes the Samba 2.0.5a rewrite. The man smbmount
documentation is now current again. This time, the syntax is that of
the 'mount' syntax - an indication that it will not change again. smbmount
-h also tells you how to use it.
Imho, some of the previous versions of smbmount were a mess. This
version is excellent and should be around for a long time. it now
has been!
:-)
The actual command is:
smbmount //machine/service /MountPoint -o option,option
or
mount -t smbfs //machine/service /MountPoint -o option,option
The options that I consider most useful are:
- username=userid, userid%password or even
user/workgroup%pass
- password=password
- guest (no password)
- uid=uid the imported files should have on this machine
- gid=gid the imported files should have on this machine
- fmask=file permissions the imported files should have on this
machine
- dmask=directory permissions the imported files should have on
this machine
- ro read-only
- rw read-write (update)
The other options are: netbiosname, port, debug, workgroup, sockopt and
scope (of NetBIOS). Just look at the very concise man-page. To
quote the man page: 'smbmount calls smbmnt to do the actual mount, You
must make sure that smbmnt is in the path so that it can be found'.
You want an example?
smbmount //machine/service /mountpoint -o
username=user%pass,uid=dustpuppy
or
mount -t smbfs //machine/service /mountpoint -o
username=user%pass,uid=dustpuppy
The two commands are functionally identical. When I tried
adding the second version to /etc/fstab, it failed because the mount
was attempted before networking had started. At least 'mount -a' then
works.
For some arcane reason, SuSE 6.4 claimed that only the second
version of
the syntax above works. This is simply wrong.
First tests of the 2.0.7 version seemed to indicate that Linux hung
on a reboot if any smb-mounted drives have not been previously
unmounted. This bug was also present in the 2.0.5 version, but
not 2.0.6. I think this is fine nowadays (2.2.x).
The only reason I can think of for using an older version of smbmount
would be a 2.0 Kernel. Here is how to use older versions, together with
which documentation can be trusted (often only smbmount -h).
Be prepared to ignore the 'man smbmount' documentation, it may well be
for Linux 2.2 and inappropriate; smbmount -h tells you
what you
need to know.
The actual command is:
smbmount //machine/service /MountPoint -U userid -P password
If you leave the '-P password' and '-n' out, you will be queried for a
password.
Other useful options in my version are:
- -n - no password
- -u - numeric uid the imported files should have on this machine
- -g - numeric gid the imported files should have on this machine
- -f - octal bitmask for the file permissions on this machine
- -d - octal bitmask for the directory permissions on this machine
- -C - do not convert password to uppercase (if I want uppercase, I
type uppercase)
- -h - if you want to know more.
Once you have finished, there is also the
smbumount /MountPoint
command.
This does not apply to the smbmount versions released with Samba
2.0.5 and above.
The man smbmount documentation, is more helpful here, but
still partially incorrect; man smbmnt gives more clues
and smbmount -h will tell you some the rest. Experiment!
The actual command is:
smbmount "//machine/service" password -c "mount
/MountPoint" -U userid
The -N option (no password) can be used instead of a password, the
password can also be supplied as -U userid%password
Other useful options that can be passed with the "mount" command
are:
- -u - numeric uid the imported files should have on this machine
- -g - numeric gid the imported files should have on this machine
- -f - octal bitmask for the file permissions on this machine
- -d - octal bitmask for the directory permissions on this machine
And the '-d debuglevel' option (outside the mount sub-command) to turn
debugging on. This is overridden by the smb.conf setting anyway.
Once you have finished, there is also the
smbumount /MountPoint
command Having said this; if you (as I did once) have SuSE Linux
6.1, you have a problem. Either download their kernel-module fix
from their web-site to fix it, or upgrade your kernel.
If you get 'too many files open in system' and have the 2.2.9
kernel,
upgrade to another level.
In this version, the man smbmount documentation is simply
wrong. The previous version of smbmount was a 'hacked up version
of the old smbclient code' and contained a major and critical security
hole. The version here was cleaner, was rushed out, was missing
some functions and was ahead of the documentation. This changed
with 2.0.6 but that is another section. smbmount
-h tells you how to use this version.
The actual command is:
smbmount //machine/service /MountPoint -U userid
Which is a lot like the original smbmount
documented above. The -N option (no password) can be used instead
of a password, the password can also be supplied as -U userid%password
I am told that the -W (workgroup) option actually passes the
domain . This version really was a 'rush job'.
Once you have finished, there is also the
smbumount /MountPoint
command. I strongly recommend this because if I forget this step,
my Linux hangs up while unmounting filesystems when I next try and
boot. Your
mileage may vary on this point, some versions hang and some work.
The version of smbmount released with Linux 2.0 distributions was only
suitable for Linux 2.0 kernels, the recent downloaded Samba sources
supply a newer version which will work under levels > 2.1.70,
2.2.anything or 2.4.anything but not under older levels such as
2.0.anything . If you have a newer version of Linux, then
issue the './configure --with-smbmount' at the appropriate
time.
When you re-compile Samba, the default directory for smb.conf is
/usr/local/samba/lib. Since I keep my config in /etc/samba, this
necessitates a symbolic link between the two.
All I know about smbsh is that it allows access to NT filesystems using
Unix commands. The commands have to be dynamically linked for it
to work properly. smbspool (look at the man-page, newer levels
only) is the equivalent if you want to access a SMB printer.
The 'smbsh' man-page (2.0.3 and above) and file README in
samba/source/smbwrapper give some clues as to what smbsh should do.
You can compile it on supported systems (see that README file) with
'make smbwrapper' or by adding the '--with-smbwrapper' option to the
./configure.
Linux systems with glibc-2.1 and above (and guess what I have . . .)
are not supported - the glibc maintainers deliberately removed the
necessary
hooks; apparently they do not like user-space filesystems.
This part is very general, look immediately below for settings specific
to certain platforms.
- You need to activate/add 'Client for Microsoft Networks'
- MS File and Print sharing must be activated
It is up to you whether you want to share local resources or access
external resources - check the appropriate box.
- TCP/IP is necessary
- IPX/SPX slows things down, kill it if possible
- NetBEUI is not supported at all by Samba. In February 2000,
a company called Procom announced
a
GPL'd NetBEUI Stack for Linux, specifically with Samba in mind.
Until
this trickles through to the Kernel (2.5 Kernels seem to have it),
disable
NetBEUI. (Who cares about
NetBEUI in 2007 anyway?)
Those are the minimum requirements. If you are capable of setting
up TCP/IP Networking under Linux, I assume you can do the same under
various flavours of Windoze. WINS support is discussed in the
section dealing with Browsing .
NT Versions starting with NT4 SP3, Win95B and above, all Win98/ME,
Win2K
and XP versions need encryption turned on under
Samba, or the appropriate registry hack to be applied. My personal
preference is for the first option - it makes things easier in the long
run.
Samba can act as a Domain Controller.
This functionality is improving all the time.
You may have read that Win2K / XP no longer support WINS. This
is apparently
an option that can be set in networks where only Win2K
/ XP is
running. Apart from this, I believe these levels can be treated
substantially
as NT4.
Win2K ACL support has been turned on since around 2.2.2.
Section 3.2 of Using Samba covers Win NT
clients.
Warning: The rest of this section comes from various pieces of
documentation. I have included it here because the questions are
asked so frequently, not because I have experience in this area.
Apart from the WinNT.txt and DOMAIN_CONTROL.txt docs mentioned above,
there is a 'FAQ for Samba NTDOM PDC support' on
the Samba Sites.
- 1.9.18pxx levels were NOT capable of joining domains belonging to
NT 3.51 or 4. PDCs. This code was released in version 2.0.0. The
ability to make a Samba machine act as a PDC documented
below .
- The NT Domain client coding also came in version 2.0.0. A
new
security option: 'security = domain' was also implemented at this point.
- Any coding to implement these features in older versions was
experimental.
- System Error 1240 indicates that you have fallen foul of the encryption issue.
If NT is used for user-validation, Samba always tries to logon twice -
the first time with an invalid password (1F1F1F . . ). If this
first
attempt succeeds, Samba treats the NT machine as a security risk and
refuses
to use it.
This is necessary because Samba does not know if the first attempt
succeeded because the user/passwd were correct or because guest-access
was configured on the NT machine. Since the user may have been 'root',
this difference is
important. As of level 2.0.4, this behaviour is documented.
NT ACL support was activated with Samba 2.0.4.
Section 3.1 of Using Samba covers Win9x
clients, it comes with lots of pretty pictures. :-)
Level 1.9.18p10 had problems with this client,
you will also run into problems with all levels if directory /
filenames
/ share-names (printers!) do not comply with the 8.3 naming
restrictions.
Much to my surprise, I once needed to hook a DOS 6.2 client up to a
network. MS offer a client which can be downloaded and installed under
DOS. It helps if the network-card you use is of an older type.
The software can be downloaded from Microsoft
® and consists of two self-extracting .EXE files which fit onto
one floppy.
Follow the usual procedures with such files. When you get to the
proper setup-screen, you will see that this client expects a network
with ipx/spx networking, and DHCP. You will need to add (and configure)
TCP/IP, remove ipx/spx and (presumably) give yourself a static
IP-Address by turning auto-configuration off.
To remove ipx/spx, move the cursor to it, tab to the other box and go
to 'remove'.
To configure TCP/IP, follow the same procedure - position the cursor
over it (upper box) and then tab to the lower box and the 'Change
Settings' line. The rest seemed pretty obvious.
Once it has been installed, the NET USE X: \\server\sharecommand
gives you access to the outside world. I did not see any evidence that
shares could be exported from Dos, but apparently this is also possible
with extra software.
There seems to be no way of accessing DNS or WINS services from this
client, it is back to good old \net\hosts
There is a client for the Mac which is called DAVE. That is all I know
about it. Look at Macintosh_Clients.txt
for more.
OS/2 apparently can also act as a client or server for SMB
services. The 'lm announce' and 'lm interval' parameters are set
up for this OS. Again, look at
OS2-Client-HOWTO.txt for more.
There are several different possibilities here.
- At least some MS clients convert Userids and Passwords to
uppercase. Samba attempts to make sense of this by trying various
upper/lower-case
possibilities. Samba may not be trying hard enough for you.
- Win95b, Win95c, Win98, WinME, Win2k, XP and NT 4 with SP3 (or
higher) pass encrypted passwords. If your Samba Server cannot handle
these then
you have a problem.
- Your encrypted-password entry may be disabled. There will
be
a [D . . . ] flag at the end of the line in the smbpasswd
file. Enter 'smbpasswd -e userid' as root to fix it.
- Your encrypted-password entry may not match it's /etc/passwd
entry,
specifically: the numeric uids may be different. I have no idea
how
this can happen but have seen it twice now so it needs mentioning.
If it is not already obvious which one applies to you, set 'debug level
= 3' and look at your logfiles. Remember to set it back down again
afterwards.
Samba's default behaviour is to try converting the incoming Username to
lowercase. If that works then fine, otherwise the first char is
converted to Uppercase and it tries again.
If this is not enough for you, there are 3 ways of handling this
problem.
- look at the 'username level' parameter
- Using a 'username map' file, map the lowercase versions to the
mixed case versions you actually have.
- Create the user-accounts as lowercase on the Samba machine
I have seen it claimed that Samba 2.0.0 truncated names on 7 characters
- a bug.
Assuming you have not got a real password-error, or that you have
accidentally come in as your 'guest account', the problem is almost
certainly encryption.
WfWG 3.11 also converts passwords to uppercase under certain
circumstances. The 'password level' parameter exists to force varying
combinations of upper and lower case.
Newer versions of WinNT (with SP3) and Win95 (Win95b and Win95c), along
with all versions of Win98, WinME, Win2k and XP only send encrypted
passwords down the line. This is a security feature and one that makes
sense. There are two ways to go about accommodating such clients - one
is to turn encryption off for them, the other one is to turn it on on
the Samba server.
I personally consider encryption to be a 'good thing' (the alternative
being to 'hack' all new clients) and recommend introducing it before
you actually need it.
Encryption is compulsory if 'security = server', it is permitted for
'security = share/user' and rather irrelevant for 'security = domain'.
If you migrate from a 1.9.xxPyy level to a 2.0.x level, you will run
into the problem that the smbpasswd file format changed. The
symptoms are that the entries pick up a large unfriendly D (for
Disabled) at the end
of each line. Run convert_smbpasswd to fix it. The
smbpasswd
processor also has an option to enable disabled passwords, 'man
smbpasswd'.
The whole smbpasswd discussion in the remainder of this section
appears to be unnecessary for 'security = server' and 'security =
domain' because authentication is handled on another machine - only the
userids are used.
A Samba Server with encryption turned on can also handle unencrypted
clients (although they have to be in 'smbpasswd') at least for 1.9.18
and 2.0 levels. Although some people have reported problems here,
they turned out to be
configuration errors.
If you have an older level (below 1.9.18p1) then consider upgrading
if you need encryption. It is still possible with some of these
levels but it needs the DES libraries and they were sometimes difficult
to obtain (US export restrictions).
There are two different encryption schemes - 'LanManager' (win9x /
winME) and WinNT / W2000 / XP. Samba can handle both and stores
both in 'smbpasswd', this is the reason for the curious structure of
the smbpasswd file. The LanManager scheme is also relatively weak
and it is quite easy to reconstruct a password from it's encrypted
value, this is the reason why the 'smbpasswd' file has to be kept very
secure.
The smbpasswd command (man smbpasswd) is used to maintain
the file once it has been created. Root can use it on all
userids, other users on themselves.
If you want to change a password from a Win client, you can change
either the /etc/passwd or /etc/shadow password (plaintext passwords
only) or the smbpasswd password (encrypted passwords only). Not
both, unless you count the 'update encrypted = yes' option which is
used to populate the
smbpasswd file before encryption is turned on.
Here are some Password-Sync lines contributed by Benoit Gerrienne in
Belgium - he tested them with Samba 2.0 under RedHat 5.1, presumably
with plaintext passwords:
unix passwd program = /usr/bin/passwd %u
passwd chat = *new*password* %n\n *new*password* %n\n
*successfully*
password sync = yes
He also says that 'debug level' should be at least 100 to get the debug
of the password chat, and that %u means %u and not %U
To change an encrypted password, use Neil Hoggarth's
suggestion
as a starting point:
(echo "oldpasswd"; echo "newpasswd"; echo "newpasswd") | smbpasswd -s
This can be a temporary measure (see
'migration path') or a permanent one. See the 'Win95', 'WinNT' and
(for a general discussion) the
'ENCRYPTION'
docs.
These instructions have their own web-page.
The share IPC$ is implicitly defined under the SMB protocol - it
contains the names and descriptions of all exported Directories and
Printers on a server. This share obeys the standard rules imposed by
the 'security = ' line
in [global], using the user-account needed by the other shares. This is
necessary
because IPC$ has to come up with (for example) the correct [home]
directory
for someone who says 'valid users = %S'.
I once tried defining [IPC$] explicitly in order to make it more 'guest
friendly'. This was not a success - nothing worked.
If your IPC$ passwords are being rejected by the client, even though
they are nominally correct, take a look at my Encryption
stuff
Samba 2.0.x levels starting 2.0.4 had a
document saying the same as this section; File-Cacheing.txt. 2.2.x
levels dropped it
again. Maybe this is partially outdated :-)
OPLOCKS are Opportunistic Locks and are turned on by default
in levels 1.9.18 and above. They allow clients to obtain
exclusive use of a file and cache any changes made locally. This
is a speed feature that NT implements and is the main reason why NT had
outperformed Samba
under previous levels.
They can be turned on or off (or even faked - I used this feature
for
read-only shares under 1.9.18) at the share level. Samba 2.0.5
introduced
'level2 oplocks' which can be set for shares that are normally
read-only
and speed things up a lot.
Oplocks do have two drawbacks - One is that the 'client caching'
only
applies within Samba, if you need to access files concurrently via
Samba
and any other mechanism, turn them off
for this
share unless kernel oplocks are available.
'Any other mechanism' means any non-Samba access at all on the Samba
server, directly or via NFS.
In practice, if you save a file on a Samba server and then pick it up
directly, it will probably work. At the worst, you will see the
previous
version.
Databases are a lot less fun and are the second drawback -
client-side caching is something-you-do-not-want? on a multi-user
database or any other file with a number of concurrent users. You
could also try 'veto oplock files = /*.xxx/*.yyy/' to prevent oplocks
for certain extensions on a share.
The oplock coding was rewritten for Samba 2.0.0 - the new kernel oplock interface implementation is now
compatible with other processes, as long as these are supported by the
operating system.
Operating systems that currently support the new implementation are:
- IRIX 6.5.2f and above
- Linux Kernel 2.4.x and above with Samba 2.2
End of list.
FreeBSD will incorporate such coding once it has been written, other
platforms may need a bit more prodding from their user base before
going the same
way. Jeremy Allison worked for SGI then, which is one reason why
their
IRIX is so Samba-friendly. Apparently it took a kernel engineer
there
around two weeks to implement this support in IRIX. Do not bother
disabling Kernel Oplocks in your config - if they do not work on your
platform
then './configure' will turn them off at compile time.
The message oplock_break: no break received from client within
30 seconds. can apparently have two possible causes:
- Some general networking problem (hardware?)
- The default value oplock break wait time = 10 may be too
low. Consider setting it to 100.
Using Samba , section 5.5 covers this whole
area in more detail.
This area of Samba (oplocks) only really stabilised at around level
2.0.5 (and again at 2.2.2!), if something does not work and you have an
older version,
consider upgrading.
Samba "as is" is sometimes too slow. This can be caused by its own
configuration being less than optimal, or it can be caused by its
partner's configuration. According to the document 'Speed.txt' (updated
for 2.2.0), Samba should operate
at around the same speed as ftp and should be faster than NFS.
Some of the following discussion applies only to 1.9.18 levels, a lot
of effort went into speeding 2.x.x levels up.
Ways of speeding the partner up
- Kill Protocols IPX/SPX and NetBEUI (everything apart from TCP/IP)
- Kill the NetWare Client Service
- If the client is Win98 and you are using a pre-1.9.18p10 Samba
version, add the line
#define NO_FSYNC 1
to local.h and recompile. Samba 1.9.18p10 and above have the 'strict
sync' parameter which defaults to 'no' and fixes this particular Win98
issue.
Ways of speeding Samba up
- OPLOCKS - See the section on this feature for
details.
Consider using 'veto oplock files' (same section above) for your
Database files if kernel oplocks are not
available on your platform.
- Socket options are not the same on all systems so Samba does not
set many by default. Ones you should consider are:
| TCP_NODELAY |
(still the most important one, should be on by default) |
| IPTOS_THROUGHPUT |
(is ignored under some early Linux 2.2 kernels) |
| SO_RCVBUF=4096 |
|
| SO_SNDBUF=4096 |
|
| however, IPTOS_LOWDELAY |
should apparently not be used |
If Samba does not like any of your options, you will see messages in
smb.log
- Older versions set 'strict locking = yes' as a default, this
slows
things down.
- Setting 'read prediction = yes' speeds things up when reading
read-only files, this only applies to 1.x.yy levels - the parameter is
obsolete under Samba version 2.x
- Long delays while logging on are wins/DNS/Password Validation
problems, set 'debug = 2' and look at the logs for the third case.
- Setting 'debug' to 3 or more slows things down a lot.
Full/Half Duplex
Ethernet Switches can handle Full-Duplex mode, Hubs can not.
Bearing that in mind, I came across a
wonderful article in a Newsgroup a couple of years ago which looks
very convincing and is
reproduced verbatim. It is now out of date with respect to
Ethernet
Switches (as opposed to Hubs).
If you feel that Samba is disastrously slow and none of the above
helps, you will have to do some experimenting. Try uploading and
downloading a
large file between the Samba server and the client using Samba and ftp.
The possibilities are:
- ftp is faster than Samba - the stuff above should have helped then
- both run at a similar speed (often this means: fast in one
direction, slow in the other)
This obviously takes us outside Samba and is usually a full/half-duplex
or 10/100-speed problem.
All NICs *and* the hub have to have the same speed and duplex settings.
Large Directories
There is another problem with all levels of Samba when it comes to
accessing large (several thousand files) directories on a client.
Under all
Windoze versions, file 'Funnyname.txt' is the same as 'FUNNYNAME.TXT';
Under
Unix they are not. This means that Samba has to 'mangle'
filenames
internally in order to create the illusion of compatibility.
There
are two problems with this:
- No mangling algorithm is perfect, sometimes names are considered
identical when they should not be.
- This takes T-I-M-E and processor power when a lot of files are
involved.
There are two possible workarounds here:
- The ReiserFS (Linux) is more efficient for large numbers of small
files
- Change the Samba settings to force all filenames to uppercase.
Most of this came from 'Speed.txt' and 'Speed2.txt'
, they have more. Other stuff in this section has been culled from the Newsgroups .
The section in Using Samba that covers this
is B.2.
A web-site has been created to
hold Linux optimisation tips, Samba is also handled.
These problems are normally outside Samba altogether, the usual
candidates are the general TCP/IP setup and (less often) Windoze.
The default name-resolution order ('name resolve order =' in [global])
is: lmhosts host wins bcast, this is documented in the
sample
config . If these steps are badly configured, the daemon is liable
to
hang up until something times out.
Taking 'hosts', the first line in hosts should be:
127.0.0.1 localhost localhost.localdomain
It is also vitally important to have your own host-name and
IP-address in this file. When I was using the then newest version of
RedHat (5.0 ?)
in early spring 1998, it would actually hang for 60 seconds while
booting
if the own-host line was not the second host in /etc/hosts but that
level
was the reason I originally switched to SuSE.
Test this with 'ping localhost' and a ping of your own Samba
server's
name.
External DNS / WINS servers reportedly also seem to need the
localhost line at the front.
If you are lucky, the Samba Server will simply appear in your 'Network
Neighborhood' and you can (passwords / encryption permitting) simply
browse it. If you are asked for IPC$'s password see
above then your problem is probably encryption. This section deals
with the case where a Samba server does not appear at all, 'Map Network
Drive' will probably not
work either. This is a large area so I am only describing my own
experiences here.
Using Samba, section 5.1 covers this whole
area in more detail.
Each subnet needs a local master browser and elections are held within
the subnet to determine which machine should fulfil this
function. Primary
or Backup Domain Controllers (PDCs or BDCs) expect to win such
elections which
are held via Broadcasts.
Three parameters influence this behaviour under Samba.
- local master
This defaults to yes which means that this machine will participate in
elections. Saying 'no' saves time if you do not want to be a Master
Browser
- os level
This is in the range 0 to 255 and defaults to zero (Samba 1.x) and 20
(Samba 2.x.x).
- WfWg and Win95 machines run at 1
- Win98 machines run at 2
- WinME? Maybe 3 (if someone tells me, I'll update this
line and the entry for Win2k)
- NT 3.51 Workstations run at 16 and Servers at 32
- NT 4 Workstations run at 17 and Servers at 33
- At a guess, Win2k workstations run at 18 and servers at 34
- no idea with XP or Vista.
10 used to be a reasonable value but as Samba develops, higher values
are starting to make sense. I do not know enough to make authoratitive
suggestions here. Since the default is now 20, I assume this is
for a good reason.
- preferred master
This defaults to no, if it is set to yes then a Samba Server will force
an election when it starts up.
Continuing from the previous section, the SMB protocol wants to see a
BDC - at least - on every subnet. Setting 'domain master =
yes'
means that the machine will attempt to be the domain master browser for
the subnet. The 'os level' and 'preferred master' parameters will also
influence
this behaviour.
The recommended method uses WINS, this needs a 'wins server'
(surprise), which can (and probably should) also be the 'domain
master browser' for the whole workgroup. This is not an office
you can be elected
to, you have to be appointed. The local master browsers have to
know
where the domain master browser is. If there is a PDC in the
network,
this must be the domain master browser.
If this parameter is set, a WINS server has to be around somewhere.
Set 'wins support = yes' on the WINS server and 'wins server =
name-or-address' on the other machines. Do not set both on one machine.
The 'remote browse sync = name-or-address name-or-addr . . .'
statement can also be used. This allows you to announce yourself to
browse masters
on other subnets, those browse masters must be running Samba.
You may well have read that Win2K will no longer support WINS.
This is apparently an option that can be set in networks where only
Win2K is running.
This area was updated for 2.2.0 with new functionality. Look at the
Samba-HOWTO-Collection.html doc for more on this.
If you get strange errors ('unknown error' is a give-away) while
printing, or it simply does not work and everything else is ok, check
the permissions on the directory pointed to by 'path = ' in [printers].
I set them to 1777 which is may be overdoing things but does at least
work. I have suggested this to a number of people with printing
difficulties and it was once a
very common problem, judging from the feedback.
The 1777 bit on the left is the 'sticky bit', it means that
users can only delete files belonging to themselves.
The user-account 'nobody' (the default guest-id) is not capable of
printing on a lot of systems. If nobody's uid or gid are negative
(or >
32767) on your system, you need another guest account.
I used to have a problem with a blank page being printed after every
print job, various fixes did not seem to work for me. Now I use CUPS,
this particular problem is dead.
The 'no resources' message that sometimes comes can be a timing
problem with NT - the WfWg client does not wait long enough (or NT
takes too long). Check the 'WinNT' doc on the Samba server for this
one.
Printing appears to have been broken for 1.9.18p10 for pre-Win95
clients - specifically WfW 3.11.
If you want to print to a SMB printer, try 'man smbspool'.
This
document came with 2.0.6 (I think).
There are two different problems affecting some Samba 2.0.x levels
below 2.0.5 under Linux:
- 'printing = bsd' should be the default, but it is sometimes not.
If you are using 'cups' (I do) then it is 'printing = cups' which
also needs 'printcap name = cups'.
- The 'print command' default is sometimes not what it should be
There is also a 'Printing'
doc with several other tips.
The setup I use is one where the Windoze clients print via Samba to
printers attached to the Samba server (physically or via TCP/IP).
If you want to go the other way and print to printers attached to your
Windoze clients, Section 7.2 in Using Samba
is your friend.
Unix text-file lines are terminated by 0A (LF)
MS text-file lines are terminated by 0D 0A (CR LF)
Samba does not do and will not do any conversion of these files at
all. There are a number of conversion utilities on both platforms,
these will
have to be used. Samba 2.0.4 introduced a new document saying this, it vanished again in
version
2.2.0.
I saw a Perl-script recently that purported to do the conversion, so if
you have access to Perl try:
# cat file.unix | perl -e 'while (<>) {$_ =~s/$/\015/;
print$_}' > file.dos
.
This discussion applies to Linux and does not really have a lot do with
Samba.
In 2.0.33 or so, the kernel added international support for
filenames
- a file can now be called /home/user_dir/Ätherische-Öle.wpd(be
warned - that name may look different for you) without upsetting
anyone unduly. This was apparently written for FAT/VFAT
structures on Diskettes and Dual-Boot machines, and for Joliet (CD-Rom)
filesystems. Samba
also benefited from this feature.
Using 'make menuconfig', go into 'Filesystems' and set 'Native
Language Support' along with the necessary Codepages and NLS entries.
I am in Germany and have added the Codepages 437 (US) and 850 as
modules, along with NLS ISO 8859-1. If you want to know what each
option means, you have to enter a '?' against it - this is extremely
boring when there are around 20 entries.
With the 2.2 and 2.4 kernels, 'Native Language Support' is now an extra
section. NLS ISO 8859-15 has been introduced in these versions -
it supports the Euro.
The default for the Samba global option 'client code page' is 850,
the appropriate 'character set' for this is ISO8859-1 which is not
the default. Experimenting with 'character set' can result in
duplicate filenames - the sacrifices we make for science . . .
Recent Samba and Linux versions should work fine here, Urban Widmark
has
taken over development of smbmount/smbfs in the Linux Kernel.
SAMBA normally creates files and directories with the 0744
permission-bits set, unless the DOS Read-Only attribute is set.
This behaviour can be overwritten in the respective [service]
sections with the following parameters:
| Parameter |
Synonym |
Effect |
Default |
| create mask = nnnn |
create mode |
is ANDed with the permission bits |
0744 |
| force create mode = nnnn |
-
|
is ORred with the permission bits |
0000 |
| directory mask = nnnn |
directory mode |
is ANDed with the permission bits |
0744 |
| force directory mode = nnnn |
-
|
is ORred with the permission bits |
0000 |
The following 4 parameters came with 2.0.5 and are for NT ACL
support, they default to their colleagues in the table above:
- security mask
- force security mode
- directory security mask
- force directory security mode
Samba 2.0.7 added 'inherit permissions', if this is set then new
files/directories inherit the permissions of their parent directory.
The 'delete readonly', 'alternate permissions', 'map archive', 'map
hidden' and 'map system' are related commands. If you really feel
the need
(I don't), look them up.
Using Samba, section 5.3 covers this whole
area in more detail.
Not all filesystems could safely be updated under Linux. In particular,
updating NTFS was long consided extremely dangerous until (I believe)
the ntfs-3g stuff came out in early 2007.
If (for instance) you want to make your ZIP-Drive user-writeable, this
normally only works if it is formatted as some Linux filesystem like
EXT2/3/4, Reiser, XFS etc. There is a way around this - the drive must
be mounted with some special options, look at the parameters umask=,
uid= and gid=. As an example:
mount -t vfat /dev/sda4 /zip -o defaults,gid=101,umask=007
or (in fstab)
/dev/sda4 /zip vfat defaults,gid=101,umask=007 0 0
mounts the drive under Linux as fat16/fat32 with long filenames, the
group-id is 101 and the permissions are (0)770. umask bits are 'denial
bits' - the bits that are set act to deny the corresponding
permissions. If umask=000 then everyone can do everything with
files on the drive - the permissions are then (0)777. This does not
really have a lot to do with Samba but it
is a typical problem that people who use both filesystems face.
While in this general area, I have 'DOS FAT fs support' and 'VFAT
(Windows-95) fs support' enabled in the kernel; 'MSDOS fs support' is
disabled. The reason for this is that while VFAT also supports MSDOS
partitions/diskettes/drives, updating vfat partitions/diskettes/drives
as MSDOS screws up non-8.3 filenames. (No idea about this in 2007, the standard
SuSE/Novell kernels work out of the box).
The Samba documentation makes clear in various places that the numeric
uid (or gid) should not be -1 - this opens a nasty security hole that
allows users to obtain 'root' privileges under certain circumstances
and also makes printing impossible.
Nothing is said about a value of -2, but the 2.0.x smbpasswd processor
gets quite nasty about any negative values. These include values
above 32767.
All this is relevant to guest accounts because Samba's default guest
account is 'nobody' and this userid is set up with a negative gid/uid
on a lot of systems.
My advice is: use another guest such as 'ftp' - a guest with virtually
no rights.
You can set the guest's shell to /bin/false for more security if you
wish. With 'null passwords' set, this is not a bad idea.
I am currently experimenting with
map to guest = Bad User
Which points unknown userids to the guest-userid. This parameter was
introduced with Samba 2.0.0 and replaced the old compile-option:
GUEST-SESSSETUP.
Look at the 'autoreply' doc on the server.
This is actually a very interesting document with a lot of other tips,
some of them duplicated and some of them outdated. The outdated
points I noticed are:
- The first point mentioned in the next subsection here
- The GUEST_SESSION_SETUP stuff in 'Using NT to Browse Samba Shares
(the 'map to guest' line is used with 2.x.x levels)
- Both the 'Domain Controller' and 'NetWkstaUserLogon' suggest
using
the 'networkstation user logon' line. It became obsolete with
1.9.18p8
(but was accidentally left as true in that level) and can be
disregarded
for all subsequent levels.
- Win NT cannot execute 16-bit executables (typically: setup.exe)
if
any part of the path is not 8.3 compliant. This problem also occurs
with
drives exported from Win9x machines, but was solved/fixed with Samba
release
2.0.3.
- The Samba bugs-faq does not know about the above fix, other
errors
in the bugs-faq are listed in the previous section.
- Some SuSE 6.1 users reported that Samba wanted to use the
localhost
net interface instead of the real one. I had a problem that could
have
been that and solved it by using the 'interfaces = ' line.
Samba 2.0.6 and above detect interfaces dynamically so this should no
longer be an issue.
- 'PANIC failed to set gid'
This bug appears to bite when a 2.0.xx kernel is used with glibc2.1.x,
it was fixed in Samba 2.0.7.
- 'File table overflow' (Linux 2.0.xx kernels)
increase the value in /proc/sys/kernel/file-max
- smbmount has a problem with directory information - look at the
end
of this section .
- The SMB Protocol considers the largest size of a share to be
4GB. All this means is that clients will report a maximum of 4GB
as being available on the server, in fact you can use all the space
physically available.
An unrelated problem is: The EXT2 filesystem used by Linux had a
maximum file size of 2GB, a problem that was finally fixed with the 2.4
series of kernels.
- Take another look at the Documentation
that comes with Samba
- Look at the logfiles. The general ones that show how Samba is
feeling are: log.nmbd and log.smbd. The directory containing them is
specified at compile-time, likely candidates are: /var/log and
/usr/local/samba/var
The other logfiles are found where you told Samba to put them. I use
the line: 'log file = /var/log/samba-log.%I' or 'log file = /dev/tty12'
and
always look there for problems relating to any particular client.
A good level for starters is 'debug level = 2', it is in my example config Only use higher levels if you really
need to, from 2.0.6 you can use 'debug uid', 'debug pid' and some other
'debug' options to add more information to the log files - rtfm.
- Maybe others have had the same problem, look at the Newsgroups.
- Samba is an implementation of Windoze networking - an amorphous
and
ill-defined area - on a large number of different levels of different
Unix
variations. It is tested under only some of these. When (for example)
Red
Hat 6.0 used a new Glibc, something broke. Do not be surprised if
some
of the more arcane new features do not work completely at first.
If
you are unsure, allow some time before installing a new level -
particularly
in a production environment.
- Section 9 of Using Samba.
Samba servers can join NT domains as members, they can also actually
act as Primary Domain Controllers. Afaik, this did not work for
Samba
levels below 2.2.0 withWin2k. A large advantage of the domain
concept
is that one you have authenticated yourself, you can access all shares
in
the domain.
Look at the DOMAIN_MEMBER.html document that comes with Samba.
One here problem is, once you configure your linux box to join a
domain, it starts advertising that it provides authentication services.
When the
NT PDC is rebooted, it first checks to see if any boxes on the windows
network are offering authentication services, and if one is, it assumes
that box
must already be the PDC and refuses to step into that role.
This problem is documented in the files gotchas.txt that comes with the
samba package.
As of level 2.2.0, there are two perfectly good docs called samba-PDC-HOWTO.html
(but not Samba-pdc-howto.html!!) and samba-pdc-faq.html dealing
with this. They come with Samba. Read them.
These have been written for SuSE Linux and bash. I keep mine in
/root/bin and have their permissions set to 0700. If you use
them, you do so for your own convenience and at your own risk.
I
have left the first one here because it is of general interest, the
other
one has been farmed out .
#! /bin/sh
#
# Kill and restart Samba
#
echo -n "Shutting down Samba: "
killproc -TERM /usr/sbin/nmbd
killproc -TERM /usr/sbin/smbd
echo
echo -n "Hit XMIT to delete logs and restart"
read
rm /var/log/samba-log.*
rm /var/log/log.?mb?
echo -n "Restarting Samba "
/usr/sbin/nmbd -D
/usr/sbin/smbd -D
echo " done"
As you will see, it also kills the log files left by the previous
version. You will probably have to change some names because your
Samba executables and log files are likely to be somewhere else.
The 2 lines:
echo -n "Hit XMIT to delete logs and restart"
and read
are there because I sometimes want to change something while Samba is
down.
For UNIXes/Linux distributions without killproc (Caldera seems to be
an example), take a look at killall. I am told that killall kills
*all* processes under Solaris (this seems rather insane), so take a
*very*good* look at it before you use it.
Another way of restarting Samba is to issue the two commands:
killall -HUP smbd
killall -HUP nmbd
Obviously, no logfiles are deleted here. Thank you Michael Maclean for
this one.
This Perl script runs after make
install or make installman and is needed for each new
release. It may well produce some error-messages when it is
trying to delete previous versions of the man-pages, especially if they
have already been deleted.
Some general security tips. This section is not to be considered
exhaustive.
- Use encrypted passwords
This helps prevent 'sniffing' of passwords and allows you to give Samba
access to a subset of your /etc/passwd users.
Even this is not perfect, there is apparently a hack to always get an
unencrypted password.
- protect your smbpasswd file. I have it as
/etc/private/smbpasswd, the directory's rights are 0500 and the file
itself is 0600 (owner root). MS Password encryption is pretty
primitive and easily cracked - especially for Win9x/ME - so the
smbpasswd file needs to be inaccessible.
- If you do not use encrypted passwords, consider using 'invalid
users' for accounts such as root or the daemons on shares you consider
critical
- A lot of Samba administrators like to synchronise their
/etc/passwd
passwords with their smbpasswd passwords. I disagree - most of my
users
have no shell access-rights to the server, their passwords are set to
'*'
in /etc/passwd (or /etc/shadow).
- 'nobody' is the default guest-account, consider changing
it. Reasons above.
- If your server has two (or more) NICs and Samba should only be
visible on one (or some) of them, use the lines
- interfaces = ip-addr-of-nic/mask-bits 127.0.0.1/8
- bind interfaces only = true
- If you use 'username map', protect the file. Ability to
update that file would be a major security hole. The same applies
(obviously) to smb.conf
- 'admin users' allows you to give users 'root' privileges.
Avoid this like the plague in a non-private network, and do not
complain if someone kills your machine when you use it.
- I protect SWAT with TCP Wrappers. Look above for this.
- smbmount should not have the suid-bit set.
Go back to the top