Samba Notes

Installing Samba

On CentOS, issue the following:

yum install samba samba-client

You can see the files installed using rpm -qd samba (that lists the package's documentation files; rpm -ql samba lists every file in the package). The chief one is /etc/samba/smb.conf.
Creating a Samba user

Much like adding users to NIS, you need to add a user the Linux way and then tell Samba about this user (the group named with -g must already exist):

useradd -g sambausersgroup sambauser
passwd sambauser

Then tell Samba about this user:

smbpasswd -a sambauser

The two passwords can (obviously) be different. You may get an error along the lines of:

account_policy_get: tdb_fetch_uint32 failed for field <integer>

From what I could learn, this is 'normal' for the first time smbpasswd is run and should not appear the next time.
Setting up smb.conf

Make sure you have at least these lines under [Global] (adapt to your specific case):

workgroup = HOME
server string = IT Support - Samba Version %v
netbios name = HOME Support System
security = user
passdb backend = tdbsam
encrypt passwords = yes
load printers = no

At the least, make sure that the encrypt passwords option is set to yes. Although I will restrict access with IPTables, smb.conf itself allows you to restrict access to resources on a share-by-share basis.
Adding a share

In this example, I will create two shares: one read-only and another read/write for the sambauser created before.

[The Read-Only Share]
comment = This is a test read-only share
path = /home/sambauser/testreadshare
browseable = yes
guest ok = no
writable = no
valid users = sambauser

[The Read/Write Share]
comment = sambauser can read and write to this share
path = /media/uploads
browseable = Yes
guest ok = No
writeable = Yes
write list = sambauser
valid users = sambauser

Important: Linux system permissions take precedence over Samba permissions. For example, if a directory does not grant Linux write permission to the user, setting writeable = Yes in Samba will not allow writing to the shared directory.
Verify the correctness of smb.conf

Issue testparm and you should see something like:

[root@localhost ~]# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[IPC$]"
WARNING: No path in service IPC$ - making it unavailable!
NOTE: Service IPC$ is flagged unavailable.
Processing section "[Tech Shed]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

Hitting enter will dump your share definitions.
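testparm only checks that smb.conf parses; it will happily load a share that is writable by every authenticated user or open to guests. The following is an added example, not part of these notes, of a small POSIX sh/awk audit that reads an smb.conf on stdin and reports the share settings discussed in the two sections above (guest ok or public, writable shares without valid users or write list, encrypt passwords not set to yes, and the obsolete security = share). The sample config it carries is constructed for the demonstration: the share named Dropbox is invented, the other share is the read-only one defined above.

```sh
#!/bin/sh
# Added example: audit share definitions in an smb.conf for access settings that
# testparm accepts as valid syntax but that a defender would still want flagged.
# Reads the config on stdin, prints one finding per line, returns 1 if any found.
audit_smb_conf() {
  findings=$(awk '
    function norm(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function yes(v)  { v = tolower(v); return (v == "yes" || v == "true" || v == "1") }
    function flush(   k, writable) {
      if (sec == "") return
      if (tolower(sec) == "global") {
        if (("encrypt passwords" in p) && !yes(p["encrypt passwords"]))
          print "[global]: encrypt passwords is not yes"
        if (tolower(p["security"]) == "share")
          print "[global]: security = share is obsolete and bypasses per-user authentication"
      } else if (tolower(sec) != "printers" && tolower(sec) != "print$") {
        # Samba accepts several spellings for writable; read only = no means the same.
        writable = yes(p["writable"]) || yes(p["writeable"]) || yes(p["write ok"]) || (("read only" in p) && !yes(p["read only"]))
        if (yes(p["guest ok"]) || yes(p["public"]))
          print "[" sec "]: guest access enabled"
        if (!("valid users" in p))
          print "[" sec "]: no valid users restriction (any authenticated user can connect)"
        if (writable && !("write list" in p) && !("valid users" in p))
          print "[" sec "]: writable with neither write list nor valid users"
        if (!("path" in p))
          print "[" sec "]: no path"
      }
      for (k in p) delete p[k]
    }
    /^[ \t]*[;#]/ || /^[ \t]*$/ { next }          # comments and blank lines
    /^[ \t]*\[/ { flush(); s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s); sec = s; next }
    index($0, "=") { i = index($0, "="); p[tolower(norm(substr($0, 1, i - 1)))] = norm(substr($0, i + 1)); next }
    END { flush() }
  ')
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

# Constructed sample config (not from a real host): one well-restricted share
# and one invented share that is open to guests and writable by anyone.
sample_smb_conf() {
  cat <<'EOF'
[global]
   workgroup = HOME
   security = user
   encrypt passwords = yes
   load printers = no

[The Read-Only Share]
   comment = This is a test read-only share
   path = /home/sambauser/testreadshare
   browseable = yes
   guest ok = no
   writable = no
   valid users = sambauser

[Dropbox]
   ; constructed: anyone can connect and write here
   path = /media/uploads
   browseable = Yes
   guest ok = Yes
   writeable = Yes
EOF
}

# Usage: sample_smb_conf | audit_smb_conf
#        audit_smb_conf < /etc/samba/smb.conf && service smb reload
```

Because the function exits non-zero when it finds anything, it can gate a reload in a deployment script. Samba treats parameter names and yes/no values case-insensitively and accepts writable, writeable, write ok and read only = no as the same setting, which is why the awk normalises them before comparing.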
Configure IPTables

The relevant ports are UDP (137, 138) and TCP (139, 445). Here's a sample:

iptables -A INPUT -p udp -m multiport --dport 137,138 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dport 139,445 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Starting and monitoring Samba

service smb start

This starts smbd (the Samba daemon) and nmbd (the NetBIOS nameserver). If you've changed your smb.conf file and only want to reload new/modified shares:

service smb reload

You can check if Samba is listening on the correct ports by issuing netstat -tulpn.
Log files

Default log files are /var/log/samba/{smbd.log, nmbd.log}. These may help troubleshoot any issues with startup or share connectivity.
Connecting to a share

Get a listing of the shares on a host using smbclient (installed as the package samba-client):

smbclient -L "//hostname.example.com" -U sambauser

Mount a share using mount as follows:

mount -t cifs -o user=sambauser "//hostname.example.com/My Uploads" /mnt/uploads

You can add this to your /etc/fstab too!
Listing open files

Simply issue smbstatus to see all mounted shares. Here's some sample output:

Samba version 3.0.33-3.15.el5_4.1
PID     Username      Group         Machine
-------------------------------------------------------------------
26197   support       support       dhcpw80ff9676 (19.67.90.10)

Service      pid     machine        Connected at
-------------------------------------------------------
Tech Shed    26197   dhcpw80ff9676  Mon Apr 26 08:38:59 2010

Locked files:
Pid    Uid   DenyMode   Access     R/W     Oplock   SharePath        Name   Time
--------------------------------------------------------------------------------------------------
26197  501   DENY_NONE  0x100001   RDONLY  NONE     /media/techshed  .      Mon Apr 26 08:39:07 2010
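smbstatus is also the quickest way to see who is connected from where and who holds write locks. Below is an added example (not from these notes) that parses smbstatus output in the Samba 3.0 layout shown above into tab-separated records, then flags sessions from outside a trusted address prefix and any lock that is not read-only. The sample output is constructed: it is the listing above plus an invented second session (pid 31002 from 203.0.113.5 holding a write lock on a file under /media/uploads). The trusted prefix 19.67.90. is simply the network of the listing above and is an assumption to adapt.

```sh
#!/bin/sh
# Added example: turn smbstatus output into tab-separated records, then flag
# sessions from outside a trusted address prefix and locks that are not read-only.
# Both functions read smbstatus output on stdin.
smbstatus_parse() {
  awk '
    BEGIN { OFS = "\t"; mode = "" }
    /^[ \t]*$/ || /^-+$/ { next }                 # blank and ruler lines
    /^Samba version/ { next }
    $1 == "PID" && $2 == "Username" { mode = "session"; next }
    $1 == "Service" && $2 == "pid"  { mode = "service"; next }
    /^Locked files:/                { mode = "lock"; next }
    $1 == "Pid" && $2 == "Uid"      { next }
    mode == "session" {
      ip = $5; gsub(/[()]/, "", ip)
      print "session", $1, $2, $3, $4, ip; next
    }
    mode == "service" {
      # the share name may contain spaces: the pid is the first purely numeric field
      for (i = 2; i <= NF && $i !~ /^[0-9]+$/; i++) ;
      name = $1; for (j = 2; j < i; j++) name = name " " $j
      when = ""; for (j = i + 2; j <= NF; j++) when = (when == "" ? $j : when " " $j)
      print "service", name, $i, $(i + 1), when; next
    }
    mode == "lock" {
      # the timestamp is always the last five fields; the file name is everything
      # between SharePath and that timestamp, so names with spaces survive
      name = $8; for (j = 9; j <= NF - 5; j++) name = name " " $j
      print "lock", $1, $2, $5, $7, name; next
    }
  '
}

# Usage: smbstatus | smbstatus_flag 19.67.90.
smbstatus_flag() {
  trusted="$1"   # address prefix of the network clients are expected to come from
  smbstatus_parse | awk -F '\t' -v trusted="$trusted" '
    $1 == "session" {
      user[$2] = $3
      if (substr($6, 1, length(trusted)) != trusted)
        print "ALERT session pid=" $2 " user=" $3 " from " $6 " (outside " trusted ")"
    }
    $1 == "lock" && $4 != "RDONLY" {
      print "ALERT write lock pid=" $2 " user=" user[$2] " on " $5 "/" $6
    }
  '
}

# Constructed sample: the listing from the notes plus an invented second session.
sample_smbstatus() {
  cat <<'EOF'
Samba version 3.0.33-3.15.el5_4.1
PID     Username      Group         Machine
-------------------------------------------------------------------
26197     support       support       dhcpw80ff9676 (19.67.90.10)
31002     support       support       laptop-x (203.0.113.5)

Service      pid     machine       Connected at
-------------------------------------------------------
Tech Shed    26197   dhcpw80ff9676  Mon Apr 26 08:38:59 2010
Uploads      31002   laptop-x       Mon Apr 26 09:01:40 2010

Locked files:
Pid    Uid   DenyMode   Access      R/W        Oplock           SharePath   Name   Time
--------------------------------------------------------------------------------------------------
26197  501   DENY_NONE  0x100001    RDONLY     NONE             /media/techshed   .   Mon Apr 26 08:39:07 2010
31002  502   DENY_NONE  0x12019f    RDWR       EXCLUSIVE+BATCH  /media/uploads    budget 2010.xls   Mon Apr 26 09:02:11 2010
EOF
}
```

The parser keys sessions by pid so that the lock report can name the user holding each write lock; running smbstatus_flag from cron and mailing any ALERT lines gives a cheap tripwire for connections from networks that the IPTables rules were not expected to admit.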
Common Issues

From what I've experienced and read, adding your hostname to /etc/hosts either speeds up or solves many issues with smbd.

A more egregious problem was with my IPTables config. Samba tries to access port 631 even though I set load printers to no in my config above. Since my IPTables config blocks any unnecessary outputs as well, this led to a point where issuing service smb restart would cause the system to stall at:

Starting SMB Services

I could start nmbd manually by issuing nmbd -D. When I opened up another terminal and checked the status of the SMB daemon, it was listed as running even though it was stalled at "Starting..." in the previous terminal!

I solved this after much psychological torture by adding these lines to smb.conf:

show add printer wizard = no
printing = none
printcap name = /dev/null
disable spoolss = yes
Issues with PoPToP

The problem with trying to access an SMB share through a PPTP tunnel is elaborated here. This is what I added to smb.conf to make things work:

domain master = yes
domain logons = yes
Integrating OpenDirectory with Samba

On OpenDirectory Master (10.4 Server)

- Enable and start the Windows service
- Make it a PDC (Primary Domain Controller) instead of Standalone Server
- Then enter this in Settings > General:
  Description: OpenDirectory Master
  Computer Name: directory
  Domain: HOME
- Under Settings > Access, uncheck LAN Manager (used for W95 support, insecure)
- In the firewall, enable ports 137, 138, 139 and 445
On Linux Box

Use authconfig-tui to configure with LDAP. Make sure you check the "Use LDAP" and "Use LDAP Authentication" boxes. Type in the name of the server and the search base. This effectively makes changes to /etc/nsswitch.conf and /etc/pam.d/system-auth. You know the LDAP lookups are working when your server can pull directory information like this:

[root@tiner etc]# id nanand
uid=40010(nanand) gid=20(games) groups=20(games),80(admin),1026(sheffield)

I then added this to smb.conf ("testuser" is the group I'd like to restrict access to):

workgroup = HOME
security = domain
encrypt passwords = yes
password server = directory

[public]
comment = Test Share
path = /home/support
public = yes
writable = yes
valid users = @testuser
force group = @HOME\testuser

Then set valid permissions on the folder you've shared:

chown -R nobody:testuser /home/support

Then join the Samba box to the domain:

[root@tiner home]# net join -S directory -U diradmin
Password:
Joined domain HOME.
[root@tiner home]# service smb restart

Test and enjoy.