# Samba Notes

## Installing Samba

On CentOS, issue the following:

yum install samba samba-client

You can list every file the package installed with rpm -ql samba (rpm -qd samba lists just its documentation). The chief one is /etc/samba/smb.conf.

## Creating a Samba user

Create the Linux account first (the group sambausersgroup must already exist; create it with groupadd if it does not), then give it a separate Samba password:

useradd -g sambausersgroup sambauser
passwd sambauser

smbpasswd -a sambauser


The two passwords can (obviously) be different. You may get an error along the lines of:

account_policy_get: tdb_fetch_uint32 failed for field <integer>


From what I could learn, this is 'normal' for the first time smbpasswd is run and should not appear the next time.

## Setting up smb.conf

Make sure you have at least these lines under [Global] (adapt to your specific case):

workgroup = HOME
server string = IT Support - Samba Version %v
netbios name = HOME Support System

security = user
passdb backend = tdbsam


At the least, make sure that the encrypt passwords option is set to yes. Although I will restrict access with IPTables, smb.conf itself allows you to restrict access to resources on a share-by-share basis.

In this example, I will create two shares: one read-only and another read/write for the sambauser account created above. Every share needs its own [section] header and a path; testparm marks a share without a path unavailable. The paths and the second section name below are placeholders, so adapt them to your directories.

[The Read-Only Share]
comment = This is a test read-only share
; placeholder directory, set to the directory you are exporting
path = /srv/samba/readonly
browseable = yes
guest ok = no
writable = no
valid users = sambauser

; placeholder section name, use your own share name
[The Read-Write Share]
comment = sambauser can read and write to this share
; placeholder directory, set to the directory you are exporting
path = /srv/samba/readwrite
browseable = Yes
guest ok = No
writeable = Yes
write list = sambauser
valid users = sambauser


Important: Linux filesystem permissions take precedence over Samba permissions. For example, if the exported directory does not grant Linux write permission to the connecting user, setting writeable = Yes in smb.conf will still not allow writes to the share.
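The following script is an added example (not part of the original notes) that checks both points above: it lints the share sections of an smb.conf the way testparm's "No path in service" warning does, and then tests whether a share marked writeable sits on a directory that the Linux permissions actually let the current user write to. It needs only POSIX sh and awk; the config and directories built by demo() are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original notes: lint smb.conf share sections for
# a missing "path" (testparm would flag such a share unavailable) and for the
# case where "writeable = yes" is set but the Linux directory is not writable,
# since Linux permissions take precedence over Samba's.
# Print "share|path|writeable" for every section except [global].
share_table() {
  awk '
    function flush() { if (name != "" && tolower(name) != "global") print name "|" path "|" w }
    /^[[:space:]]*[;#]/ { next }                      # skip comment lines
    /^[[:space:]]*\[/   { flush(); name = $0          # start of a new [section]
                          sub(/^[[:space:]]*\[/, "", name); sub(/\].*$/, "", name)
                          path = ""; w = "no"; next }
    /=/ { k = $0; sub(/=.*/, "", k); gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
          v = $0; sub(/^[^=]*=/, "", v); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
          k = tolower(k)
          if (k == "path") path = v
          if (k == "writable" || k == "writeable") w = tolower(v) }   # both spellings are valid
    END { flush() }' "$1"
}
# One status line per share: OK, NO_PATH, MISSING_DIR, or FS_READONLY
# (writeable = yes but the directory is not writable by the user running this).
lint_shares() {
  share_table "$1" | while IFS='|' read -r name path w; do
    if   [ -z "$path" ];                     then echo "$name: NO_PATH"
    elif [ ! -d "$path" ];                   then echo "$name: MISSING_DIR $path"
    elif [ "$w" = yes ] && [ ! -w "$path" ]; then echo "$name: FS_READONLY $path"
    else                                          echo "$name: OK"
    fi
  done
}
# Constructed smb.conf: a good share, a writeable share on a 0555 directory,
# and a share that forgot its path. Returns the lint report, then cleans up.
demo() {
  d=$(mktemp -d); mkdir -p "$d/rw" "$d/ro" && chmod 0555 "$d/ro"
  cat > "$d/smb.conf" <<EOF
[global]
   workgroup = HOME
[Uploads]
   path = $d/rw
   writeable = Yes
[Archive]
   path = $d/ro
   writable = yes
[Broken]
   comment = forgot the path
EOF
  lint_shares "$d/smb.conf"; rm -rf "$d"
}
```

Run demo as an unprivileged user to see the FS_READONLY case; root bypasses directory mode bits, so for root that share reports OK.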

### Verify the correctness of smb.conf

Issue testparm and you should see something like:

[root@localhost ~]# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[IPC$]" WARNING: No path in service IPC$ - making it unavailable!
NOTE: Service IPC$ is flagged unavailable.
Processing section "[Tech Shed]"
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions


Hitting enter will dump your share definitions.

### Configure IPTables

The relevant ports are UDP (137, 138) and TCP (139, 445). Here's a sample:

iptables -A INPUT -p udp -m multiport --dport 137,138 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dport 139,445 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


## Starting and monitoring Samba

service smb start


If you’ve changed your smb.conf file and only want to reload new/modified shares:

service smb reload


This starts smbd (the Samba daemon) and nmbd (the NetBIOS name server). You can check that Samba is listening on the correct ports by issuing netstat -tulpn.

### Log files

Default log files are /var/log/samba/{smbd.log, nmbd.log}. These may help troubleshoot any issues with startup or share connectivity.

### Connecting to a share

Get a listing of the shares on a host using smbclient (installed by the samba-client package):

smbclient -L "//hostname.example.com" -U sambauser


Mount a share using mount as follows:

mount -t cifs -o user=sambauser "//hostname.example.com/My Uploads" /mnt/uploads


You can add this to your /etc/fstab too!

### Listing open files

Simply issue smbstatus to see current client connections and locked files. Here's some sample output:

Samba version 3.0.33-3.15.el5_4.1
PID     Username      Group         Machine
-------------------------------------------------------------------
26197   support       support       dhcpw80ff9676 (19.67.90.10)

Service      pid     machine       Connected at
-------------------------------------------------------
Tech Shed    26197   dhcpw80ff9676  Mon Apr 26 08:38:59 2010

Locked files:
Pid          Uid        DenyMode   Access      R/W        Oplock           SharePath   Name   Time
--------------------------------------------------------------------------------------------------
26197        501        DENY_NONE  0x100001    RDONLY     NONE             /media/techshed   .   Mon Apr 26 08:39:07 2010


## Common Issues

From what I’ve experienced and read, adding your hostname to /etc/hosts either speeds up or solves many issues with smbd.

A more egregious problem was with my IPTables config. Samba tries to access port 631 even though I set load printers to no in my config above. Since my IPTables config blocks any unnecessary outputs as well, this led to a point where issuing service smb restart would cause the system to stall at:

Starting SMB Services


I could start nmbd manually by issuing nmbd -D. When I opened up another terminal and checked the status of the SMB daemon, it was listed as running even though it was stalled at “Starting…” in the previous terminal!

I solved this after much psychological torture by adding these lines to smb.conf:

show add printer wizard = no
printing = none
printcap name = /dev/null
disable spoolss = yes


### Issues with PoPToP

The problem with trying to access an SMB share through a PPTP tunnel is elaborated here. This is what I added to smb.conf to make things work:

domain master = yes
domain logons = yes


## Integrating OpenDirectory with Samba

### On OpenDirectory Master (10.4 Server)

• Enable, start the Windows service

• Make it a PDC (Primary Domain Controller) instead of Standalone Server

• Then enter this in Settings > General:

Description   : OpenDirectory Master
Computer Name : directory
Domain        : HOME

• Under Settings > Access, uncheck LAN Manager (used for W95 support, insecure)

• In firewall, enable ports 137, 138, 139 and 445

### On Linux Box

Use authconfig-tui to configure LDAP. Make sure you check the "Use LDAP" and "Use LDAP Authentication" boxes, then type in the name of the server and the search base. This effectively makes changes to /etc/nsswitch.conf and /etc/pam.d/system-auth. You know the LDAP lookups are working when your server can pull directory information like this:

[root@tiner etc]# id nanand


I then added this to smb.conf ("testuser" is the group I'd like to restrict access to.)

[global]
workgroup = HOME
security = domain

[public]
comment = Test Share
path = /home/support
public = yes
writable = yes
valid users = @testuser
force group = @HOME\testuser


Then set valid permissions on the folder you've shared:

chown -R nobody:testuser /home/support


Then join the Samba box to the domain.

[root@tiner home]# net join -S directory -U diradmin