Samba: Difference between revisions
(28 intermediate revisions by 2 users not shown) | |||
Line 11: | Line 11: | ||
== Samba Client == |
== Samba Client == |
||
=== Linux === |
|||
* To mount a samba share in Linux (see [http://en.opensuse.org/SDB:Access_to_Windows_Shares]): |
* To mount a samba share in Linux (see [http://en.opensuse.org/SDB:Access_to_Windows_Shares]): |
||
<source lang="bash"> |
|||
mkdir -p /windows/winshare |
|||
mount -t cifs //winmachine/testshare /windows/winshare |
|||
mount -t cifs -o username=user,password=secret //winmachine/testshare /windows/winshare |
|||
sudo mount -t cifs -o username=baddreams,uid=1000,gid=124 //phoenix/D$ /net/phoenix/d |
|||
</source> |
</source> |
||
* Better always specify option ''sec=[lanman,ntlm,ntlmv2]'' to avoid pernission denied error (see [https://bugs.launchpad.net/ubuntu/+source/cifs-utils/+bug/1113395 bug 1113395]): |
|||
<source lang="bash"> |
|||
sudo mount -t cifs -o username=baddreams,uid=1000,gid=124,sec=ntlm //phoenix/D$ /net/phoenix/d |
|||
</source> |
|||
* Or make it an entry in <tt>/etc/fstab</tt>. Note that '''gid=124''' refers to group '''sambashare'''. |
* Or make it an entry in <tt>/etc/fstab</tt>. Note that '''gid=124''' refers to group '''sambashare'''. |
||
{{lp2|<pre> |
{{lp2|1=<pre> |
||
//mnemosyne/backup /net/mnemosyne/backuprw cifs username=backup |
//mnemosyne/backup /net/mnemosyne/backuprw cifs username=backup,uid=999,gid=124 |
||
</pre>}} |
</pre>}} |
||
;Share with passwords |
|||
* There are 4 possibilities to give the password: by the command-line, by env. var <code>PASSWD</code>, by a credential file or interactively. |
|||
* '''TIP!''' To pass the password via env. var <code>PASSWD</code>, first make sure that file {{file|/etc/sudoers}} contains the following: |
|||
Defaults env_keep += "PASSWD" |
|||
:Then the password can be passed to <code>mount</code> as follows: |
|||
<source lang=bash> |
|||
stty -echo |
|||
read -p "password for user $USER@$SHARE? " PASSWD |
|||
stty echo |
|||
echo |
|||
export PASSWD |
|||
sudo mount -t cifs noperm,iocharset=utf8,uid=$(id u),forceuid,gid=$(id g),forcegid,username=$USER $SHARE /smb |
|||
</source> |
|||
=== Windows === |
|||
Use the <code>net use</code> command to mount network samba share. |
|||
<source lang=bash> |
|||
net use G: \\localserver\beq06659 /USER:WORKGROUP\beq06659 # Better specify domain name to override any corporate domain |
|||
</source> |
|||
'''{{red|CAREFUL CORPORATE USER}}''' If you get the following error message although you are giving the correct password, you might need to specify the user '''DOMAIN''' as well (as specified in <tt>/etc/samba/smb.conf</tt>). |
|||
<pre> |
|||
The specified network password is not correct. |
|||
</pre> |
|||
== Samba Server == |
== Samba Server == |
||
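Review bot: the last line of the new PASSWD example, `sudo mount -t cifs noperm,iocharset=utf8,...`, has no `-o` before the option list and writes `$(id u)` / `$(id g)` where `id -u` / `id -g` is needed, so the command fails as written; please fix both. The same hunk adds `Defaults env_keep += "PASSWD"` to sudoers, which applies to every sudo invocation and not only to mount, so the text should say that the credential file it lists among the four options avoids that. "pernission" in the `sec=` bullet should read "permission".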
Line 37: | Line 70: | ||
security = user |
security = user |
||
username map = /etc/samba/smbusers # ... does not seems mandatory though |
username map = /etc/samba/smbusers # ... does not seems mandatory though |
||
</source> |
|||
* If you are still using NTLM v1, you need to add this [https://github.com/dperson/samba/issues/41]: |
|||
<source lang=bash> |
|||
ntlm auth = yes |
|||
</source> |
</source> |
||
* Add the user |
* Add the user |
||
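Review bot: the new bullet turns NTLMv1 back on with `ntlm auth = yes` without saying that this is a compatibility fallback; please state that the setting applies server-wide and that moving the client to `sec=ntlmv2`, which the client section already names, is the preferred fix. The block is smb.conf content, so `<source lang=bash>` is the wrong highlighter; the guest-share section added in this revision uses `lang=text`.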
Line 59: | Line 96: | ||
guest ok = no |
guest ok = no |
||
read only = yes |
read only = yes |
||
create mask = |
create mask = 0644 |
||
directory mask = 0755 |
|||
[d] |
[d] |
||
Line 68: | Line 106: | ||
guest ok = no |
guest ok = no |
||
read only = yes |
read only = yes |
||
create mask = |
create mask = 0644 |
||
directory mask = 0755 |
|||
</source> |
</source> |
||
Line 91: | Line 130: | ||
|microsoft-ds||445||TCP||Microsoft Directory Service |
|microsoft-ds||445||TCP||Microsoft Directory Service |
||
|} |
|} |
||
As advised [http://troy.jdmz.net/samba/fw/ here], port '''135/tcp'''<ref>DCE RPC, i.e. Distributed Computing Environment and Remote Procedure Call</ref> is better left {{red|closed}} (was already exploited by worms), without causing defect. |
|||
=== Share without user/password === |
|||
Reference: [http://www.debuntu.org/guest-file-sharing-with-samba]. |
|||
The idea is to open up the samba shares to all computers on a private network (by restricting network interfaces). |
|||
* Edit <tt>/etc/samba/smb.conf</tt>. Set interfaces to ''lo'' and |
|||
<source lang=text> |
|||
interfaces = lo eth1 |
|||
bind interfaces only = true |
|||
</source> |
|||
* Make sure that ''security'' is set to ''share'' (not ''user''), and that ''guest'' account is enabled: |
|||
<source lang=text> |
|||
security = share |
|||
... |
|||
guest account = nobody |
|||
</source> |
|||
* Create a share accessible to guest users: |
|||
<source lang=text> |
|||
[Guest Share] |
|||
comment = Guest access share |
|||
path = /path/to/dir/to/share |
|||
browseable = yes |
|||
read only = yes |
|||
guest ok = yes |
|||
</source> |
|||
* Test that configuration is good with ''testparm'': |
|||
<source lang=bash> |
|||
testparm |
|||
</source> |
|||
* Restart ''samba'': |
|||
<source lang=bash> |
|||
sudo /etc/init.d/samba reload |
|||
</source> |
|||
== Mount as User == |
== Mount as User == |
||
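Review bot: the first bullet of the new guest-share procedure stops mid-sentence ("Set interfaces to ''lo'' and"); it should name the second interface, as the `interfaces = lo eth1` example below it does. The final step is headed "Restart ''samba''" but runs `sudo /etc/init.d/samba reload`; pick one. Because this recipe removes authentication (`security = share`, `guest ok = yes`), it should also say explicitly that `bind interfaces only = true` is the only access restriction it sets up.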
Line 99: | Line 172: | ||
* mount spec in '''fstab''' must contain the option '''user''' (or '''users''' to let any user unmount). |
* mount spec in '''fstab''' must contain the option '''user''' (or '''users''' to let any user unmount). |
||
** It seems that option '''suid''' should be present as well, but does not seem to do anything good to me. |
** It seems that option '''suid''' should be present as well, but does not seem to do anything good to me. |
||
{{ |
{{pl2|1=<pre> |
||
//mnemosyne/public /net/mnemosyne/publicrw cifs noauto,users,guest |
//mnemosyne/public /net/mnemosyne/publicrw cifs noauto,users,guest 0 0 |
||
//mnemosyne/public /net/mnemosyne/public cifs noauto,users,ro,guest |
//mnemosyne/public /net/mnemosyne/public cifs noauto,users,ro,guest,suid 0 0 |
||
</pre>}} |
</pre>}} |
||
== Tips == |
|||
=== Auto-mount / unmount shares with systemd === |
|||
This tip is similar to using '''autofs'''. However it also enables to unmount automatically shares, so that there so no longer any 90 seconds timeout at shutdown [https://forum.manjaro.org/t/fstab-samba-mount-causing-stop-job-on-shutdown/45210/7] |
|||
Add to {{file|/etc/fstab}}: |
|||
<source lang=bash> |
|||
//10.0.0.2/Penny /mnt/penny cifs noauto,x-systemd.automount,x-gvfs-hide,x-systemd.device-timeout=10,x-systemd.idle-timeout=1min,credentials=/home/name/.smbcredentials,users,_netdev 0 0 |
|||
</source> |
|||
After that, reload daemon with <code>systemctrl daemon-reload</code> (or reboot). |
|||
This will auto-unmount the shares after 60s. |
|||
=== Auto-unmount shares on shutdown === |
|||
This tip requires NetworkManager [https://forum.manjaro.org/t/fstab-samba-mount-causing-stop-job-on-shutdown/45210/13]. |
|||
Create a file {{file|/etc/NetworkManager/dispatcher.d/pre-down.d/mount_cifs}}: |
|||
<source lang=bash> |
|||
#!/bin/bash |
|||
umount -a -l -t cifs |
|||
</source> |
|||
=== autofs mount tips === |
|||
* <code>echo_interval=4</code> |
|||
: Set also timeout interval to an unresponsive server. |
|||
== Troubleshooting == |
|||
=== Logging === |
|||
It seems that by default, logging is '''not''' enabled (?!?) on the samba, which is not very handy to troubleshoot connection issue. |
|||
To enable, add to {{file|/etc/samba/smb.conf}}: |
|||
<source lang=bash> |
|||
[global] |
|||
log level = 3 |
|||
log file = /var/log/samba/log.%m |
|||
</source> |
|||
Log level 3 already generates a ''lot'' of logging information, and should be used only for debugging purpose (higher level are reserved for samba developers). |
|||
=== Changes made on server not visible to clients === |
|||
We must disable the opportunistic locks [https://support.microsoft.com/en-us/help/296264/configuring-opportunistic-locking-in-windows], [https://lists.samba.org/archive/samba-technical/2002-October/025043.html], [https://www.samba.org/samba/docs/old/Samba3-HOWTO/locking.html]. |
|||
Add to each share configuration in file {{file|/etc/samba/smb.conf}}: |
|||
<source lang=bash> |
|||
[shareXYZ] |
|||
.... |
|||
oplocks = False |
|||
level2 oplocks = False |
|||
kernel oplocks = yes |
|||
</source> |
|||
=== Mount errors === |
|||
; <code>mount error(13): Permission denied</code> |
|||
* We have the following error when mounting a share with <code>sudo mount -t cifs //mnemosyne/movies /mnt/any -o rw,username=movies</code> |
|||
mount error(13): Permission denied |
|||
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) |
|||
* dmesg: |
|||
[20662.908952] CIFS VFS: Send error in SessSetup = -13 |
|||
[20662.909123] CIFS VFS: cifs_mount failed w/return code = -13 |
|||
* The fix is to add option '''sec=lanman''' (or ''sec=ntlm'', or ''sec=ntlmv2''). |
|||
:This is apparently due to ''/proc/fs/cifs/SecurityFlags'' being set to 0x81 instead of 0x07 in previous version of Ubuntu. See [https://bugs.launchpad.net/ubuntu/+source/cifs-utils/+bug/1113395 bug 1113395] and https://www.kernel.org/doc/readme/fs-cifs-README. |
|||
<source lang=bash> |
|||
sudo mount -t cifs //mnemosyne/movies /mnt/any -o rw,username=movies,sec=ntlm |
|||
</source> |
|||
; <code>mount error(5): Input/output error</code> |
|||
* Solution: Use the server IP address instead of server name: |
|||
<source lang=bash> |
|||
sudo mount -v -t cifs -o noperm,iocharset=utf8,credentials=/etc/auto.smb.st.peetersm //docs.zav.st.com/MinaShare /mnt/any |
|||
# mount error(5): Input/output error |
|||
# Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) |
|||
sudo mount -v -t cifs -o noperm,iocharset=utf8,credentials=/etc/auto.smb.st.peetersm //10.136.3.100/MinaShare /mnt/any |
|||
</source> |
|||
* 2nd solution: make sure the '''hostname used is correct (no typo!)'''. Sometimes detecting typos is really hard because how weird |
|||
* 3rd solution: Verify hosts entry (first name must be the canonical name, followed by possible aliases). |
|||
=== Error <code>X and Y are the same file</code>=== |
|||
Trying to rename or copy files give the following error [https://superuser.com/questions/1132269/mv-command-reports-x-and-y-are-the-same-file-cifs-filesystem] |
|||
<source lang="bash"> |
|||
mv /mnt/Files_Apps/temp/IMG_5624.MOV "/mnt/Files_Apps/2016-07-19 21 39 21.MOV" |
|||
# mv: '/mnt/Files_Apps/temp/IMG_5624.MOV' and '/mnt/Files_Apps/2016-07-19 21 39 21.MOV' are the same file |
|||
</source> |
|||
The fix is to disable caching with <code>cache=none</code> in the mount options [https://superuser.com/questions/1132269/mv-command-reports-x-and-y-are-the-same-file-cifs-filesystem]. |
|||
=== Troubleshooting tips === |
|||
* Try using IP address instead of name. |
|||
* Try mount <code>-verbose</code> option. |
|||
* Try network mapper in Nautilus application. This may give a different error code or more detailed error. |
|||
* Try a samba client in user-land (like ''gigolo'' or ''smbfs'') to see if problem is in the kernel. |
|||
* Try <code>smbclient</code>. |
|||
:<code>smbclient -L someserver -m NT1</code> |
|||
* Enable logging level 3 and analyze the log. |
|||
* Read [https://www.samba.org/samba/docs/using_samba/ch12.html Troubleshooting Samba]. |
|||
== References == |
|||
<references/> |
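Review bot: `systemctrl daemon-reload` in the systemd tip is a typo for `systemctl daemon-reload`. The "Mount as User" example now opens with `{{pl2|1=<pre>` while the client section uses `{{lp2|1=<pre>`, so one of the two template names is wrong. In the troubleshooting tips, `-verbose` should be `--verbose` (or `-v`, as the I/O-error example uses), and the "2nd solution" bullet ends mid-sentence ("because how weird").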
Latest revision as of 11:41, 25 October 2021
This page is part of the Linux Disk Management pages.
References
- http://en.opensuse.org/SDB:Access_to_Windows_Shares
- See local documentation at /usr/share/doc/packages/samba/htmldocs (requires package samba documentation)
Packages
In Ubuntu, install the packages samba and smbfs.
Samba Client
Linux
- To mount a samba share in Linux (see [1]):
mkdir -p /windows/winshare
mount -t cifs //winmachine/testshare /windows/winshare
mount -t cifs -o username=user,password=secret //winmachine/testshare /windows/winshare
sudo mount -t cifs -o username=baddreams,uid=1000,gid=124 //phoenix/D$ /net/phoenix/d
- It is better to always specify the option sec=[lanman,ntlm,ntlmv2] to avoid a permission denied error (see bug 1113395):
sudo mount -t cifs -o username=baddreams,uid=1000,gid=124,sec=ntlm //phoenix/D$ /net/phoenix/d
- Or make it an entry in /etc/fstab. Note that gid=124 refers to group sambashare.
//mnemosyne/backup /net/mnemosyne/backuprw cifs username=backup,uid=999,gid=124
- Share with passwords
- There are 4 possibilities to give the password: by the command-line, by env. var PASSWD, by a credential file or interactively.
- TIP! To pass the password via env. var PASSWD, first make sure that file /etc/sudoers contains the following:
Defaults env_keep += "PASSWD"
- Then the password can be passed to mount as follows:
stty -echo
read -p "password for user $USER@$SHARE? " PASSWD
stty echo
echo
export PASSWD
sudo mount -t cifs -o noperm,iocharset=utf8,uid=$(id -u),forceuid,gid=$(id -g),forcegid,username=$USER $SHARE /smb
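As an added example (not part of the original page), the shell function below audits the cifs entries of an fstab-format file for the password-handling choices discussed above: an inline password= option, the weak sec=lanman / sec=ntlm modes, and a credentials file that other users can read. The function names and the sample fstab, which reuses entries shown on this page, are constructed for illustration.

```shell
#!/bin/sh
# Added example: report risky options in the cifs entries of an fstab-format file.
# Prints one "mountpoint: finding" line per problem.
audit_cifs_fstab() (
    set -f                       # no globbing while splitting the option list
    # fstab fields: 1=share 2=mountpoint 3=fstype 4=options
    awk '$1 !~ /^#/ && $3 == "cifs" { print $2, $4 }' "$1" |
    while read -r mnt opts; do
        cred=""
        old_ifs=$IFS; IFS=,
        for o in $opts; do
            case $o in
                password=*|pass=*)
                    echo "$mnt: password stored inline in fstab" ;;
                sec=lanman|sec=ntlm|sec=ntlmi)
                    echo "$mnt: weak authentication $o, prefer sec=ntlmv2" ;;
                credentials=*|cred=*)
                    cred=${o#*=} ;;
            esac
        done
        IFS=$old_ifs
        [ -n "$cred" ] || continue
        if [ ! -f "$cred" ]; then
            echo "$mnt: credentials file $cred not found"
        elif [ -n "$(find "$cred" \( -perm -040 -o -perm -004 \))" ]; then
            echo "$mnt: credentials file $cred is readable by group or others"
        fi
    done
)

# Constructed sample: four cifs entries and two credentials files (modes 600 and 644).
demo_audit() (
    dir=$(mktemp -d) || exit 1
    trap 'rm -rf "$dir"' EXIT
    printf 'username=name\npassword=constructed\n' > "$dir/ok.cred"
    cp "$dir/ok.cred" "$dir/loose.cred"
    chmod 600 "$dir/ok.cred"
    chmod 644 "$dir/loose.cred"
    cat > "$dir/fstab" <<EOF
# constructed sample fstab
//winmachine/testshare /windows/winshare cifs username=user,password=secret 0 0
//phoenix/D\$ /net/phoenix/d cifs username=baddreams,uid=1000,gid=124,sec=ntlm 0 0
//10.0.0.2/Penny /mnt/penny cifs noauto,x-systemd.automount,credentials=$dir/loose.cred,users,_netdev 0 0
//mnemosyne/backup /net/mnemosyne/backuprw cifs credentials=$dir/ok.cred,uid=999,gid=124 0 0
/dev/sda1 / ext4 defaults 0 1
EOF
    audit_cifs_fstab "$dir/fstab"
)

demo_audit
```

On a real system, run `audit_cifs_fstab /etc/fstab`; an entry whose credentials file has mode 600 and that sets neither password= nor a weak sec= value produces no output.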
Windows
Use the net use command to mount a network Samba share.
net use G: \\localserver\beq06659 /USER:WORKGROUP\beq06659 # Better specify domain name to override any corporate domain
CAREFUL CORPORATE USER If you get the following error message although you are giving the correct password, you might need to specify the user DOMAIN as well (as specified in /etc/samba/smb.conf).
The specified network password is not correct.
Samba Server
Installation
(From [2])
- Install Samba
sudo apt-get install samba smbfs
- Edit the configuration file /etc/samba/smb.conf
- Uncomment the line security = user, and add link to smbusers file
security = user
# The username map does not seem mandatory, though
username map = /etc/samba/smbusers
- If you are still using NTLM v1, you need to add this [3]:
ntlm auth = yes
- Add the user
sudo smbpasswd -a beq06659
- Create the user mapping file that maps samba user to linux user in file /etc/samba/smbusers:
<linuxuser>="<sambauser>"
- Uncomment the section corresponding to the shares you want to enable:
[homes]
comment = Home Directories
browseable = no
[c]
comment = Windows Drive C
browseable = yes
path = /win/c
printable = no
guest ok = no
read only = yes
create mask = 0644
directory mask = 0755
[d]
comment = Windows Drive D
browseable = yes
path = /win/d
printable = no
guest ok = no
read only = yes
create mask = 0644
directory mask = 0755
- Don't forget to open the ports on your firewall !!!
- Restart the samba daemon
sudo /etc/init.d/smbd restart
Server Firewall Settings
The following ports must be opened ([4], [5]):
Service | Port | Prot | Description |
---|---|---|---|
netbios-ns | 137 | UDP | NetBIOS Name Service |
netbios-dgm | 138 | UDP | NetBIOS Datagram Service |
netbios-ssn | 139 | TCP | NetBIOS Session Service |
microsoft-ds | 445 | TCP | Microsoft Directory Service |
As advised here, port 135/tcp[1] is better left closed (it was already exploited by worms); closing it does not cause any defect.
Share without user/password
Reference: [6].
The idea is to open up the samba shares to all computers on a private network (by restricting network interfaces).
- Edit /etc/samba/smb.conf. Set interfaces to lo and
interfaces = lo eth1
bind interfaces only = true
- Make sure that security is set to share (not user), and that guest account is enabled:
security = share
...
guest account = nobody
- Create a share accessible to guest users:
[Guest Share]
comment = Guest access share
path = /path/to/dir/to/share
browseable = yes
read only = yes
guest ok = yes
- Test that configuration is good with testparm:
testparm
- Restart samba:
sudo /etc/init.d/samba reload
Mount as User
To mount a samba share as a regular user (i.e. without sudo), the following conditions must be met:
- /bin/mount, /bin/umount, /sbin/mount.cifs, /sbin/umount.cifs must be setuid (sudo chmod +s ...)
- share point must be owned by the user (chown username mountpoint).
- May be optional, but does not hurt, set group of mount point to sambashare, and verify that the user is in that group
- mount spec in fstab must contain the option user (or users to let any user unmount).
- It seems that option suid should be present as well, but does not seem to do anything good to me.
//mnemosyne/public /net/mnemosyne/publicrw cifs noauto,users,guest 0 0
//mnemosyne/public /net/mnemosyne/public cifs noauto,users,ro,guest,suid 0 0
Tips
Auto-mount / unmount shares with systemd
This tip is similar to using autofs. However, it also unmounts shares automatically, so that there is no longer any 90-second timeout at shutdown [7].
Add to /etc/fstab:
//10.0.0.2/Penny /mnt/penny cifs noauto,x-systemd.automount,x-gvfs-hide,x-systemd.device-timeout=10,x-systemd.idle-timeout=1min,credentials=/home/name/.smbcredentials,users,_netdev 0 0
After that, reload the daemon with systemctl daemon-reload (or reboot).
This will auto-unmount the shares after 60s.
Auto-unmount shares on shutdown
This tip requires NetworkManager [8].
Create a file /etc/NetworkManager/dispatcher.d/pre-down.d/mount_cifs:
#!/bin/bash
umount -a -l -t cifs
autofs mount tips
- echo_interval=4
  This also sets the timeout interval for an unresponsive server.
Troubleshooting
Logging
It seems that by default logging is not enabled (?!?) in Samba, which is not very handy for troubleshooting connection issues.
To enable, add to /etc/samba/smb.conf:
[global]
log level = 3
log file = /var/log/samba/log.%m
Log level 3 already generates a lot of logging information and should be used only for debugging purposes (higher levels are reserved for Samba developers).
Changes made on server not visible to clients
We must disable the opportunistic locks [9], [10], [11].
Add to each share configuration in file /etc/samba/smb.conf:
[shareXYZ]
....
oplocks = False
level2 oplocks = False
kernel oplocks = yes
Mount errors
mount error(13): Permission denied
- We have the following error when mounting a share with
sudo mount -t cifs //mnemosyne/movies /mnt/any -o rw,username=movies
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
- dmesg:
[20662.908952] CIFS VFS: Send error in SessSetup = -13
[20662.909123] CIFS VFS: cifs_mount failed w/return code = -13
- The fix is to add option sec=lanman (or sec=ntlm, or sec=ntlmv2).
- This is apparently due to /proc/fs/cifs/SecurityFlags being set to 0x81 instead of 0x07 in previous version of Ubuntu. See bug 1113395 and https://www.kernel.org/doc/readme/fs-cifs-README.
sudo mount -t cifs //mnemosyne/movies /mnt/any -o rw,username=movies,sec=ntlm
mount error(5): Input/output error
- Solution: Use the server IP address instead of server name:
sudo mount -v -t cifs -o noperm,iocharset=utf8,credentials=/etc/auto.smb.st.peetersm //docs.zav.st.com/MinaShare /mnt/any
# mount error(5): Input/output error
# Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
sudo mount -v -t cifs -o noperm,iocharset=utf8,credentials=/etc/auto.smb.st.peetersm //10.136.3.100/MinaShare /mnt/any
- 2nd solution: make sure the hostname used is correct (no typo!). Sometimes detecting typos is really hard because how weird
- 3rd solution: Verify hosts entry (first name must be the canonical name, followed by possible aliases).
Error X and Y are the same file
Trying to rename or copy files gives the following error [12]:
mv /mnt/Files_Apps/temp/IMG_5624.MOV "/mnt/Files_Apps/2016-07-19 21 39 21.MOV"
# mv: '/mnt/Files_Apps/temp/IMG_5624.MOV' and '/mnt/Files_Apps/2016-07-19 21 39 21.MOV' are the same file
The fix is to disable caching with cache=none in the mount options [13].
Troubleshooting tips
- Try using IP address instead of name.
- Try the mount --verbose option.
- Try network mapper in Nautilus application. This may give a different error code or more detailed error.
- Try a samba client in user-land (like gigolo or smbfs) to see if problem is in the kernel.
- Try smbclient.
smbclient -L someserver -m NT1
- Enable logging level 3 and analyze the log.
- Read Troubleshooting Samba.
References
- ↑ DCE RPC, i.e. Distributed Computing Environment and Remote Procedure Call