Samba
Related articles
Samba is a re-implementation of the SMB networking protocol. It facilitates file and printer sharing among Linux and Windows systems as an alternative to NFS. This article provides instructions for users on how to setup Samba.
Contents
- 1 Server configuration
- 2 Client configuration
- 3 Tips and tricks
-
4 Troubleshooting
- 4.1 Failed to start Samba SMB/CIFS server
- 4.2 Unable to overwrite files, permissions errors
- 4.3 Windows clients keep asking for password even if Samba shares are created with guest permissions
- 4.4 Windows 7 connectivity problems - mount error(12): cannot allocate memory
- 4.5 Error: Failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL
- 4.6 Sharing a folder fails
- 4.7 "Browsing" network fails with "Failed to retrieve share list from server"
- 4.8 Protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
- 4.9 Connection to SERVER failed: (Error NT_STATUS_UNSUCCESSFUL)
- 4.10 Connection to SERVER failed: (Error NT_STATUS_CONNECTION_REFUSED)
- 4.11 Password Error when correct credentials are given (error 1326)
- 4.12 Mapping reserved Windows characters
- 4.13 Folder shared inside graphical environment is not available to guests
- 5 See also
Server configuration
To share files with Samba, install the samba package.
smb.conf
Samba is configured in /etc/samba/smb.conf
, if this file doesn't exist smbd will fail to start.
To get started you can copy the default config file /etc/samba/smb.conf.default
:
# cp /etc/samba/smb.conf.default /etc/samba/smb.conf
The available options are documented in the smb.conf(5) man page.
Whenever you modify the file run the testparm
command to check for syntactic errrors.
Open /etc/samba/smb.conf
, and scroll down to the Share Definitions section. The default configuration automatically creates a share for each user's home directory.
The workgroup
specified in smb.conf
has to match the in use Windows workgroup (default WORKGROUP
).
Starting services
To provide basic file sharing through SMB start/enable smbd.service
and/or nmbd.service
services. See the smbd(8) and nmbd(8) man pages for details, as the nmbd.service
service may not always be required.
"Usershare" is a feature that gives non-root users the capability to add, modify, and delete their own share definitions.
This creates the usershare directory in /var/lib/samba
:
# mkdir -p /var/lib/samba/usershare
This creates the group sambashare:
# groupadd -r sambashare
This changes the owner of the directory to root and the group to sambashare:
# chown root:sambashare /var/lib/samba/usershare
This changes the permissions of the usershare directory so that users in the group sambashare can read, write and execute files:
# chmod 1770 /var/lib/samba/usershare
Set the following parameters in the smb.conf
configuration file:
/etc/samba/smb.conf
... [global] usershare path = /var/lib/samba/usershare usershare max shares = 100 usershare allow guests = yes usershare owner only = yes ...
Add your user to the sambashare group. Replace your_username
with the name of your user:
# gpasswd sambashare -a your_username
Restart smbd.service
and nmbd.service
services.
Log out and log back in. You should now be able to configure your samba share using GUI. For example, in Thunar you can right click on any directory and share it on the network. If you want to share paths inside your home directory you must make it listable for the group others.
Adding a user
Samba requires a Linux user account - you may use an existing user account or create a new one.
Although the user name is shared with Linux system, Samba uses a password separate from that of the Linux user accounts. Replace samba_user
with the chosen Samba user account:
# smbpasswd -a samba_user
Depending on the server role, existing File permissions and attributes may need to be altered for the Samba user account.
If you want the new user only to be allowed to remotely access the file server shares through Samba, you can restrict other login options:
- disabling shell -
usermod --shell /usr/bin/nologin --lock username
- disabling SSH logons - edit
/etc/ssh/sshd_conf
, change optionAllowUsers
Also see Security for hardening your system.
Changing Samba user's password
To change a user's password, use smbpasswd
:
# smbpasswd samba_user
Required ports
If you are using a firewall, do not forget to open required ports (usually 137-139 + 445). For a complete list please check Samba port usage.
Client configuration
For a lightweight method (without support for listing public shares, etc.), only install cifs-utils to provide /usr/bin/mount.cifs
.
Install smbclient for an ftp-like command line interface. See man smbclient
for commonly used commands.
Depending on the desktop environment, GUI methods may be available. See #File manager configuration for use with a file manager.
The following command lists public shares on a server:
$ smbclient -L hostname -U%
Alternatively, running smbtree will show a tree diagram of all the shares. This is not advisable on a network with a lot of computers, but can be helpful for diagnosing if you have the correct sharename.
$ smbtree -b -N
Where the options are -b
(--broadcast
) to use broadcast instead of using the master browser and -N
(-no-pass
) to not ask for a password.
NetBIOS/WINS host names
You may need to start/enable winbindd in order to resolve host names with e.g., mount.cifs
The smbclient package provides a driver to resolve host names using WINS. To enable it, add “wins” to the “hosts” line in /etc/nsswitch.conf.
Manual mounting
Create a mount point for the share:
# mkdir /mnt/mountpoint
Mount the share using mount.cifs
as type
. Not all the options listed below are needed or desirable:
# mount -t cifs //SERVER/sharename /mnt/mountpoint -o user=username,password=password,uid=username,gid=group,workgroup=workgroup,ip=serverip,iocharset=utf8
To allow users to mount it as long as the mount point resides in a directory controllable by the user; i.e. the user's home, append the users
mount option.
SERVER
- The server name.
sharename
- The shared directory.
mountpoint
- The local directory where the share will be mounted.
-o [options]
- See
man mount.cifs
for more information.
Storing passwords in a world readable file is not recommended. A safer method is to create a credentials file:
/path/to/credentials/share
username=myuser password=mypass
Replace username=myuser,password=mypass
with credentials=/path/to/credentials/share
.
The credential file should explicitly readable/writeable to root:
# chmod 600 /path/to/credentials/share
Automatic mounting
As mount entry
This is an simple example of a cifs
mount entry that requires authentication:
/etc/fstab
//SERVER/sharename /mnt/mountpoint cifs username=myuser,password=mypass 0 0
To speed up the service on boot, add the x-systemd.automount
option to the entry:
/etc/fstab
//SERVER/SHARENAME /mnt/mountpoint cifs credentials=/path/to/smbcredentials/share,x-systemd.automount 0 0
As systemd unit
Create a new .mount
file inside /etc/systemd/system
, e.g. mnt-myshare.mount
.
Requires=
replace (if needed) with your Network configuration.
What=
path to share
Where=
path to mount the share
Options=
share mounting options
/etc/systemd/system/mnt-myshare.mount
[Unit] Description=Mount Share at boot Requires=systemd-networkd.service After=network-online.target Wants=network-online.target [Mount] What=//server/share Where=/mnt/myshare Options=credentials=/etc/samba/creds/myshare,iocharset=utf8,rw,x-systemd.automount Type=cifs TimeoutSec=30 [Install] WantedBy=multi-user.target
To use mnt-myshare.mount
, start the unit and enable it to run on system boot.
smbnetfs
First, check if you can see all the shares you are interested in mounting:
$ smbtree -U remote_user
If that does not work, find and modify the following line
in /etc/samba/smb.conf
accordingly:
domain master = auto
Now restart smbd.service
and nmbd.service
.
If everything works as expected, install smbnetfs from the official repositories.
Then, add the following line to /etc/fuse.conf
:
user_allow_other
Now copy the directory /etc/smbnetfs/.smb
to your home directory:
$ cp -a /etc/smbnetfs/.smb ~
Then create a link to smb.conf
:
$ ln -sf /etc/samba/smb.conf ~/.smb/smb.conf
If a username and a password are required to access some of the shared folders, edit ~/.smb/smbnetfs.auth
to include one or more entries like this:
~/.smb/smbnetfs.auth
auth "hostname" "username" "password"
It is also possible to add entries for specific hosts to be mounted by smbnetfs, if necessary.
More details can be found in ~/.smb/smbnetfs.conf
.
If you are using the Dolphin or GNOME Files, you may want to add the following to ~/.smb/smbnetfs.conf
to avoid "Disk full" errors as smbnetfs by default will report 0 bytes of free space:
~/.smb/smbnetfs.conf
free_space_size 1073741824
When you are done with the configuration, you need to run
$ chmod 600 ~/.smb/smbnetfs.*
Otherwise, smbnetfs complains about 'insecure config file permissions'.
Finally, to mount your Samba network neighbourhood to a directory of your choice, call
$ smbnetfs mount_point
Daemon
The Arch Linux package also maintains an additional system-wide operation mode for smbnetfs. To enable it, you need to make the
said modifications in the directoy /etc/smbnetfs/.smb
.
Then, you can start and/or enable the smbnetfs
daemon as usual. The system-wide mount point is at /mnt/smbnet/
.
autofs
See Autofs for information on the kernel-based automounter for Linux.
File manager configuration
GNOME Files, Nemo, Caja, Thunar and PCManFM
In order to access samba shares through GNOME Files, Nemo, Caja, Thunar or PCManFM, install the gvfs-smb package, available in the official repositories.
Press Ctrl+l
and enter smb://servername/share
in the location bar to access your share.
The mounted share is likely to be present at /run/user/your_UID/gvfs
or ~/.gvfs
in the filesystem.
KDE
KDE has the ability to browse Samba shares built in. To use a GUI in the KDE System Settings, you will need to install the kdenetwork-filesharing package from the official repositories.
If you get a "Time Out" Error when navigating with Dolphin, you should uncomment and edit the following line in smb.conf:name resolve order = lmhosts bcast host wins
as shown in this page.
Other graphical environments
There are a number of useful programs, but they may need to have packages created for them. This can be done with the Arch package build system. The good thing about these others is that they do not require a particular environment to be installed to support them, and so they bring along less baggage.
- pyneighborhood is available in the official repositories.
- LinNeighborhood, RUmba, xffm-samba plugin for Xffm are not available in the official repositories or the AUR. As they are not officially (or even unofficially supported), they may be obsolete and may not work at all.
Tips and tricks
Samba offers an option to block files with certain patterns, like file extensions. This option can be used to prevent dissemination of viruses or to dissuade users from wasting space with certain files. More information about this option can be found in man smb.conf
.
/etc/samba/smb.conf
... [myshare] comment = Private path = /mnt/data read only = no veto files = /*.exe/*.com/*.dll/*.bat/*.vbs/*.tmp/*.mp3/*.avi/*.mp4/*.wmv/*.wma/
If nothing is known about other systems on the local network, and automated tools such as smbnetfs are not available, the following methods allow one to manually probe for Samba shares.
1. First, install the nmap and smbclient packages.
2. nmap
checks which ports are open:
# nmap -p 139 -sT "192.168.1.*"
In this case, a scan on the 192.168.1.* IP address range and port 139 has been performed, resulting in:
$ nmap -sT "192.168.1.*"
Starting nmap 3.78 ( http://www.insecure.org/nmap/ ) at 2005-02-15 11:45 PHT Interesting ports on 192.168.1.1: (The 1661 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 139/tcp open netbios-ssn 5000/tcp open UPnP Interesting ports on 192.168.1.5: (The 1662 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 6000/tcp open X11 Nmap run completed -- 256 IP addresses (2 hosts up) scanned in 7.255 seconds
The first result is another system; the second happens to be the client from where this scan was performed.
3. Now that systems with port 139 open are revealed, use nmblookup
to check for NetBIOS names:
$ nmblookup -A 192.168.1.1
Looking up status of 192.168.1.1 PUTER <00> - B <ACTIVE> HOMENET <00> - <GROUP> B <ACTIVE> PUTER <03> - B <ACTIVE> PUTER <20> - B <ACTIVE> HOMENET <1e> - <GROUP> B <ACTIVE> USERNAME <03> - B <ACTIVE> HOMENET <1d> - B <ACTIVE> MSBROWSE <01> - <GROUP> B <ACTIVE>
Regardless of the output, look for <20>, which shows the host with open services.
4. Use smbclient
to list which services are shared on PUTER. If prompted for a password, pressing enter should still display the list:
$ smbclient -L \\PUTER
Sharename Type Comment --------- ---- ------- MY_MUSIC Disk SHAREDDOCS Disk PRINTER$ Disk PRINTER Printer IPC$ IPC Remote Inter Process Communication Server Comment --------- ------- PUTER Workgroup Master --------- ------- HOMENET PUTER
Remote control of Windows computer
Samba offers a set of tools for communication with Windows. These can be handy if access to a Windows computer through remote desktop is not an option, as shown by some examples.
Send shutdown command with a comment:
$ net rpc shutdown -C "comment" -I IPADDRESS -U USERNAME%PASSWORD
A forced shutdown instead can be invoked by changing -C with comment to a single -f. For a restart, only add -r, followed by a -C or -f.
Stop and start services:
$ net rpc service stop SERVICENAME -I IPADDRESS -U USERNAME%PASSWORD
To see all possible net rpc command:
$ net rpc
Edit /etc/samba/smb.conf
and add the following line:
map to guest = Bad User
After this line:
security = user
Restrict the shares data to a specific interface replace:
; interfaces = 192.168.12.2/24 192.168.13.2/24
with:
interfaces = lo eth0 bind interfaces only = true
Optionally edit the account that access the shares, edit the following line:
; guest account = nobody
For example:
guest account = pcguest
And do something in the likes of:
# useradd -c "Guest User" -d /dev/null -s /bin/false pcguest
Then setup a "" password for user pcguest.
The last step is to create share directory (for write access make writable = yes):
[Public Share] path = /path/to/public/share available = yes browsable = yes public = yes writable = no
Sample Passwordless Configuration
This is the configuration I use with samba 4 for easy passwordless filesharing with family on a home network. Change any options needed to suit your network (workgroup and interface). I'm restricting it to the static IP I have on my ethernet interface, just delete that line if you do not care which interface is used.
/etc/samba/smb.conf
[global] workgroup = WORKGROUP server string = Media Server security = user map to guest = Bad User log file = /var/log/samba/%m.log max log size = 50 interfaces = 192.168.2.194/24 dns proxy = no [media] path = /shares public = yes only guest = yes writable = yes [storage] path = /media/storage public = yes only guest = yes writable = yes
Build Samba without CUPS
Just build without cups installed. From the Samba Wiki:
Samba has built-in support [for CUPS] and defaults to CUPS if the development package (aka header files and libraries) could be found at compile time.
Of course, modifications to the PKGBUILD will also be necessary: libcups will have to be removed from the depends and makedepends arrays and other references to cups and printing will need to be deleted. In the case of the 4.1.9-1 PKGBUILD, 'other references' includes lines 169, 170 and 236:
mkdir -p ${pkgdir}/usr/lib/cups/backend ln -sf /usr/bin/smbspool ${pkgdir}/usr/lib/cups/backend/smb install -d -m1777 ${pkgdir}/var/spool/samba
Troubleshooting
Failed to start Samba SMB/CIFS server
Check if the permissions are set correctly for /var/cache/samba/
and restart the smbd.service
or smbd.socket
:
# chmod 0755 /var/cache/samba/msg
Unable to overwrite files, permissions errors
Possible solutions:
- Append the mount option
nodfs
to the/etc/fstab
entry. - Add
msdfs root = no
to the[global]
section of the server's/etc/samba/smb.conf
.
Set map to guest
inside the global
section of /etc/samba/smb.conf
:
map to guest = Bad User
Windows 7 connectivity problems - mount error(12): cannot allocate memory
A known Windows 7 bug that causes "mount error(12): cannot allocate memory" on an otherwise perfect cifs share on the Linux end can be fixed by setting a few registry keys on the Windows box as follows:
-
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\LargeSystemCache
(set to1
) -
HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\Size
(set to3
)
Alternatively, start Command Prompt in Admin Mode and execute the following:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargeSystemCache" /t REG_DWORD /d 1 /f reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "Size" /t REG_DWORD /d 3 /f
Do one of the following for the settings to take effect:
- Restart Windows
- Restart the Server service via services.msc
- From the Command Prompt run: 'net stop lanmanserver' and 'net start lanmanserver' - The server may automatically restart after stopping it.
Error: Failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL
If you are a home user and using samba purely for file sharing from a server or NAS, you are probably not interested in sharing printers through it. If so, you can prevent this error from occurring by adding the following lines to your /etc/samba/smb.conf
:
load printers = No printing = bsd printcap name = /dev/null disable spoolss = Yes
Restart the samba service, smbd.service
, and then check your logs:
cat /var/log/samba/smbd.log
and the error should now no longer be appearing.
Sharing a folder fails
It means that while you are sharing a folder from Dolphin (file manager) and everything seems ok at first, after restarting Dolphin the share icon is gone from the shared folder, and also some output like this in terminal (Konsole) output:
‘net usershare’ returned error 255: net usershare: usershares are currently disabled
To fix it, enable usershare as described in #Creating usershare path.
And you are using a firewall (iptables) because you do not trust your local (school, university, hotel) local network. This may be due to the following: When the smbclient is browsing the local network it sends out a broadcast request on udp port 137. The servers on the network then reply to your client but as the source address of this reply is different from the destination address iptables saw when sending the request for the listing out, iptables will not recognize the reply as being "ESTABLISHED" or "RELATED", and hence the packet is dropped. A possible solution is to add:
iptables -t raw -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns
to your iptables setup.
Protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
The client probably does not have access to shares. Make sure clients' IP address is in hosts allow =
line in /etc/samba/smb.conf
.
Connection to SERVER failed: (Error NT_STATUS_UNSUCCESSFUL)
You are probably passing wrong server name to smbclient
. To find out the server name, run hostnamectl
on the server and look at "Transient hostname" line
Connection to SERVER failed: (Error NT_STATUS_CONNECTION_REFUSED)
Make sure that the server has started. The shared directories should exist and be accessible.
Password Error when correct credentials are given (error 1326)
Samba 4.5 has NTLMv1 authentication disabled by default. It is recommend to install the latest available upgrades on clients and deny access for unsupported clients.
If you still need support for very old clients without NTLMv2 support (e.g. Windows XP), it is possible force enable NTLMv1, although this is not recommend for security reasons:
/etc/samba/smb.conf
[global] lanman auth = yes ntlm auth = yes
If NTLMv2 clients are unable to authenticate when NTLMv1 has been enabled, create the following file on the client:
/home/user/.smb/smb.conf
[global] sec = ntlmv2 client ntlmv2 auth = yes
This change also affects samba shares mounted with mount.cifs. If after upgrade to Samba 4.5 your mount fails, add the sec=ntlmssp option to your mount command, e.g.
mount.cifs //server/share /mnt/point -o sec=ntlmssp,...
See the mount.cifs(8) man page: ntlmssp - Use NTLMv2 password hashing encapsulated in Raw NTLMSSP message. The default in mainline kernel versions prior to v3.8 was sec=ntlm. In v3.8, the default was changed to sec=ntlmssp.
Mapping reserved Windows characters
Starting with kernel 3.18, the cifs module uses the "mapposix" option by default.
When mounting a share using unix extensions and a default Samba configuration, files and directories containing one of the seven reserved Windows characters : \ * < > ?
are listed but cannot be accessed.
Possible solutions are:
- Use the undocumented
nomapposix
mount option for cifs
# mount.cifs //server/share /mnt/point -o nomapposix
- Configure Samba to remap
mapposix
("SFM", Services for Mac) style characters to the correct native ones using fruit
/etc/samba/smb.conf
[global] vfs objects = catia fruit fruit:encoding = native
- Manually remap forbidden characters using catia
/etc/samba/smb.conf
[global] vfs objects = catia catia:mappings = 0x22:0xf022, 0x2a:0xf02a, 0x2f:0xf02f, 0x3a:0xf03a, 0x3c:0xf03c, 0x3e:0xf03e, 0x3f:0xf03f, 0x5c:0xf05c, 0x7c:0xf07c, 0x20:0xf020
The latter approach (using catia or fruit) has the drawback of filtering files with unprintable characters.
This section presupposes:
- Usershares are configured following previous section
- A shared folder has been created as a non-root user from GUI
- Guests access has been set to shared folder during creation
- Samba service has been restarted at least once since last
/etc/samba/smb.conf
file modification
For clarification purpose only, in the following sub-sections is assumed:
- Shared folder is located inside user home directory path (
/home/yourUser/Shared
) - Shared folder name is MySharedFiles
- Guest access is read-only.
- Windows users will access shared folder content without login prompt
Verify correct samba configuration
Run the following command from a terminal to test configuration file correctness:
$ testparm
If everything is fine among output lines you may read
Press enter to see a dump of your service definitions
If it is not, please correct file accordingly to command error notifications.
Press the Enter key in order to dump samba configuration. The following options must be listed.
/etc/samba/smb.conf
[global] ... some options here ... usershare max shares = 100 usershare path = /var/lib/samba/usershare map to guest = Bad Password ... other options here ...
If previous option are not present, modify /etc/samba/smb.conf
file in order to add them all.
Run the following commands from a terminal:
$ cd /var/lib/samba/usershare $ ls
If everything is fine, you will notice a file named mysharedfiles
Read the file contents using the following command:
$ cat mysharedfiles
The terminal output should display something like this:
/var/lib/samba/usershare/mysharedfiles
path=/home/yourUser/Shared comment= usershare_acl=S-1-1-0:r guest_ok=y sharename=MySharedFiles
Verify folder access by guest
Run the following command from a terminal. If prompted for a password, just press Enter:
$ smbclient -L localhost
If everything is fine, MySharedFiles should be displayed under Sharename
column
Run the following command in order to access the shared folder as guest (anonymous login)
$ smbclient -N //localhost/MySharedFiles
If everything is fine samba client prompt will be displayed:
smb: \>
From samba prompt verify guest can list directory contents:
smb: \> ls
If NTFS_STATUS_ACCESS_DENIED
error displayed, probably there is something to be solved at directory permission level.
Run the following commands as root to set correct permissions for folders:
# cd /home # chmod -R 755 /home/yourUser/Shared
Access shared folder again as guest to be sure guest read access error has been solved.