Samba file server

From Ever changing code
Revision as of 09:07, 12 November 2020 by Pio2pio (talk | contribs) (→‎Samba server)

Install

Samba server

apt-cache policy samba | grep -A1 Installed # check version it will install
sudo apt-get install samba -y
sudo apt-get install libpam-smbpass  #required for Unix password sync but it's difficult to set it up
Main services
sudo service smbd restart
sudo service nmbd restart
Configuration
sudo vi /etc/samba/smb.conf
Reload
sudo smbcontrol all reload-config

Samba client

This allows you to connect to, browse and mount Samba shares.

sudo apt-get install smbclient

Usage

smb://192.168.1.65                                     #UNC path, for Nautilus or other file manager

# List shares and files
$ smbclient -L //windowsserver/tmp -Ujohndoe%secret   #list remote shares
$ smbclient -L //windowsserver/share1 -U guest%       #for open shares, notice // is required because it's Linux SMB
$ smbclient -L \\windowsserver.local -U${domainName}/${user}  #when a share requires providing domain
$ smbclient -L //windowsserver.local/share1 -U${user}
WARNING: The "syslog" option is deprecated
Enter user's password: ****  (AD password)
 
Domain=[TPPLC] OS=[Unix] Server=[Samba 3.4.3 based HP CIFS Server A.03.01.05]
 
    Sharename       Type      Comment
    ---------       ----      -------
    IPC$            IPC       IPC Service (HP OFF-B Server)
    RMS             Disk     
    CreditStorm     Disk
smbclient -L localhost -U%                             #list samba server its own shares
sudo smbstatus -S
smbtree                                                #network browser, an equivalent of "Network Neighborhood" in Windows
Connect to a Windows share; this gives you an interactive, FTP-style session. Type help for more commands.
$ smbclient //windowsserver/Piotr -UPiotr%password
Enter Piotr's password:
Domain=[WINDOWSSERVER] OS=[Windows 8.1 9600] Server=[Windows 8.1 6.3]
smb: \> ls                  #list directory
smb: \> get filename.txt    #save a file from remote server -> a local system
File transfer upload/download
# Download a file
smbclient '//windowsserver/c$' -U administrator%password -c 'lcd /tmp; cd Directory; get file.txt'
# Download a file from a share's subdirectory 'test'
smbclient //server1.local/Share1/ -Udomain/user --directory test -c 'get filename.gz'
# -c : run the given command list non-interactively, then exit

# Upload a file
time smbclient //server1.local/Share1/ -Udomain/user --directory test -c 'put "1G.bin"' #don't use './' notation
Mount Windows share
sudo mount -t cifs //ntserver/share -o user=piotr,password=myPassword /mnt/ntserver_share
                                      #user= can be replaced with username= or credentials=<file>
# -t smbfs : filesystem type; obsolete (RHEL <= 4 or Debian <= 3), use cifs instead
# -t cifs : filesystem type to mount
# -o : options passed to the mount command
# //ntserver/share - the Windows 2000/NT share name
# /mnt/ntserver_share - the Linux mount point

# Other notation
sudo mount -t cifs //ntserver/share -o username=user@domain,password=**** /mnt/<mountpoint>
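Both forms above put the password on the command line, where it is visible in ps output and in shell history. mount.cifs also accepts credentials=<file>, a file with username=, password= and optionally domain= lines that only root and the owner need to read. The script below is an added example, not part of the original page or of Samba: it writes such a file with owner-only permissions, builds the mount options, and prints the mount command (mounting itself needs root, so it is not executed). The piotr account, server, share and mount point are assumed values.

```shell
# Added example: credentials-file based CIFS mount helpers (assumed names/paths).

# usage: make_cifs_credentials <path> <username> <password> [domain]
# Creates the credentials file readable only by its owner.
make_cifs_credentials() {
    path=$1; user=$2; pass=$3; domain=${4:-}
    # umask 077 in a subshell guarantees the file is created 0600
    # before any secret is written into it
    (
        umask 077
        : > "$path"
    )
    {
        printf 'username=%s\n' "$user"
        printf 'password=%s\n' "$pass"
        if [ -n "$domain" ]; then
            printf 'domain=%s\n' "$domain"
        fi
    } >> "$path"
    # enforce the mode even if the file already existed with wider permissions
    chmod 600 "$path"
}

# usage: cifs_mount_opts <credfile> <uid> <gid>
# uid/gid pin ownership of the mounted files to the invoking user;
# nosuid/noexec/nodev keep anything stored on the share from being
# executed or gaining privileges on the local machine.
cifs_mount_opts() {
    printf 'credentials=%s,uid=%s,gid=%s,nosuid,noexec,nodev' "$1" "$2" "$3"
}

# usage: cifs_mount_cmd <//server/share> <mountpoint> <credfile> <uid> <gid>
# Prints the mount command instead of running it (mounting requires root).
cifs_mount_cmd() {
    printf 'sudo mount -t cifs %s %s -o %s\n' \
        "$1" "$2" "$(cifs_mount_opts "$3" "$4" "$5")"
}

# Demo with assumed values; uncomment to use on a real system:
# make_cifs_credentials "$HOME/.smbcredentials" piotr 'myPassword' WORKGROUP
# cifs_mount_cmd //ntserver/share /mnt/ntserver_share "$HOME/.smbcredentials" "$(id -u)" "$(id -g)"
```

The same credentials file can be referenced from /etc/fstab with the credentials= option, so the password never appears in the mount table or in ps.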

Manage CIFS from linux terminal

The Samba net utility is meant to work just like the net utility available for Windows and DOS. The first argument specifies the protocol to use when executing a command: ADS is used for Active Directory, RAP is used for old (Win9x/NT3) clients, and RPC can be used for NT4 and Windows 2000. If this argument is omitted, net tries to determine it automatically. Not all commands are available on all protocols.

net {<ads|rap|rpc>} [-h] [-w workgroup] [-W myworkgroup] [-U user] [-I ip-address] [-p port] [-n myname] [-s conffile] [-S server] [-l] [-P] [-d debuglevel] [-V] [--request-timeout seconds]

Create a share

net usershare add share_name /home/user/somefolder "Share description" everyone:F guest_ok=y

To make these shares permanent create a file for each share under /var/lib/samba/usershares/ using:

net usershare info --long share_name > /var/lib/samba/usershares/share_name

A further advantage is that on a desktop such as KDE/GNOME/MATE/Unity the directories will show up as shared in the file manager (Dolphin, Nautilus etc.). That is because net usershare and /var/lib/samba/usershares/ are the same mechanism that Dolphin and Nautilus use when you share directories in the GUI.

Check setting of newly created share

net usershare info --long

Although creating a share gives access to subfolders by default, sometimes permissions for CIFS shares need fixing. Check and compare permissions, then issue:

sudo chmod -R a+rwX /path/to/someDirectory

or a lighter version if others (guests) do not need write access (u = owner, g = group; others get nothing extra)

sudo chmod -R ug+rwX /path/to/someDirectory

Homes share

If you want password-less access to the home share, your AD password must be the same as the one in the password database that the Samba server maintains locally.

Edit the main config file

sudo vi  /etc/samba/smb.conf

Find and uncomment 'homes' section

[homes]
  comment = Home Directories
  browseable = yes
  read only = no
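The usershare created earlier is everyone:F with guest_ok=y, and the [homes] section above sets read only = no. Before exposing a server it is worth listing which shares are guest-accessible or writable and which have no hosts allow restriction. The script below is an added example, not part of the original page or of Samba, and the smb.conf it audits is a constructed sample. It reads per-share settings only (defaults placed in [global] are not applied) and understands the guest ok/public and read only/writable/writeable synonyms.

```shell
# Added example: audit an smb.conf for guest-accessible, writable and
# unrestricted shares.  The sample config written by sample_smb_conf is constructed.

# usage: audit_smb_conf <smb.conf>
# prints one line per share: "<share> guest=<y|n> writable=<y|n> hosts_allow=<value|none>"
audit_smb_conf() {
    awk '
    function yes(v) { v = tolower(v); return (v == "yes" || v == "true" || v == "1") }
    function flush() {
        if (sec != "" && sec != "global")
            printf "%s guest=%s writable=%s hosts_allow=%s\n", sec, guest, writable, (hosts == "" ? "none" : hosts)
    }
    /^[ \t]*[;#]/ { next }                       # comment lines
    /^[ \t]*\[/ {                                # new [section]
        flush()
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
        # Samba defaults: no guest access, read only = yes, no host restriction
        guest = "n"; writable = "n"; hosts = ""
        next
    }
    /=/ {
        key = $0; sub(/=.*$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key); key = tolower(key)
        val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "guest ok" || key == "public")              guest = yes(val) ? "y" : "n"
        else if (key == "read only")                           writable = yes(val) ? "n" : "y"
        else if (key == "writable" || key == "writeable")      writable = yes(val) ? "y" : "n"
        else if (key == "hosts allow" || key == "allow hosts") hosts = val
    }
    END { flush() }
    ' "$1"
}

# usage: risky_shares <smb.conf>
# shares that are both guest-accessible and writable: the ones to look at first
risky_shares() {
    audit_smb_conf "$1" | awk '/guest=y writable=y/ { print $1 }'
}

# usage: sample_smb_conf <path>  (constructed sample configuration)
sample_smb_conf() {
    cat > "$1" <<'EOF'
[global]
   workgroup = WORKGROUP
   security = user

[homes]
   comment = Home Directories
   browseable = yes
   read only = no

[public]
   path = /srv/samba/public
   guest ok = yes
   writable = yes
   hosts allow = 192.168.1.

; a read-only share with no host restriction
[docs]
   path = /srv/samba/docs
   read only = yes
EOF
}

# Demo: sample_smb_conf /tmp/smb.conf.sample && audit_smb_conf /tmp/smb.conf.sample
```

Run audit_smb_conf /etc/samba/smb.conf on a real server; shares reported as guest=y writable=y with hosts_allow=none deserve a second look at their path and chmod settings.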

Although the unix password sync = yes boolean parameter is set, I had to add a user/password to the SAM database. This is a known problem, therefore the easiest is to maintain separate passwords, although they can be the same.

Manage the SAM database (Database of Samba Users)

Because /etc/passwd does not store enough information about accounts for use with Windows shares, Samba maintains its own user/password database. Which database is used depends on the authentication setup in /etc/samba/smb.conf.

$ sudo smbpasswd -a piotr  #add user piotr and give a password
$ sudo pdbedit -L -v       #list all Samba users (-v verbose, -w "smbpasswd" listing format)
piotr:1000:Piotr

Find the SAM databases; use the tdbdump tool to dump their records, e.g. tdbdump /var/lib/samba/private/passdb.tdb

$ locate .tdb
/var/cache/samba/gencache.tdb
/var/cache/samba/printing/printers.tdb
/var/lib/samba/account_policy.tdb
/var/lib/samba/group_mapping.tdb
/var/lib/samba/registry.tdb
/var/lib/samba/share_info.tdb
/var/lib/samba/private/passdb.tdb
/var/lib/samba/private/secrets.tdb

Troubleshooting

Testparm

Once you know there's a daemon, you should always run testparm, in hopes of getting something such as the following:

$ sudo testparm 
Load smb config files from /opt/samba/lib/smb.conf
Processing section "[homes]" 
Processing section "[printers]" ... 
Processing section "[tmp]" 
Loaded services file OK. ...

testparm /usr/local/samba/lib/smb.conf client 192.168.1.10

This runs one more test that checks the hostname and address against the hosts allow and hosts deny options, and may produce Allow connection from hostname to service and/or Deny connection from hostname to service messages for the client system. These messages indicate that you have hosts allow and/or hosts deny options in your smb.conf; a Deny message means they prohibit access from the client system.

Add member to Samba server

It is recommended that your user be a member of the sambashare group. Then, to enable file sharing with user login (a very reliable method), add the current user to Samba on the machine you share files from:

sudo smbpasswd -a username

nmblookup

nmblookup -B BIGSERVER __SAMBA__   #you should get back the IP address of your Samba server.

If you do not, then nmbd is incorrectly installed. Check your inetd.conf if you run it from there, or that the daemon is running and listening to UDP port 137. One common problem is that many inetd implementations can't take many parameters on the command line. If this is the case, then create a one-line script that contains the right parameters and run that from inetd.

nmblookup -B ACLIENT `*'   #you should get the PC's IP address back

If you do not, then the client software on the PC isn't installed correctly, or isn't started, or you got the name of the PC wrong. If ACLIENT does not resolve via DNS, then use the IP address of the client in the above test.

nmblookup -d 2 `*'   #the same as the previous test, but this time via a broadcast to the default broadcast address

A number of NetBIOS/TCP/IP hosts on the network should respond, although Samba may not catch all of the responses in the short time it listens. You should see the got a positive name query response messages from several hosts. If this does not give a result similar to the previous test, then nmblookup isn't correctly getting your broadcast address through its automatic mechanism. In this case you should experiment with the interfaces option in smb.conf to manually configure your IP address, broadcast, and netmask.

If your PC and server aren't on the same subnet, then you will need to use the -B option to set the broadcast address to that of the PC's subnet.

This test will probably fail if your subnet mask and broadcast address are not correct. (Refer to test 3 notes above).

smbclient //BIGSERVER/TMP  #you should then be prompted for a password

You should use the password of the account with which you are logged into the UNIX box. If you want to test with another account, then add the -U accountname option to the end of the command line for example, smbclient //bigserver/tmp -Ujohndoe.

Note

It is possible to specify the password along with the username as follows: smbclient //bigserver/tmp -Ujohndoe%secret

Once you enter the password, you should get the smb> prompt. If you do not, then look at the error message. If it says “invalid network name,” then the service tmp is not correctly set up in your smb.conf.

trace connection

Using strace you can debug a Samba connection.

user@server $ strace -e connect smbclient //sambaserver.local/Overnight -U <domain>\\<user>
WARNING: The "syslog" option is deprecated
Enter <domain>\<user>'s password: 
connect(5, {sa_family=AF_LOCAL, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
connect(5, {sa_family=AF_LOCAL, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
connect(5, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("10.34.99.10")}, 16) = 0
connect(5, {sa_family=AF_INET, sin_port=htons(445), sin_addr=inet_addr("172.31.101.183")}, 16) = -1 EINPROGRESS (Operation now in progress)
connect(6, {sa_family=AF_INET, sin_port=htons(139), sin_addr=inet_addr("172.31.101.183")}, 16) = -1 EINPROGRESS (Operation now in progress)
connect(5, {sa_family=AF_INET, sin_port=htons(445), sin_addr=inet_addr("172.31.101.183")}, 16) = -1 EALREADY (Operation already in progress)
connect(6, {sa_family=AF_INET, sin_port=htons(139), sin_addr=inet_addr("172.31.101.183")}, 16) = -1 EALREADY (Operation already in progress)
Domain=[<domain>] OS=[Windows Server 2008 R2 Standard 7601 Service Pack 1] Server=[Windows Server 2008 R2 Standard 6.1]
smb: \> +++ exited with 0 +++
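To make a trace like this easier to read, the script below (an added example, not from the original page) extracts every connect() line, reports the endpoint and whether the call succeeded, failed or is still in progress, and lists the SMB endpoints that were contacted. EINPROGRESS/EALREADY come from smbclient opening non-blocking connections to 445 (SMB over TCP) and 139 (NetBIOS session) in parallel, so they are not errors; the ENOENT on the nscd socket only means the name service cache daemon is not running, after which the lookup goes to DNS on port 53. The sample trace is constructed from the lines shown above.

```shell
# Added example: summarise connect() calls from "strace -e connect smbclient ...".
# Sample trace below is constructed from the output shown on the page.

# usage: summarize_connects < strace-output
# prints "<family> <endpoint> <ok|fail|pending>" for each connect() line
summarize_connects() {
    # pull out address family, the address struct body, and the result
    sed -n 's/^connect([0-9]*, {sa_family=\([A-Z_]*\), \(.*\)}, [0-9]*) = \(.*\)$/\1|\2|\3/p' |
    awk -F'|' '
    {
        fam = $1; detail = $2; res = $3
        if (fam == "AF_INET") {
            port = detail; sub(/.*sin_port=htons\(/, "", port); sub(/\).*/, "", port)
            addr = detail; sub(/.*inet_addr\("/, "", addr); sub(/".*/, "", addr)
            ep = addr ":" port
        } else {
            # AF_LOCAL: the unix socket path
            ep = detail; sub(/.*sun_path="/, "", ep); sub(/".*/, "", ep)
        }
        status = (res ~ /^-1/) ? "fail" : "ok"
        # non-blocking connects still underway are not failures
        if (res ~ /EINPROGRESS|EALREADY/) status = "pending"
        print fam, ep, status
    }'
}

# usage: smb_endpoints < strace-output
# distinct ip:port pairs on the SMB ports 445 and 139
smb_endpoints() {
    summarize_connects | awk '$1 == "AF_INET" && $2 ~ /:(445|139)$/ { print $2 }' | sort -u
}

# constructed sample trace, taken from the lines shown on the page
sample_trace() {
    cat <<'EOF'
WARNING: The "syslog" option is deprecated
Enter <domain>\<user>'s password: 
connect(5, {sa_family=AF_LOCAL, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
connect(5, {sa_family=AF_LOCAL, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
connect(5, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("10.34.99.10")}, 16) = 0
connect(5, {sa_family=AF_INET, sin_port=htons(445), sin_addr=inet_addr("172.31.101.183")}, 16) = -1 EINPROGRESS (Operation now in progress)
connect(6, {sa_family=AF_INET, sin_port=htons(139), sin_addr=inet_addr("172.31.101.183")}, 16) = -1 EINPROGRESS (Operation now in progress)
connect(5, {sa_family=AF_INET, sin_port=htons(445), sin_addr=inet_addr("172.31.101.183")}, 16) = -1 EALREADY (Operation already in progress)
connect(6, {sa_family=AF_INET, sin_port=htons(139), sin_addr=inet_addr("172.31.101.183")}, 16) = -1 EALREADY (Operation already in progress)
Domain=[<domain>] OS=[Windows Server 2008 R2 Standard 7601 Service Pack 1] Server=[Windows Server 2008 R2 Standard 6.1]
smb: \> +++ exited with 0 +++
EOF
}

# Demo: sample_trace | summarize_connects; sample_trace | smb_endpoints
# Real use: strace -e connect smbclient //server/share -U user 2>&1 | summarize_connects
```

Feed a real run through it with 2>&1, since strace writes to stderr. If the list of SMB endpoints contains an address you did not expect, the client resolved the server name to something other than your intended host, which is the first thing to check before blaming smb.conf.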
