Citrix XenApp


Sunday, 15 July 2012

How to mount samba share on Linux client

Samba provides connectivity between Linux and Windows. It can be used to share printers, share directories, connect to a Windows domain, and many other useful features.

To mount your Samba share on your Linux client, open the /etc/fstab file and insert the following line:

//172.19.12.137/Music /mnt/samba cifs credentials=/etc/accessfile 0 0

Now create a new file, /etc/accessfile, with the following contents:

username=Suhail
password=some_password

Save the file and restart your Linux client (or run the command mount -a). After that you should be able to access the share content from the Samba server under the /mnt/samba directory.

Using a credentials file is preferred over having passwords in plaintext in a shared file such as /etc/fstab. Be sure to protect any credentials file properly, and note that there should not be any extra space in this file.

If there are any spaces in the credentials file, you might get the following error when trying to mount the file system:

mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
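The check below is an added example, not part of the original post: it lints a mount.cifs credentials file for the two problems described above, loose permissions and stray whitespace. Treating any group or other permission bit as a finding is an assumption about what "protect properly" means, and check_cifs_credentials is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: lint a mount.cifs credentials file such as /etc/accessfile.
# Prints one finding per line (never the values themselves) and returns
# 0 = clean, 1 = findings, 2 = file missing.
# Usage: check_cifs_credentials /etc/accessfile
check_cifs_credentials() {
    file=$1
    if [ ! -f "$file" ]; then
        echo "missing: $file"
        return 2
    fi
    findings=$(
        # Characters 5-10 of the ls mode string are the group and other bits.
        perms=$(ls -ld -- "$file" | cut -c5-10)
        [ "$perms" = "------" ] || echo "mode: group/other bits set ($perms)"
        awk '
            /^$/                              { next }
            /[ \t\r]$/                        { print "line " NR ": trailing whitespace or CR"; next }
            /^[ \t]/                          { print "line " NR ": leading whitespace"; next }
            /^[^=]*[ \t]=/ || /^[^=]*=[ \t]/  { print "line " NR ": whitespace around ="; next }
            !/^(username|password|domain)=./  { print "line " NR ": not a known key=value line" }
        ' "$file"
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}
```

A file saved with Windows line endings is reported as trailing whitespace, because the carriage return would otherwise become part of the value.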

Saturday, 14 July 2012

How to Convert smbpasswd to tdbsam on Samba

The latest release of Samba offers many new features including new password database backends not previously available. Samba version 3.0.0 fully supports all databases used in previous versions of Samba. However, although supported, many backends may not be suitable for production use.

The tdbsam backend provides an ideal database back-end for local servers, servers that do not need built-in database replication, and servers that do not require the scalability or complexity of LDAP. The tdbsam back-end includes all of the smbpasswd database information as well as the previously-excluded SAM information. The inclusion of the extended SAM data allows Samba to implement the same account and system access controls as seen with Windows NT/2000/2003-based systems.

The tdbsam backend is recommended for 250 users at most. Larger organizations should use Active Directory or LDAP integration because of scalability and possible network infrastructure concerns.

To convert smbpasswd to tdbsam, enter the following as root on the command line:

pdbedit -i smbpasswd:/etc/samba/smbpasswd -e tdbsam:/etc/samba/passdb.tdb

Then ensure the global section of smb.conf has this entry:

passdb backend = tdbsam

Friday, 13 July 2012

Creating Recycle Bin for Samba storage

Samba is mainly used to share files between Linux and Windows. It often happens that a user deletes a file from the Samba server and later wants it back, which is not possible with the default configuration of the Samba server.

The best option is to have a "Recycle bin" for every user on the Samba server.
Here is an example of modifying the home directories of your users in the Samba configuration file:

[homes]
comment = Home Directory
valid users = %S
browsable = no
guest ok = no
read only = no
vfs object = recycle
recycle:repository = RecycleBin
recycle:keeptree = yes
recycle:exclude = *.tmp, *.bak

The “vfs object” line calls in the plug-in that enables recycle bin capability. On the other lines, you’re setting the name of the recycle bin directory, telling Samba to preserve the whole structure of any directories that a user may delete, and finally, telling it not to keep certain types of files.

Thursday, 12 July 2012

Transfer Linux user to Samba users

To configure Samba on your Red Hat Linux system to use encrypted passwords, follow these steps:

1. Create a separate password file for Samba. To create one based on your existing /etc/passwd file, at a shell prompt, type the following command:

# cat /etc/passwd | mksmbpasswd.sh > /etc/samba/smbpasswd

If the system uses NIS, type the following command:

# ypcat passwd | mksmbpasswd.sh > /etc/samba/smbpasswd

The mksmbpasswd.sh script is installed in your /usr/bin directory with the samba package.

2. Change the permissions of the Samba password file so that only root has read and write permissions:

# chmod 600 /etc/samba/smbpasswd

3. The script does not copy user passwords to the new file, and a Samba user account is not active until a password is set for it. For higher security, it is recommended that the user's Samba password be different from the user's Red Hat Linux password. To set each Samba user's password, use the following command (replace username with each user's username):

# smbpasswd username

4. Encrypted passwords must be enabled in the Samba configuration file. In the file smb.conf, verify that the following lines are not commented out:

encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd

5. Make sure the smb service is started by typing the command service smb restart at a shell prompt.

Wednesday, 11 July 2012

Sync users' Samba passwords with their system passwords

The pam_smbpass PAM module can be used to sync users' Samba passwords with their system passwords when the passwd command is used.
If a user invokes the passwd command, the password he uses to log in to the system as well as the password he must provide to connect to a Samba share are changed.

To enable this feature, add the following line to /etc/pam.d/system-auth below the pam_cracklib.so invocation:

password required /lib/security/pam_smbpass.so nullok use_authtok try_first_pass

Tuesday, 10 July 2012

Sync Samba and Unix password

The pam_smbpass PAM module can be used to sync users’ Samba passwords with their system passwords.
If a user invokes the passwd command, the password he uses to log in to the system as well as the password he must provide to connect to a Samba share are changed.

To enable this feature, add the following line to /etc/pam.d/system-auth below the pam_cracklib.so invocation:

password required /lib/security/pam_smbpass.so nullok use_authtok try_first_pass

Sunday, 8 July 2012

Samba Server As Primary Domain Controller

Server
a. Operating System: Fedora-15
b. Samba Server: Samba version 3.0.23c-2 (included in Fedora DVD)

Computer Name: server
Comment: Domain Controller
Domain Name: rizvi.com
Domain admin Name: root
IP Address: 192.168.0.10

Client
a. Operating System: Windows XP SP2

Computer Name: wxp
Domain Name: rizvi.com
IP Address: 192.168.0.20

Configuration

Server
1. vi /etc/hosts

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1       localhost.localdomain    localhost
192.168.0.10    server


2. vi /etc/sysconfig/network

NETWORKING=yes
HOSTNAME=server


3. vi /etc/sysconfig/network-scripts/ifcfg-eth0

# Advanced Micro Devices [AMD] 79c970 [PCnet32 LANCE]
DEVICE=eth0
BOOTPROTO=static
BROADCAST=192.168.0.255
HWADDR=00:0C:29:9E:C2:10
IPADDR=192.168.0.10
NETMASK=255.255.255.0
NETWORK=192.168.0.0
ONBOOT=yes

4. vi /etc/samba/smb.conf

[global]
workgroup = rizvi.com
netbios name = Server
server string =

security = user
encrypt passwords = yes

domain logons = yes

local master = yes
os level = 65
preferred master = yes

domain master = yes

wins support = yes

[homes]
   comment = Home Directories
   browseable = no
   writeable = yes

5. Add a group for client machines in /etc/group by typing:
 groupadd -r DomainClientComputers

Register the machine name of the client to be joined in /etc/passwd by typing:
 useradd -r -g DomainClientComputers -d /dev/null -s /dev/null wxp$

Add the machine name to /etc/samba/smbpasswd:
 smbpasswd -a -m wxp

6. Add root to /etc/samba/smbpasswd to serve as the domain admin:
smbpasswd -a root

7. adduser sohail

Add sohail as a client user in /etc/samba/smbpasswd:
smbpasswd -a sohail

8. service smb restart

9. chkconfig smb on

Mount Samba share using fstab

To mount a Samba share when the Linux system comes up after a reboot, edit the /etc/fstab file and add an entry like the following for your Windows/Samba share:

//ntserver/share /mnt/samba smbfs username=username,password=password 0 0


For example, if you want to mount a share called //ntserver/docs then you need to write the following entry in the /etc/fstab file:

//192.168.0.1/share /mnt/samba smbfs username=sohail,password=passwd123 0 0
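
/etc/fstab is normally world-readable, so a password written into the options field is visible to every local user. The functions below are an added example, not part of the original post: one lists the mount points whose fstab entry embeds a password, the other prints the fstab with those inline options replaced by a credentials= file. The function names are hypothetical, and using one credentials path for every rewritten entry is an assumption.

```shell
#!/bin/sh
# Added example: find and rewrite SMB/CIFS fstab entries that embed credentials.

# Print the mount point of every cifs/smbfs entry with password= (or pass=)
# in its options field. $1 = path to an fstab-format file.
fstab_inline_passwords() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
        $3 == "cifs" || $3 == "smbfs" {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++)
                if (opt[i] ~ /^(password|pass)=/) { print $2; break }
        }' "$1"
}

# Print the fstab with inline username/password options dropped and
# credentials=<path> appended instead. $1 = fstab file, $2 = credentials path.
# Entries without inline credentials and non-SMB entries pass through unchanged.
fstab_use_credentials() {
    awk -v cred="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ || ($3 != "cifs" && $3 != "smbfs") { print; next }
        {
            n = split($4, opt, ","); out = ""; hit = 0
            for (i = 1; i <= n; i++) {
                if (opt[i] ~ /^(username|user|password|pass)=/) { hit = 1; continue }
                out = out (out == "" ? "" : ",") opt[i]
            }
            if (hit) $4 = (out == "" ? "" : out ",") "credentials=" cred
            print
        }' "$1"
}
```

Review the rewritten output before installing it, and create the credentials file with the username and password that were removed from the entry.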

Friday, 6 July 2012

Using Samba As File Server in Linux with guest(Anonymous) login and read-write access


1. Create a folder for sharing
    mkdir sharedrive

2. Give full access to that folder
    chmod 777 sharedrive

3. Edit the smb.conf file
    vi /etc/samba/smb.conf

[global]
# workgroup = NT-Domain-Name or Workgroup-Name
   workgroup = WORKGROUP

# server string is the equivalent of the NT Description
   server string = Samba Server

map to guest = bad user

encrypt passwords = yes
lanman auth = Yes

[Guest Share]
       comment = Guest access share
       path = /sharedrive
       guest ok = yes
       writeable = yes
       create mask = 777

4. Test the smb.conf file
    testparm

5. Restart the service
    service smb restart

6. chkconfig smb on
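
The configuration above deliberately gives anonymous users write access, and it also turns on LANMAN authentication, which accepts the weak LM password hash. The audit below is an added example, not part of the original post: it reads an smb.conf-style file and reports those settings so that an intentional guest share can be told apart from an accidental one. The function name and the message wording are hypothetical.

```shell
#!/bin/sh
# Added example: report risky settings in an smb.conf-style file.
# Output: one "<section>: <finding>" line per issue. $1 = path to the file.
audit_smb_conf() {
    awk '
        # Parameter names and booleans are case-insensitive in smb.conf.
        function norm(s) { gsub(/[ \t]+/, " ", s); sub(/^ /, "", s); sub(/ $/, "", s); return tolower(s) }
        function yes(v)  { return v == "yes" || v == "true" || v == "1" }
        function endsec() {
            if (sec != "" && guest && writable) print sec ": guest-writable share"
        }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }          # comments and blank lines
        /^[ \t]*\[/ {                                 # new section header
            endsec()
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            guest = 0; writable = 0
            next
        }
        {
            eq = index($0, "=")
            if (!eq) next
            key = norm(substr($0, 1, eq - 1)); val = norm(substr($0, eq + 1))
            if (key == "lanman auth" && yes(val)) print sec ": lanman auth enabled"
            if (key == "guest ok" || key == "public") guest = yes(val)
            if (key == "writeable" || key == "writable" || key == "write ok") writable = yes(val)
            if (key == "read only") writable = !yes(val)
            # A final octal digit of 2, 3, 6 or 7 has the world-write bit set.
            if ((key == "create mask" || key == "create mode") && val ~ /[2367]$/)
                print sec ": create mask " val " allows world-writable files"
        }
        END { endsec() }
    ' "$1"
}
```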

Friday, 25 March 2011

Install Samba Server on Red Hat Enterprise Linux/CentOS/Scientific Linux 6

Recently the latest version of Scientific Linux 6 was released. Scientific Linux is a distribution which uses Red Hat Enterprise Linux as its upstream and aims to be compatible with binaries compiled for Red Hat Enterprise. I am really impressed with the quality of this distro and the timeliness with which updates and security fixes are distributed. Thanks to all the developers and testers on the Scientific Linux team!
In this post I will discuss installing Red Hat Enterprise Linux/CentOS/Scientific Linux 6 as a Samba server. The instructions should also be relevant to other Linux distros including CentOS. This example will rely on a local user database as the mechanism to provide security. In future posts I may discuss more complex scenarios including integrating the Samba server into Windows domains and Active Directory.
Let’s start off by installing the Samba server package and its dependencies:
# yum -y install samba
It is a good idea to set up a distinct group to allow access to the directory we will share. I will specify a group ID to prevent any overlap with the default groups created when individual users are added, which on most Linux distros these days start at 500 or 1000.
# groupadd -g 10000 fileshare
Now we will create a directory that will host our Samba share:
# mkdir /home/data
We need to modify the permissions on the directory to allow write access for users in our new group:
# chgrp fileshare /home/data
# chmod g+w /home/data
SELinux
UPDATE (5/10/2011): Recently I was setting up a Samba share on an existing file system that already contained files and I was unable to get SELinux configured to allow Samba to function correctly. This occurred even with using the -R option specified below to recurse and relabel the existing files. So be aware that you may have problems like I did and you may need to set SELinux to permissive or disabled in the “/etc/selinux/config” file. In my case there were no denials logged in the “/var/log/audit/audit.log” so it was very difficult to troubleshoot.
Now we need to modify SELinux to allow access privilege to our new Samba share. By default this is denied and users will be unable to write files to the share. Details of the SELinux configuration needed can be found in the default config file “/etc/samba/smb.conf”.
Here are some good references regarding SELinux:
Now run the SELinux config command to allow user access to the Samba share directory. New directories and files created under our Samba share directory will automatically inherit the SELinux context of the parent directory. Use the -R option with “chcon” to recurse if there are existing files in the directory you are sharing:
# chcon -t samba_share_t /home/data
Now we will create a user to access the Samba share. The command options specify to add the user to a supplementary group “fileshare”, do not create a home directory, and set the login shell to “/sbin/nologin” to prevent logins to the console. We only want the user access to the Samba file share:
# useradd -G fileshare -u 1000 -M -s /sbin/nologin aaron
Assign a password to this user, although the user shouldn’t have any console login privileges:
# passwd aaron
Now we need to set up our Samba configuration file.  I will move the existing config file and create a fresh copy to be more concise. But don’t delete it, as it contains a good amount of documentation so it is a handy resource if you want to add directives later.
Move the existing file and edit the new file:
# mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
# vi /etc/samba/smb.conf
Now edit the new “smb.conf” file and add parameters like this:
[global]
workgroup = WORKGROUP
server string = samba
security = user
passdb backend = tdbsam
load printers = no
[data]
comment = data directory
path = /home/data
writeable = yes
public = no
The “global” section contains directives that apply to the whole Samba instance. We can define the workgroup or domain this server is a member of, what security mechanism to use (user, share, domain), and the password database type “tdbsam”. The old “smbpasswd” password file is no longer recommended for use on new installations. The “load printers” directive I set to “no” because I won’t be using the CUPS printing system and connection refused errors will show up in “/var/log/messages” unless this is specified.
The 2nd section (and on if you have more than one share) has details on each Samba file share. In this case the share is named “data”, we can define if it is writeable, and “public” defines whether users not in the Samba password database can access the share.
We should test the parameters of the “smb.conf” file to make sure there are no errors:
# testparm
Once you’ve run the “testparm” command and received no errors in the output you should be set to go. You may notice that some of the parameters won’t show in the output, this is fine and indicates that some are the Samba default. We’ll now make the Samba password for the user we are adding:
# smbpasswd -a aaron
New SMB password:
Retype new SMB password:
I received a bunch of output after entering the password that you can see below. From what I can tell this is not a problem and it printed a message at the bottom that the user was added. Later when I fired up Samba and connected to the share with this user everything worked normally.
tdbsam_open: Converting version 0.0 database to version 4.0.
tdbsam_convert_backup: updated /var/lib/samba/private/passdb.tdb file.
account_policy_get: tdb_fetch_uint32 failed for type 1 (min password length), returning 0
account_policy_get: tdb_fetch_uint32 failed for type 2 (password history), returning 0
account_policy_get: tdb_fetch_uint32 failed for type 3 (user must logon to change password), returning 0
account_policy_get: tdb_fetch_uint32 failed for type 4 (maximum password age), returning 0
account_policy_get: tdb_fetch_uint32 failed for type 5 (minimum password age), returning 0
account_policy_get: tdb_fetch_uint32 failed for type 6 (lockout duration), returning 0
account_policy_get: tdb_fetch_uint32 failed for type 7 (reset count minutes), returning 0
account_policy_get: tdb_fetch_uint32 failed for type 8 (bad lockout attempt), returning 0
account_policy_get: tdb_fetch_uint32 failed for type 9 (disconnect time), returning 0
account_policy_get: tdb_fetch_uint32 failed for type 10 (refuse machine password change), returning 0
Added user aaron.
To confirm that the user was added to the Samba tdb database use the “pdbedit” command:
# pdbedit -w -L
Now we need to make changes to the “iptables” firewall startup config file. Back up the file and edit it:
# cp /etc/sysconfig/iptables /etc/sysconfig/iptables.bak
# vi /etc/sysconfig/iptables
Add the first line below, which accepts packets on TCP/445. Be sure to add it above the last line of the “INPUT” chain, the one with the “REJECT” target, so that the rule is processed.
-A INPUT -p tcp --dport 445 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
Now you can edit the “smb” daemon to start automatically, then start “smb”:
# chkconfig smb on
# service smb start
If you now switch over to a Samba/SMB client you should be able to map a drive or browse the shares on the Samba server. If you want to browse the shares available you will need to manually enter something like “\\server1” or “\\192.168.100.1” without quotes in the address bar of Windows Explorer; the server won’t appear in Network Places. To enable full network browsing more configuration would be needed and you would probably need to enable the “nmb” daemon.