Linux Home Server HOWTO

Chapter 18 - Samba

Version: - samba 3.0.22

Setting Global Options
Creating User Accounts
Sharing Network Directories
Adding Network Printers
The Microsoft Client
The Samba Client

Samba is a suite of open source applications that support the Server Message Block (SMB) and Common Internet File System (CIFS) protocols used by Microsoft operating systems. This allows the Samba applications to interface into Microsoft networks to provide interoperability across normally different networking systems.

The biggest advantage of Samba is its ability to be configured as a Windows NT style domain controller/server allowing it to be used as a central server for many Microsoft based workstations. All of the printing resources, share permissions, and user account details can be maintained by the Linux Samba server. This provides a cost effective server system that can be deployed into many small, medium, or even large networking environments. Samba is also able to operate its own Windows Internet Naming Service (WINS) to provide full NetBIOS naming resolution.

Samba provides many configurable capabilities for many different deployment options, however being a home server guide, this chapter will provide only the requirements to establish a standalone server which is suitable for a small peer-to-peer network. The guide will provide the examples necessary to allow Samba to maintain all the files, share, and resource permissions for the connecting workstations.

The chapter will not cover advanced options for interfacing with any real Windows Domain or Active Directory Servers.

Setting Global Options

The configuration file for Samba is relatively easy to interpret as there are ample comments throughout the file for guidance. There are also some very well documented man pages available to further assist with your configuration requirements.

The main Samba configuration file should be backed up before any settings are changed, so we can at least restore a good file when problems occur.

[bash]# cp /etc/samba/smb.conf /etc/samba/smb.conf.original
[bash]# vi /etc/samba/smb.conf

The configuration file really only has one main section. The [global] section and its directives provide all the options and parameters required for the Samba daemon (smbd) and NetBIOS daemon (nmbd) to operate within the network. This (in a nutshell) is how your server will operate and be seen on the network.

Every other section of the smb.conf file, identified by square brackets ("[something]"), is the start of a share definition and contains all of the options and parameters that pertain only to the resource being shared. Any directive that is specified within a share overrides the same directive specified in the global section.

The following directives begin the global configuration section and, more importantly, identify the server on the network; they are the names used in your networking environment.

[global]
   workgroup = WORKGROUP
   netbios name = GALAXY
   server string = Samba Server

These directives are network oriented: they define which network interfaces the server operates on and which subnetworks are allowed to connect to it. They are important to specify so the server is protected from connection attempts that originate from the external network.

   interfaces = eth1 lo
   hosts allow = 192.168.1.
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

You should specify a log file for the server. Here the "%m.log" definition means that each workstation connecting to the server will have its own log file.

   log file = /var/log/samba/%m.log
   max log size = 50

Some Windows clients older than Windows 98 and Windows NT (SP3) do not support encrypted passwords; you may need to adjust this setting if you are using very old Microsoft clients.

Samba will store passwords in encrypted format by default.

   encrypt passwords = yes
   smb passwd file = /etc/samba/smbpasswd

The following options detail how your Samba server will behave on your network.

The "security" directive determines whether the server will function as a Windows Domain Controller or as a simple standalone server for a peer-to-peer system; the "user" option is the default mode.

The "wins support" option tells the server to run its own WINS server for name resolution; this is typical of many Microsoft networks. "dns proxy" is not required for a small network and can be disabled.

The remaining settings determine whether the server will advertise itself as a master browser on the network; if so, the server will participate in network browser elections and attempt to become the master browser.

   security = user
   local master = Yes
   os level = 33
   domain master = Yes
   preferred master = Yes
   wins support = Yes
   dns proxy = No

   passdb backend = smbpasswd
   passdb expand explicit = No

The mask directives determine the local file permissions for any new files or directories that are created in any of the shared resources. These global values can be overridden for each share, allowing for finer control of permissions.

   create mask = 0644
   directory mask = 0755

Note !! Using all of the above configurations, the Samba server will now be configured to run on the appropriate network and can be seen from your Windows based clients, however no network shares or user access has been granted yet.

Samba provides a small test application that reads the configuration file and checks it for errors; this ensures that the new configuration will be accepted by the server. Any errors should be fixed before restarting the server and loading the faulty configuration.

The following testparm output is from a configuration file that contains only the [global] section (as per all of the above settings), no other share sections have yet been defined.

[bash]# testparm
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Press enter to see a dump of your service definitions

The appropriate runlevels that the service will operate at can now be set and checked.

[bash]# chkconfig --level 345 smb on
[bash]# chkconfig --list smb

All of the global section options have now been specified for your configuration and the server can now be started. Be sure to check all the log files to ensure the server started cleanly and there are no errors.

[bash]# /etc/init.d/smb restart
[bash]# tail -n 50 /var/log/messages
[bash]# cat /var/log/samba/smbd.log
[bash]# cat /var/log/samba/nmbd.log

Note !! If any of the server's networking parameters have been adjusted, it may take a few minutes before the server can be seen from the Windows client after restarting the smb service.

Both of the smbd and nmbd daemons are started by the initscripts. Any command line options that need to be specified for the daemons can be listed in the "/etc/sysconfig/samba" file.

[bash]# vi /etc/sysconfig/samba

The following list of man pages can provide further information to assist with configuration or debugging requirements.

Man Pages:

Resolving Hostnames

If the Samba server was configured to provide WINS support ("wins support = Yes"), then the WINS server is able to provide name resolution for all of the hosts that are not listed in the /etc/hosts file or within the DNS.

[bash]# vi /etc/nsswitch.conf
hosts:      files dns wins

Making this adjustment in the Name Service Switch configuration file (/etc/nsswitch.conf) allows the Linux system to query the WINS server for local name resolution. This saves manual adjustments to host files.

Creating User Accounts

Before the Samba server can be accessed across the network, access must be granted to users and to any shared resources which are going to be provided by the server. Basically, for a user to be granted access to the server they need a valid UNIX account and a separate Samba password, which is stored in the "smb password file"; so in fact a user's password for their UNIX account may be different from their Samba password.

In the following example a UNIX account is being created for Alice. It details her full name (-c), her home directory (-d) and prevents her from logging into the Linux server by allocating her a false shell (-s). This account type will only allow Alice to access the server via the Samba network. This entry is located in the /etc/passwd file.

[bash]# useradd -c "Alice Jones" -d /home/alice -s /sbin/nologin alice

Alice now needs to be allocated a password for accessing the Samba server. Remember, this is a separate password to her UNIX account and may be different if necessary.

[bash]# smbpasswd -a alice
New SMB password:
Retype new SMB password:
Added user alice.

The above command adds (-a) an entry into the "smb password file" and encrypts the password. Type "smbpasswd alice" to simply change passwords.

Alice can now access the server over the network, however there are still no shares defined.

[bash]# grep alice /etc/samba/smbpasswd
alice:4732:01FC5A6BE7BC6929AAD3B435B51404EE:0CB6948805F797BF2A82807973B89537:[U          ]:LCT-41CFEFD8:

If Alice's account needs to be deleted, the following command can be used. Alternatively her account can be disabled (-d) or enabled (-e) as required.

[bash]# smbpasswd -x alice
Deleted user alice.
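Because every Samba user needs both a UNIX account and an entry in the smb password file, the two files drift apart easily: an account deleted from one but not the other, a Samba-only user who was given a real login shell instead of /sbin/nologin, or an entry whose flags field carries "N" (no password required). The following script is an added example, not part of this HOWTO or of Samba; it cross-checks a copy of the smbpasswd file (the "name:uid:LM:NT:[flags]:LCT-...:" format shown above) against the passwd file and prints one line per finding. The sample data it writes is constructed for the example, modelled on the alice entry above; awk and mktemp are assumed available.

```shell
# --- Constructed sample data (not from a real system) -------------------
# An smbpasswd file in the format shown above: name:uid:LM:NT:[flags]:LCT-...:
sample_smbpasswd() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
alice:4732:01FC5A6BE7BC6929AAD3B435B51404EE:0CB6948805F797BF2A82807973B89537:[U          ]:LCT-41CFEFD8:
bob:4733:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[UD         ]:LCT-41CFEFD8:
carol:4734:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-41CFEFD8:
dave:4735:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[UN         ]:LCT-41CFEFD8:
EOF
    echo "$f"
}

# The matching /etc/passwd entries (carol deliberately has none, and bob
# was given a real shell instead of /sbin/nologin).
sample_passwd() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
alice:x:4732:4732:Alice Jones:/home/alice:/sbin/nologin
bob:x:4733:4733:Bob Brown:/home/bob:/bin/bash
dave:x:4735:4735:Dave Davis:/home/dave:/sbin/nologin
EOF
    echo "$f"
}

# audit_smb_accounts <smbpasswd-file> <passwd-file>
# Prints one line per finding and returns the number of findings, so it
# can be run against copies of the real files, for example:
#   audit_smb_accounts /etc/samba/smbpasswd /etc/passwd
audit_smb_accounts() {
    awk -F: '
        # First file (passwd): remember each login shell.
        FNR == NR { shell[$1] = $7; next }
        # Second file (smbpasswd): skip comments and malformed lines.
        /^[ \t]*#/ || NF < 5 { next }
        {
            name = $1; flags = $5
            if (!(name in shell)) {
                print "NOUNIX: " name " has an SMB password but no UNIX account"; total++
            } else if (shell[name] !~ /(nologin|false)$/) {
                print "SHELL: " name " can also log in locally (" shell[name] ")"; total++
            }
            if (flags ~ /N/) { print "NOPASS: " name " requires no password"; total++ }
            if (flags ~ /D/) { print "INFO: " name " is disabled" }
        }
        END { exit total }
    ' "$2" "$1"
}

# Demo on the constructed data.
smb=$(sample_smbpasswd); pw=$(sample_passwd)
audit_smb_accounts "$smb" "$pw" || echo "$? finding(s)"
rm -f "$smb" "$pw"
```

On the constructed data the script reports bob (interactive shell), carol (no UNIX account) and dave (no password required) and returns 3; a disabled account is reported for information only, since disabling with "smbpasswd -d" is a legitimate state.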

Mapping Different Usernames

There may be a requirement where the samba username being used to access the server does not match the same UNIX account username, or you would like to force a change between the two different account types. This can easily be done by implementing the "username map" directive into the [global] section of the main configuration file.

[bash]# vi /etc/samba/smb.conf
   username map = /etc/samba/smbusers

The username map file is fairly simple: each line takes a UNIX account name on the left hand side and one or more Samba account names on the right hand side (separated by "="). The username map allows those NT accounts listed on the RHS to be granted the access rights and file permissions of the UNIX account on the LHS when they connect to a resource.

In the following example:
The last example uses quotes around the NT username because there is a space separating the user's first and last names. Failure to use quotes on an NT username containing a space means that Samba will treat the user's name as two separate UNIX accounts; this will cause the connections to fail.

[bash]# vi /etc/samba/smbusers
# Unix_name = SMB_name1 SMB_name2 ...
root = administrator admin
nobody = guest pcguest smbguest
alice.jones = alice
readonly = glen fred terry sarah
lachlan = "Lachlan Smith"

Note !! Further details on mapping usernames can be obtained in the configuration man page, type "man smb.conf".
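To see how the map above is read, and why the quoting matters, here is an added example that is not part of this HOWTO or of Samba: a small shell function that resolves an SMB username against a copy of the smbusers file the way the lines above describe (first matching line wins; a quoted right-hand name may contain spaces; the comparison is made case-insensitively, as Windows usernames are). The "!" and "*" forms that the real "username map" directive also accepts are deliberately not handled. The sample file it writes is a constructed copy of the one above; awk and mktemp are assumed available.

```shell
# Constructed copy of the smbusers file shown above.
sample_smbusers() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# Unix_name = SMB_name1 SMB_name2 ...
root = administrator admin
nobody = guest pcguest smbguest
alice.jones = alice
readonly = glen fred terry sarah
lachlan = "Lachlan Smith"
EOF
    echo "$f"
}

# map_smb_user <mapfile> <smb-name>
# Prints the UNIX account the SMB name maps to (first match wins) and
# returns 1 when the name is not mapped at all.
map_smb_user() {
    awk -v want="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            unix = substr($0, 1, eq - 1); gsub(/^[ \t]+|[ \t]+$/, "", unix)
            rhs = substr($0, eq + 1)
            # Pull one token at a time: either a "quoted name" or a bare word.
            while (match(rhs, /"[^"]*"|[^ \t"]+/)) {
                tok = substr(rhs, RSTART, RLENGTH)
                rhs = substr(rhs, RSTART + RLENGTH)
                gsub(/"/, "", tok)
                if (tolower(tok) == tolower(want)) { print unix; found = 1; exit }
            }
        }
        END { exit !found }
    ' "$1"
}

# Demo: note that "Lachlan" on its own does not match the quoted entry.
m=$(sample_smbusers)
for n in admin "Lachlan Smith" Lachlan fred bob; do
    if u=$(map_smb_user "$m" "$n"); then
        echo "$n -> $u"
    else
        echo "$n -> (no mapping; Samba would look for a UNIX account of that name)"
    fi
done
rm -f "$m"
```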

Sharing Network Directories

The main purpose of setting up a Samba server is to provide networked resources to your Microsoft workstations and clients, so let's set up some resources for them to connect to and use.

Shared resources are specified as sections within the /etc/samba/smb.conf file; each section is identified by square brackets around its name, in the same way as the global section.

[bash]# vi /etc/samba/smb.conf

The first share that can be configured is the home directories of all the connecting users. The [homes] section is a special configuration: Samba already knows how to handle all the users' different home directories, so it really only needs to be specified and Samba will do the rest.

[homes]
   comment = Home Directory
   read only = No
   browseable = No
   valid users = %S

The [Shared] section that we have created below allows access to all of the files and directories within the /samba/shared local directory. The resource can be written to by all guest and public users and the resource can be viewed (browseable) by workstations and clients on the network.

Any new directory created in the share will be given the directory permissions of 777, and any new file will have file permissions of 666. These mask settings allow any user to save files to the shared directory, and any other user can read, write or delete the files.

[Shared]
   comment = Global Share - All Users
   path = /samba/shared
   read only = No
   guest ok = Yes
   public = Yes
   browseable = Yes
   create mask = 0666
   directory mask = 0777

The [SmallGroup] example section is not allowed to have guest or public access, but the resource can be viewed by networked workstations and clients.

Any new directory created in the share will be given the directory permissions of 777, and any new file will have file permissions of 666. The only valid user accounts that can connect to this resource are peter, paul, and mary.

[SmallGroup]
   comment = Small Share - Few Users
   path = /samba/smallgroup
   read only = No
   guest ok = No
   browseable = Yes
   create mask = 0666
   directory mask = 0777
   valid users = peter, paul, mary

The [Financial] example resource can be viewed by all networked workstations and clients but is not publicly accessible. Any new directory created in the share will be given the directory permissions of 770, and any new file will have file permissions of 660.

The only valid users that are allowed to access this resource are the UNIX user accounts listed in the UNIX group file (/etc/group) under the group called "financial". This is specified by the "@financial" parameter.

Any file or directory that is created on the shared resource will have the (forced) group name of "financial" applied to it; this is similar to typing "chgrp financial *" at the Linux command prompt.

[Financial]
   comment = RESTRICTED - Financial Cell
   path = /samba/financial
   read only = No
   guest ok = No
   browseable = Yes
   create mask = 0660
   directory mask = 0770
   valid users = @financial
   force group = financial

Below is an example [FTP-Server] resource which is mapped to the root of the FTP Server (/var/ftp) running on the local Samba server. The share has been configured so it is publicly accessible to everyone on the network, but the filesystem is read only. All new files and directories will have the file permissions of 755.

The "write list" directive overrides the "read only" directive, which means in this example that the two users (john and fred) can fully manage all the files and resources like a normal share.

The "force group" and "force user" directives specify that any new files or directories will be processed as belonging to the UNIX ftp user account. This is similar to typing "chown ftp.ftp *" at the command prompt and also makes the files readily accessible by the FTP server.

[FTP-Server]
   comment = READ ONLY - Corp FTP Server
   path = /var/ftp
   read only = Yes
   guest ok = Yes
   browseable = Yes
   create mask = 0755
   directory mask = 0755
   write list = john, fred
   force group = ftp
   force user = ftp

The [WEB-Server] example share is mapped to the "document root" (/var/www/html) of the Apache web server running on the local Samba server. The "browseable = No" directive tells the Samba server not to tell any networked workstations and clients that the resource is available, this requires that a connecting client must already know the resource is shared as "WEB-Server". In effect the resource is available to the valid users but is hidden from view.

The filesystem has also been marked as read only, but it can be fully administered by the UNIX user account called fred. All files and directories written to the networked share will be forced to belong to the root user and group accounts.

This is a fairly powerful share as the effective user (fred) will have root privileges to the filesystem located under the /var/www/html directory. It also allows fred (the local webmaster) to add or update any web pages as required.

[WEB-Server]
   comment = HIDDEN - Corp Web Server
   path = /var/www/html
   read only = Yes
   guest ok = No
   browseable = No
   create mask = 0644
   directory mask = 0755
   write list = fred
   force group = root
   force user = root

Before any configuration changes are implemented, the configuration file should be tested to ensure it is free from any errors and that the new configuration will be accepted by the server. Any errors should be fixed before restarting the server and loading the faulty configuration.

[bash]# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[Shared]"
Processing section "[SmallGroup]"
Processing section "[Financial]"
Processing section "[FTP-Server]"
Processing section "[WEB-Server]"
Loaded services file OK.
Press enter to see a dump of your service definitions
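testparm only checks that the file parses; it says nothing about whether the settings are sensible. The script below is an added example, not part of this HOWTO or of Samba, that reads an smb.conf and prints a warning for the points raised in the global options and share sections above: no "hosts allow", no "interfaces", "encrypt passwords" turned off, a share that is both "guest ok" and writable, and a share that uses "force user = root" (the [WEB-Server] case the text calls fairly powerful). One caveat it also checks, which the chapter does not mention: "interfaces" on its own does not stop smbd from listening on every interface; "bind interfaces only = yes" is needed for that. The configuration it writes is constructed from the chapter's examples; awk and mktemp are assumed available.

```shell
# Constructed smb.conf built from the chapter's examples (not a real file).
sample_smb_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[global]
   workgroup = WORKGROUP
   netbios name = GALAXY
   interfaces = eth1 lo
   bind interfaces only = Yes
   hosts allow = 192.168.1.
   encrypt passwords = yes
   security = user

[homes]
   read only = No
   browseable = No
   valid users = %S

[Shared]
   path = /samba/shared
   read only = No
   guest ok = Yes
   public = Yes

[WEB-Server]
   path = /var/www/html
   read only = Yes
   write list = fred
   force group = root
   force user = root
EOF
    echo "$f"
}

# audit_smb_conf <smb.conf>
# Prints one WARN line per finding and returns the number of findings.
audit_smb_conf() {
    awk '
        function truthy(v) { return v ~ /^(yes|true|1)$/ }
        function falsy(v)  { return v ~ /^(no|false|0)$/ }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        # Section header: remember the original spelling for messages.
        /^[ \t]*\[.*\][ \t]*$/ {
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\][ \t]*$/, "", sec)
            lsec = tolower(sec); name[lsec] = sec; order[++n] = lsec
            next
        }
        {
            eq = index($0, "="); if (eq == 0) next
            k = tolower(substr($0, 1, eq - 1)); gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/[ \t]+/, " ", k)
            v = tolower(substr($0, eq + 1));    gsub(/^[ \t]+|[ \t]+$/, "", v)
            # Fold the synonyms Samba accepts onto one canonical key.
            if (k == "public") k = "guest ok"
            if (k == "writable" || k == "writeable") { k = "read only"; v = truthy(v) ? "no" : "yes" }
            cfg[lsec, k] = v
        }
        END {
            warn = 0
            if (!(("global", "hosts allow") in cfg)) {
                print "WARN: [global] has no hosts allow; any reachable host may connect"; warn++ }
            if (!(("global", "interfaces") in cfg)) {
                print "WARN: [global] has no interfaces; smbd listens on every interface"; warn++ }
            else if (!truthy(cfg["global", "bind interfaces only"])) {
                print "WARN: [global] sets interfaces without bind interfaces only = yes; smbd still listens everywhere"; warn++ }
            if (falsy(cfg["global", "encrypt passwords"])) {
                print "WARN: [global] allows plaintext password authentication"; warn++ }
            for (i = 1; i <= n; i++) {
                s = order[i]; if (s == "global") continue
                # Samba defaults to read only = yes when a share does not say otherwise.
                if (truthy(cfg[s, "guest ok"]) && falsy(cfg[s, "read only"])) {
                    print "WARN: [" name[s] "] is writable by anonymous guests"; warn++ }
                if (cfg[s, "force user"] == "root") {
                    print "WARN: [" name[s] "] runs every write as root"; warn++ }
            }
            exit warn
        }
    ' "$1"
}

# Demo on the constructed configuration.
conf=$(sample_smb_conf)
audit_smb_conf "$conf" || echo "$? finding(s) in $conf"
rm -f "$conf"
```

Run it as "audit_smb_conf /etc/samba/smb.conf" after testparm; on the constructed file it reports the guest-writable [Shared] share and the root-forced [WEB-Server] share, both of which the chapter chose deliberately, so the warnings are prompts to confirm the intent rather than errors.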

Still Getting "Access Denied" Errors

You may have successfully created all of your shares for the Samba server and they may all be publicly accessible to the client workstation, however you may still be getting "Access Denied" errors on your Windows workstation. This normally occurs when the underlying file and directory permissions on the Linux filesystem are not appropriate to what the user has been granted.

The [Shared] section which we declared earlier in our set up has been configured to allow full permissions for everyone to access the shared resource. For Samba to fully support the requirements here, the "/samba/shared" directory must be assigned the directory permissions of 777, the default directory permissions of 755 would not allow all world users to create new files, regardless of the two "mask" declarations.

Similarly, the [Financial] section is only available to valid users of the UNIX "financial" group and should therefore have the directory permissions of 770 assigned to the "/samba/financial" directory. The group allocation should also be changed with the "chgrp financial /samba/financial" command; this allows the valid users to access the resource with the financial group permissions.

The incorrect assignment of file and directory permissions is the main reason why "Access Denied" errors occur when accessing the system with a valid user account. You should always confirm what permissions a resource is to be allocated, and ensure the "[section]" and filesystem permissions are assigned correctly.
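The check described above is easy to script so it can be repeated after every change. The following is an added example, not part of this HOWTO or of Samba: a function that compares a share directory's actual mode (and, optionally, group) with what its section needs, plus a table for the chapter's own shares. It assumes GNU coreutils stat (the "-c" format flag) and runs its demo in a scratch directory created with mktemp, with one deliberate mistake of each kind.

```shell
# check_share_dir <path> <expected-octal-mode> [expected-group]
# Returns 0 when the directory matches, 1 on a mode or group mismatch and
# 2 when the directory does not exist. Assumes GNU coreutils stat.
check_share_dir() {
    dir=$1; want_mode=$2; want_group=${3:-}
    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir does not exist (create it before sharing it)"
        return 2
    fi
    mode=$(stat -c '%a' "$dir")
    group=$(stat -c '%G' "$dir")
    bad=0
    if [ "$mode" != "$want_mode" ]; then
        echo "MODE: $dir is $mode but the share needs $want_mode (chmod $want_mode $dir)"
        bad=1
    fi
    if [ -n "$want_group" ] && [ "$group" != "$want_group" ]; then
        echo "GROUP: $dir belongs to group $group but the share needs $want_group (chgrp $want_group $dir)"
        bad=1
    fi
    [ "$bad" -eq 0 ] && echo "OK: $dir ($mode, group $group)"
    return "$bad"
}

# The checks matching the chapter's shares; <root> is prepended so the
# same table can be exercised against a scratch tree.
check_chapter_shares() {
    root=${1:-}
    status=0
    check_share_dir "$root/samba/shared"     777           || status=1
    check_share_dir "$root/samba/smallgroup" 777           || status=1
    check_share_dir "$root/samba/financial"  770 financial || status=1
    return "$status"
}

# Demo against a constructed scratch tree: /samba/shared left at the
# default 755 and /samba/financial not created at all.
t=$(mktemp -d)
mkdir -p "$t/samba/shared" "$t/samba/smallgroup"
chmod 755 "$t/samba/shared"; chmod 777 "$t/samba/smallgroup"
check_chapter_shares "$t" || echo "one or more share directories need attention"
rm -rf "$t"
```

Run "check_chapter_shares" with no argument to test the real /samba tree; every non-zero line names the chmod or chgrp that would fix it.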

Adding Network Printers

In chapter 15 we configured CUPS to handle our network printing requirements, but just like any other shared resource, Samba can also be configured to provide access to any locally attached printers allowing another centrally managed printing system for the remote workstations. Configuring printing shares in Samba is quite easy, but it does assume that printers have already been configured through CUPS first.

Hint !! If you would prefer your network printers to only be accessible through Samba, then CUPS should be configured so that only the localhost has access to the printers. This way print jobs must be sent to the Samba server, which passes them on to the local CUPS server on behalf of the user.

We now need to add the printing sections into the main configuration file.

[bash]# vi /etc/samba/smb.conf

To enable Samba to process your printing requirements, the following directives must be added under the [global] section of the configuration file. These directives only load printing support into the server; they do not share any attached printers, which still need to be declared with their own configuration section and controls.

   load printers = yes
   printing = cups
   printcap name = cups
   cups options = raw

The following [printers] section is another "built-in" configuration that is natively supported by Samba. This section automatically loads all of the attached printers and makes them all individually available from the server, so if you had three CUPS printers then the following example would make all three available to the network users.

The "admin users" directive below is allowing any user listed in the UNIX "printadmins" group to fully administer all of the network printers. It is a good idea to configure a group of printing admins, as a print job that has been scheduled by one normal user account can not be managed or deleted by another normal user account; this can cause problems if a print job has stalled the printing queue and the owner is not available to delete the faulty print job.

The "use client driver" allows non root/admin users to view the contents of the print queue on the remote server. This fixes the "Access denied, unable to connect" error that many Windows clients suffer when connecting to Samba printers.

[printers]
   comment = Network Printers
   path = /var/spool/samba
   browseable = No
   public = Yes
   guest ok = Yes
   writable = No
   printable = Yes
   admin users = @printadmins
   use client driver = Yes

The following command can be used to create a UNIX "printadmins" group for administering the network printers. Users can be added into the printadmins group by using the usermod command, or by manually editing the /etc/group file.

[bash]# groupadd printadmins
[bash]# usermod -G printadmins alice
[bash]# usermod -G printadmins bob
[bash]# vi /etc/group

There may be a requirement for you to control different access restrictions to your printers, like allowing everyone access to the black and white laser printer, but restricting the colour bubblejet to only a few select users.

If different access controls are required for your printing environment, then you should remove the standard [printers] section and create a new section for each of your individual printers. This way options can be specified to suit each individual printer.

[laser]
   comment = Brother HL-1430 Laser Printer
   path = /var/spool/samba
   admin users = @printadmins
   read only = No
   guest ok = Yes
   printable = Yes
   printer name = laser
   use client driver = Yes

[bubblejet]
   comment = HP PhotoSmart 7200 Series
   path = /var/spool/samba
   admin users = @printadmins
   read only = No
   valid users = mary @printadmins
   printable = Yes
   printer name = bubblejet
   use client driver = Yes

All configuration changes should be tested with the testparm command before implementation.

[bash]# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[laser]"
Processing section "[bubblejet]"
Loaded services file OK.
Press enter to see a dump of your service definitions

The Microsoft Client

The server is now fully configured and operating on the network; all that remains is for the workstations and clients to connect. The Microsoft Windows clients all use a graphical network viewer for displaying the available resources on the network. This may be all that a user requires in a small office or home environment to connect and use the Samba shares; however, the following MS-DOS commands can be typed at the command prompt to automate any procedures.

The "net view" command provides a list of all the workstations that are grouped together in the same workgroup or domain.

C:\>net view
Server Name            Remark

\\GALAXY               Server

To see a listing of all the available resources on the Samba server, the following command can be used. The output is a listing of all the networked shares, the type of share it is, and a description that was defined in the share's "comment" parameter.

You should notice here that the WEB-Server share was configured with "browseable = No" which prevents it from being listed, however it can still be mapped by valid users (fred).

C:\>net view \\galaxy
Shared resources at \\galaxy

Share name  Type   Used as  Comment

alice       Disk            Home Directory
bubblejet   Print           Bubblejet - HP PhotoSmart-7260
Financial   Disk            RESTRICTED - Financial Cell
FTP-Server  Disk            READ ONLY - Corp FTP Server
laser       Print           Laser Printer - Brother HL-1430
Shared      Disk            Global Share - All Users
SmallGroup  Disk            Small Share - Few Users

Typing "net use" obtains a local listing of the resources that are currently mapped to the Samba server, and their drive letters which are accessible under Windows.

C:\>net use
New connections will be remembered.

Status       Local     Remote                    Network

OK           E:        \\galaxy\Financial        Microsoft Windows Network
OK           F:        \\galaxy\FTP-Server       Microsoft Windows Network
OK           G:        \\galaxy\SmallGroup       Microsoft Windows Network

To map a drive letter to a user's home directory we can specify the Windows %username% variable, which holds the name of the currently logged in user.

C:\>net use h: \\galaxy\%username%

The following two commands are simple drive mappings to shared directories.

C:\>net use i: \\galaxy\shared
C:\>net use w: \\galaxy\WEB-Server

Remote printers can also be mapped to local printer ports, below is a mapping for both of the shared printers.

C:\>net use lpt1 \\galaxy\laser
C:\>net use lpt2 \\galaxy\bubblejet

The "net use" command can be used again to see the status of our newly connected shares.

C:\>net use
OK           H:        \\galaxy\alice            Microsoft Windows Network
OK           I:        \\galaxy\Shared           Microsoft Windows Network
OK           W:        \\galaxy\WEB-Server       Microsoft Windows Network
OK           LPT1:     \\galaxy\laser            Microsoft Windows Network

The "net use" command can also be used to disconnect from a shared resource.

C:\>net use w: /delete

Automating the Connections

The Microsoft Windows clients are able to automate drive and printer mappings by using a login script. When connecting MS workstations in a large scale network, login scripts are normally used to configure the local workstations and user accounts to meet the needs and policies of the organisation.

The following is an example login batch script for Windows workstations.

C:\>edit login.bat
@echo off

echo Mapping Network Resources...

echo Mapping: Home Directory
net use h: \\galaxy\%username%

echo Mapping: Shared Directory
net use s: \\galaxy\shared

echo Mapping: Laser Printer
net use lpt1: \\galaxy\laser

echo Mapping: Bubblejet Printer
net use lpt2: \\galaxy\bubblejet

The Samba Client

The Samba suite of applications is not just for server use; it can also give a Linux workstation the ability to mount a shared Windows resource as part of its own filesystem. The smbclient application requires a valid username and password that has been configured on the Microsoft server/workstation it will be connecting to, unless the guest account has been enabled on the target system.

To obtain a complete list of all the workstations available on the local network, type the "findsmb" command at the prompt.

[bash]# findsmb
---------------------------------------------------------------------
GALAXY        *[MYGROUP] [Unix] [Samba 3.0.10-2]
WINBOX1        [WINBOX1] [Windows 5.1] [Windows 2000 LAN Manager]
WINBOX2        [WINBOX2] [Windows 5.1] [Windows 2000 LAN Manager]
WINBOX3        [WINBOX3] [Windows 5.1] [Windows 2000 LAN Manager]
WINBOX4        [WINBOX4] [Windows 5.1] [Windows 2000 LAN Manager]

The smbclient can be used to obtain a detailed list of shared resources from a specified host on the local network. In this example we are asking for a list of resources from the Samba server called "galaxy". Because the server is not configured with an active guest account, we need to pass a valid username (-U) in the process, in this case alice.

[bash]# smbclient -U alice -L galaxy
Domain=[GALAXY] OS=[Unix] Server=[Samba 3.0.10-2]

        Sharename       Type      Comment
        ---------       ----      -------
        Shared          Disk      Global Share - All Users
        SmallGroup      Disk      Small Share - Few Users
        Financial       Disk      RESTRICTED - Financial Cell
        FTP-Server      Disk      READ ONLY - Corp FTP Server
        IPC$            IPC       IPC Service (Samba Server)
        ADMIN$          IPC       IPC Service (Samba Server)
        bubblejet       Printer   HP PhotoSmart 7200 Series
        laser           Printer   Brother HL-1430 Laser Printer
        alice           Disk      Home Directory

Domain=[GALAXY] OS=[Unix] Server=[Samba 3.0.10-2]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        MYGROUP              GALAXY

The following example is similar to above, however we are obtaining a list from the Microsoft client called "winbox1" which is a Windows XP desktop. A valid username (-U) is also used in the remote request.

[bash]# smbclient -U alice -L winbox1
Domain=[WINBOX1] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]

        Sharename       Type      Comment
        ---------       ----      -------
        E$              Disk      Default share
        IPC$            IPC       Remote IPC
        D$              Disk      Default share
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        Shared          Disk      Full Share for ALL !!!

Domain=[WINBOX1] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

After you have browsed the network computers and found a valid resource to connect to, the smbmount command can be used to mount the remote share into the filesystem of your Linux workstation. This command assumes there is guest access available on the winbox1 Windows computer.

[bash]# smbmount //winbox1/Shared /media/winbox1/shared -o guest

The following two commands are equivalent: they both connect the remote "C" drive to the /media/winbox1/cdrive mount point, connecting as the remote "administrator" account and prompting for that account's password.

[bash]# smbmount //winbox1/C$ /media/winbox1/cdrive -o username=administrator
[bash]# mount -t smbfs //winbox1/C$ /media/winbox1/cdrive -o username=administrator

This command is the same as the two above commands, however the password is being declared on the command line. This command can be used to automate a connection using shell scripts, however it may also disclose the username and password combination to unauthorised users.

[bash]# smbmount //winbox1/C$ /media/winbox1/cdrive -o username=administrator,password="secret"

To disconnect a remote resource from its mount point, use the following "umount" command.

[bash]# umount /media/winbox1/cdrive

To view all the currently active connections, you can view the contents of the "/etc/mtab" file.

[bash]# cat /etc/mtab
//winbox1/C$ /media/winbox1/cdrive smbfs  0 0

To automate SMB connections during system startup, an entry similar to the example below can be placed into the "/etc/fstab" file. You should be aware that the /etc/fstab file is world readable.

[bash]# vi /etc/fstab
//winbox1/Shared    /media/winbox1/shared    smbfs    noauto,user,username=alice,password=secret 0 0

Warning !! The file permissions for the /etc/fstab file are world readable, therefore any local user on the Linux system can view the username and password combination inside the file.

For further details on automatically mounting remote SMB shares, type "man fstab" at the command prompt.
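The usual way round the world-readable /etc/fstab problem is to keep the username and password in a separate file that only root can read and point the mount at it with the "credentials=" option (assumed here to be accepted by smbmount as well as by mount.cifs; check "man smbmount" for your version). The following is an added example, not part of this HOWTO or of Samba: a helper that creates such a credentials file with mode 0600 before any secret is written to it, a check that its permissions are still right, a builder for the matching fstab line, and a scanner that reports any fstab entry still carrying "password=" in its options. The fstab it scans is a constructed sample modelled on the chapter's entry; mktemp, awk and GNU coreutils stat are assumed available.

```shell
# write_smb_credentials <file> <username> <password>
# Creates the file with mode 0600 before the secret is written, so there is
# no window in which another local user could read it.
write_smb_credentials() {
    file=$1
    rm -f "$file"
    ( umask 077 && : > "$file" ) || return 1
    {
        printf 'username=%s\n' "$2"
        printf 'password=%s\n' "$3"
    } > "$file"
    chmod 600 "$file"
}

# credentials_file_ok <file>: 0 when the file exists and is mode 600.
credentials_file_ok() {
    [ -f "$1" ] || return 1
    [ "$(stat -c '%a' "$1")" = "600" ]
}

# fstab_entry <share> <mountpoint> <credfile>
# The fstab line to use in place of username=...,password=...
fstab_entry() {
    printf '%s %s smbfs noauto,user,credentials=%s 0 0\n' "$1" "$2" "$3"
}

# fstab_plaintext_secrets <fstab-file>
# Prints every non-comment entry whose options field contains password=;
# returns 0 when at least one was found and 1 when the file is clean.
fstab_plaintext_secrets() {
    awk '$1 !~ /^#/ && NF >= 4 && $4 ~ /(^|,)password=/ { print "SECRET: " $0; found = 1 }
         END { exit !found }' "$1"
}

# Constructed fstab with one entry of each style (not a real file).
sample_fstab() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, modelled on the chapter's entry
//winbox1/Shared    /media/winbox1/shared    smbfs    noauto,user,username=alice,password=secret 0 0
//winbox1/C$        /media/winbox1/cdrive    smbfs    noauto,user,credentials=/etc/samba/creds.alice 0 0
EOF
    echo "$f"
}

# Demo: scan the sample, then show the replacement for the offending line.
f=$(sample_fstab)
fstab_plaintext_secrets "$f" || echo "no plaintext passwords in $f"
c=$(mktemp)
write_smb_credentials "$c" alice secret
credentials_file_ok "$c" && echo "credentials file $c is mode 600"
fstab_entry //winbox1/Shared /media/winbox1/shared "$c"
rm -f "$f" "$c"
```

The credentials file should live somewhere root-owned such as /etc/samba, and "credentials_file_ok" can be run from cron to catch a later chmod that quietly exposes it.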
