Samba


This page is part of the Linux Disk Management pages.

References

Packages

In Ubuntu, install the packages samba and smbfs.

Samba Client

Linux

  • To mount a samba share in Linux (see [1]):
mkdir -p /windows/winshare
mount -t cifs //winmachine/testshare /windows/winshare
mount -t cifs -o username=user,password=secret //winmachine/testshare /windows/winshare
sudo mount -t cifs -o username=baddreams,uid=1000,gid=124 //phoenix/D$ /net/phoenix/d
  • It is better to always specify the option sec=[lanman,ntlm,ntlmv2] to avoid a permission denied error (see bug 1113395):
sudo mount -t cifs -o username=baddreams,uid=1000,gid=124,sec=ntlm //phoenix/D$ /net/phoenix/d
  • Or make it an entry in /etc/fstab. Note that gid=124 refers to group sambashare.
//mnemosyne/backup /net/mnemosyne/backuprw	cifs	username=backup,uid=999,gid=124


Share with passwords
  • There are 4 ways to give the password: on the command line, via the env. var PASSWD, via a credentials file, or interactively.
  • TIP! To pass the password via env. var PASSWD, first make sure that file /etc/sudoers contains the following:
Defaults    env_keep += "PASSWD"
Then the password can be passed to mount as follows:
stty -echo
read -p "password for user $USER@$SHARE? " PASSWD
stty echo
echo
export PASSWD
sudo mount -t cifs -o noperm,iocharset=utf8,uid=$(id -u),forceuid,gid=$(id -g),forcegid,username=$USER "$SHARE" /smb
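
The credentials-file method listed above keeps the password off the command line, where it would be visible in the process list and the shell history. The following is an added example, not part of the original page: it writes such a file with mode 0600 and scans an fstab for cifs entries that embed a password or reference a credentials file that is not private. The function names are illustrative; username=, password= and domain= are the keys mount.cifs reads from a credentials file.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are illustrative.

# write_cifs_credentials FILE USER [DOMAIN]: the password is read from stdin, so
# it never appears in the process list or in the shell history.
write_cifs_credentials() {
    cred_file=$1; cred_user=$2; cred_domain=${3:-}
    IFS= read -r cred_pass || [ -n "$cred_pass" ] || return 1
    (
        umask 077                      # new file is created with mode 0600
        rm -f -- "$cred_file"          # never write through an old file or symlink
        {
            printf 'username=%s\n' "$cred_user"
            printf 'password=%s\n' "$cred_pass"
            [ -z "$cred_domain" ] || printf 'domain=%s\n' "$cred_domain"
        } > "$cred_file"
    )
}

# check_cifs_credentials FILE: true only for a regular, non-symlink file with
# mode 0600 (owner read/write, nothing for group and others).
check_cifs_credentials() {
    [ -f "$1" ] && [ ! -L "$1" ] &&
        [ "$(ls -ld -- "$1" | cut -c1-10)" = "-rw-------" ]
}

# fstab_cifs_findings FSTAB: report cifs entries that embed the password or
# point to a credentials file that fails check_cifs_credentials.
fstab_cifs_findings() {
    while read -r dev mnt type opts rest; do
        case $dev in ''|'#'*) continue ;; esac
        [ "$type" = cifs ] || continue
        old_ifs=$IFS; IFS=,
        for o in $opts; do
            case $o in
                password=*|pass=*) echo "$mnt: password stored in fstab" ;;
                credentials=*|cred=*)
                    check_cifs_credentials "${o#*=}" ||
                        echo "$mnt: ${o#*=} is not a private 0600 file" ;;
            esac
        done
        IFS=$old_ifs
    done < "$1"
}
# Mount with: sudo mount -t cifs -o credentials=FILE,uid=$(id -u) //server/share /mnt/point
```
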

Windows

Use the net use command to mount a network samba share. Better specify the domain name to override any corporate domain:

net use G: \\localserver\beq06659 /USER:WORKGROUP\beq06659

CAREFUL CORPORATE USER: If you get the following error message although you are giving the correct password, you might need to specify the user DOMAIN as well (as specified in /etc/samba/smb.conf).

The specified network password is not correct.

Samba Server

Installation

(From [2])

  • Install Samba
sudo apt-get install samba smbfs
  • Edit the configuration file /etc/samba/smb.conf
    • Uncomment the line security = user, and add a link to the smbusers file
security = user
username map = /etc/samba/smbusers             # ... does not seem mandatory, though
  • If you are still using NTLM v1, you need to add this [3]:
  ntlm auth = yes
  • Add the user
sudo smbpasswd -a beq06659
  • Create the user mapping file that maps samba user to linux user in file /etc/samba/smbusers:
<linuxuser>="<sambauser>"
  • Uncomment the section corresponding to the shares you want to enable:
[homes]
   comment = Home Directories
   browseable = no
 
[c]
   comment = Windows Drive C
   browseable = yes
   path = /win/c
   printable = no
   guest ok = no
   read only = yes
   create mask = 0644
   directory mask = 0755

[d]
   comment = Windows Drive D
   browseable = yes
   path = /win/d
   printable = no
   guest ok = no
   read only = yes
   create mask = 0644
   directory mask = 0755
  • Don't forget to open the ports on your firewall !!!
  • Restart the samba daemon
sudo /etc/init.d/smbd restart

Server Firewall Settings

The following ports must be opened ([4], [5]):

Service        Port   Prot   Description
netbios-ns     137    UDP    NetBIOS Name Service
netbios-dgm    138    UDP    NetBIOS Datagram Service
netbios-ssn    139    TCP    NetBIOS Session Service
microsoft-ds   445    TCP    Microsoft Directory Service

As advised here, port 135/tcp[1] is better left closed (it has already been exploited by worms); closing it does not cause any malfunction.

Share without user/password

Reference: [6].

The idea is to open up the samba shares to all computers on a private network (by restricting network interfaces).

  • Edit /etc/samba/smb.conf. Set interfaces to lo and
interfaces = lo eth1
bind interfaces only = true
  • Make sure that security is set to share (not user), and that guest account is enabled:
security = share
...
guest account = nobody
  • Create a share accessible to guest users:
[Guest Share]
    comment = Guest access share
    path = /path/to/dir/to/share
    browseable = yes
    read only = yes
    guest ok = yes
  • Test that configuration is good with testparm:
testparm
  • Restart samba:
sudo /etc/init.d/samba reload
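
A check for the guest-share setup of this section, as an added example that is not part of the original page: it parses an smb.conf and reports guest shares that are served without bind interfaces only, guest shares that are writable, and the ntlm auth = yes setting from the installation steps. The function names and the sample configuration are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original page. sample_smbconf prints a constructed
# smb.conf: the guest share of this section, deliberately misconfigured.
sample_smbconf() {
cat <<'EOF'
[global]
   interfaces = lo eth1
   ntlm auth = yes
   guest account = nobody
[Guest Share]
   path = /path/to/dir/to/share
   read only = no
   guest ok = yes
EOF
}

# smbconf_guest_audit FILE: print one finding per line; exit status 1 if any.
smbconf_guest_audit() {
    awk '
    function trim(s)   { gsub(/^[ \t]+|[ \t\r]+$/, "", s); return s }
    function on(v)     { return v ~ /^(yes|true|1)$/ }
    function report(m) { print m; n++ }
    /^[ \t]*([#;]|$)/ { next }                 # comment or blank line
    /^[ \t]*\[/ {                              # section header such as [Guest Share]
        sec = trim($0); sub(/^\[/, "", sec); sub(/\].*$/, "", sec); next
    }
    {
        eq = index($0, "="); if (!eq) next
        key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
        val = tolower(trim(substr($0, eq + 1)))
        if (tolower(sec) == "global") g[key] = val
        else if (key == "guestok" || key == "public") { if (on(val)) guest[sec] = 1 }
        else if (key == "readonly" && val ~ /^(no|false|0)$/) rw[sec] = 1
    }
    END {
        for (s in guest) {
            if (!on(g["bindinterfacesonly"]))
                report("[" s "] guest share, but bind interfaces only is not enabled")
            if (s in rw) report("[" s "] guest share is writable (read only = no)")
        }
        if (on(g["ntlmauth"])) report("[global] ntlm auth = yes: NTLMv1 is accepted")
        exit (n > 0)
    }' "$1"
}

# Demo on the constructed sample.
tmp=$(mktemp) && sample_smbconf > "$tmp" && { smbconf_guest_audit "$tmp" || true; }
rm -f "$tmp"
```

Run it next to testparm, for example smbconf_guest_audit /etc/samba/smb.conf; no output and exit status 0 mean none of the three conditions was found.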

Mount as User

To mount a samba share as a regular user (i.e. without sudo), the following conditions must be met:

  • /bin/mount, /bin/umount, /sbin/mount.cifs, /sbin/umount.cifs must be setuid (sudo chmod +s ...)
  • share point must be owned by the user (chown username mountpoint).
    • It may be optional, but it does not hurt to set the group of the mount point to sambashare, and to verify that the user is in that group
  • mount spec in fstab must contain the option user (or users to let any user unmount).
    • It seems that option suid should be present as well, but does not seem to do anything good to me.
//mnemosyne/public /net/mnemosyne/publicrw	cifs	noauto,users,guest	0 0
//mnemosyne/public /net/mnemosyne/public	cifs	noauto,users,ro,guest,suid 	0 0

Tips

Auto-mount / unmount shares with systemd

This tip is similar to using autofs. However, it also unmounts the shares automatically, so that there is no longer any 90-second timeout at shutdown [7].

Add to /etc/fstab:

//10.0.0.2/Penny /mnt/penny cifs noauto,x-systemd.automount,x-gvfs-hide,x-systemd.device-timeout=10,x-systemd.idle-timeout=1min,credentials=/home/name/.smbcredentials,users,_netdev 0 0

After that, reload the daemon with systemctl daemon-reload (or reboot).

This will auto-unmount the shares after 60s.

Auto-unmount shares on shutdown

This tip requires NetworkManager [8].

Create a file /etc/NetworkManager/dispatcher.d/pre-down.d/mount_cifs:

#!/bin/bash
umount -a -l -t cifs

autofs mount tips

  • echo_interval=4
This also sets the timeout interval for an unresponsive server.

Troubleshooting

Logging

It seems that logging is not enabled by default (?!?) in samba, which is not very handy for troubleshooting connection issues.

To enable, add to /etc/samba/smb.conf:

[global]
   log level = 3
   log file = /var/log/samba/log.%m

Log level 3 already generates a lot of logging information and should be used only for debugging purposes (higher levels are reserved for samba developers).

Changes made on server not visible to clients

We must disable the opportunistic locks [9], [10], [11].

Add to each share configuration in file /etc/samba/smb.conf:

[shareXYZ]
   ....  
   oplocks = False
   level2 oplocks = False
   kernel oplocks = yes

Mount errors

mount error(13): Permission denied
  • We have the following error when mounting a share with sudo mount -t cifs //mnemosyne/movies /mnt/any -o rw,username=movies
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
  • dmesg:
[20662.908952] CIFS VFS: Send error in SessSetup = -13
[20662.909123] CIFS VFS: cifs_mount failed w/return code = -13
  • The fix is to add option sec=lanman (or sec=ntlm, or sec=ntlmv2).
This is apparently due to /proc/fs/cifs/SecurityFlags being set to 0x81 instead of 0x07 in previous versions of Ubuntu. See bug 1113395 and https://www.kernel.org/doc/readme/fs-cifs-README.
sudo mount -t cifs //mnemosyne/movies /mnt/any -o rw,username=movies,sec=ntlm
mount error(5): Input/output error
  • Solution: Use the server IP address instead of server name:
sudo mount -v -t cifs -o noperm,iocharset=utf8,credentials=/etc/auto.smb.st.peetersm //docs.zav.st.com/MinaShare /mnt/any
# mount error(5): Input/output error
# Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
sudo mount -v -t cifs -o noperm,iocharset=utf8,credentials=/etc/auto.smb.st.peetersm //10.136.3.100/MinaShare /mnt/any
  • 2nd solution: make sure the hostname used is correct (no typo!). Sometimes detecting typos is really hard because how weird
  • 3rd solution: Verify hosts entry (first name must be the canonical name, followed by possible aliases).

Error X and Y are the same file

Trying to rename or copy files gives the following error [12]:

mv /mnt/Files_Apps/temp/IMG_5624.MOV "/mnt/Files_Apps/2016-07-19 21 39 21.MOV"
# mv: '/mnt/Files_Apps/temp/IMG_5624.MOV' and '/mnt/Files_Apps/2016-07-19 21 39 21.MOV' are the same file

The fix is to disable caching with cache=none in the mount options [13].

Troubleshooting tips

  • Try using IP address instead of name.
  • Try the mount --verbose (-v) option.
  • Try network mapper in Nautilus application. This may give a different error code or more detailed error.
  • Try a samba client in user-land (like gigolo or smbfs) to see if problem is in the kernel.
  • Try smbclient.
smbclient -L someserver -m NT1

References

  1. DCE RPC, i.e. Distributed Computing Environment and Remote Procedure Call