Samba cheat sheet – Ubuntu

Samba. Whopping goodness. Here are a few notes that help with the setup, from user creation to directory settings, etc.

This blog post contains a few lessons learnt and thus by extension a migration plan from a Windows file server to a Samba-based one running on Ubuntu 10.04 LTS. I look at users, system vs smbpasswd user creation and linking (set that up in Webmin before you start, as well as for groups), share setups, general permissions and some very basic troubleshooting (as there weren’t many troubles, just headaches.)

Users

Create the users on your system. Ideally, put them all into the same base group with a /bin/false shell or similar (unless you’re allowing login) to allow group-based read-back of files they create. On home shares, just set permissions to 0700 or similar to restrict access to their files.

You can create a batch of users using this script – or just use the highlighted line if you’ve already created and linked the users in batch creation before (thanks to Matthew Daubenspeck for the script below)

If you have already batch-created users in webmin or the like, you may need to enable the user (smbpasswd -e USERNAME); otherwise, add them (smbpasswd -a USERNAME)

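# cat importusers.sh
#!/bin/bash
# Batch-create system and Samba users from "username password" lines in $datafile.
# Run as root. $datafile holds plaintext passwords: keep it root-only and delete it afterwards.
datafile=userdata
filesystem="/dev/sda1"

while read -r username password
do
  # Skip blank lines
  [ -z "$username" ] && continue
  # Ubuntu's adduser does not take -m/-s/-p, so use useradd; no login shell
  /usr/sbin/useradd -m -s /bin/false "$username"
  # Set the UNIX password on stdin (useradd -p expects an already-hashed value)
  echo "$username:$password" | /usr/sbin/chpasswd
  # Create the matching Samba account; -s reads the password from stdin
  (echo "$password"; echo "$password") | /usr/bin/smbpasswd -s -a "$username"
  # Block quota: no soft limit, 1048576 KB (1 GB) hard limit; no inode limits
  /usr/sbin/setquota -u "$username" 0 1048576 0 0 -a "$filesystem"
  /bin/chmod 700 "/home/$username"
done < "$datafile"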

# cat userdata
user1 password1
user2 password2
etc etc

Listing Users

Listing users is simple, too:

To check the users on the system: getent passwd
To check the groups overview: getent group
Or, to check which users are in a group of name GROUPNAME: apt-get install members followed by members GROUPNAME
Alternatively, to check which groups a user is part of: groups USERNAME

For online password change by the user, install usermin (should just be a dpkg -i usermin if you followed the webmin install script posted elsewhere on this blog)

SAMBA

A basic configuration for a standalone Windows network – your mileage may vary:

[global]
log file = /var/log/samba/log.%m
load printers = no
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
socket options = SO_KEEPALIVE TCP_NODELAY IPTOS_LOWDELAY
obey pam restrictions = yes
ntlm auth = yes
create mask = 0644
map to guest = bad user
domain master = Yes
local master = Yes
encrypt passwords = yes
passwd program = /usr/bin/passwd %u
passdb backend = tdbsam
wins support = true
dns proxy = no
netbios name = SERVERNAME
server string = %h server (Samba, Ubuntu)
unix password sync = yes
workgroup = WORKGROUP
debug level = 3
os level = 33
directory mask = 0755
syslog = 0
security = user
panic action = /usr/share/samba/panic-action %d
usershare allow guests = yes
max log size = 1000
pam password change = yes

Once you’ve got that in place, you may want to create your shares, similar to the below, and replace SHARE NAME and GROUP NAME as appropriate:

[SHARE NAME]
writeable = yes
path = /path/to/data
force group = GROUPNAME
revalidate = yes
comment = Comment
valid users = @GROUPNAME
create mode = 0660
directory mode = 0770

GROUPNAME is the group that has rights to the directory. Important note: even if everything checks out in testparm (which you can use to test the settings and read back status), and you have enabled and linked the users, you may still be getting access denied errors, along with log messages like:

  • check_ntlm_password:  Authentication for user failed with error NT_STATUS_WRONG_PASSWORD
  • fcntl_lock: fcntl lock gave errno 11
  • failed to find user in passdb backend
  • rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)

(well put on www.brennan.id.au):

You may have successfully created all of your shares for the Samba server and they may all be publicly accessible to the client workstation, however you may still be getting “Access Denied” errors on your Windows workstation. This normally occurs when the underlying file and directory permissions on the Linux filesystem are not appropriate to what the user has been granted.

The [Shared] section which we declared earlier in our set up has been configured to allow full permissions for everyone to access the shared resource. For Samba to fully support the requirements here, the “/samba/shared” directory must be assigned the directory permissions of 777, the default directory permissions of 755 would not allow all world users to create new files, regardless of the two “mask” declarations.

Similarly the [SHARE NAME] section is only available to valid users of the UNIX “GROUPNAME” group and should therefore have the directory permissions of 770 assigned to the “/path/to/data” directory. The group allocation should also be changed with the “chgrp GROUPNAME /path/to/data” command, this allows the valid users to access the resource with the GROUPNAME group permissions.

The incorrect assignment of file and directory permissions are the main reason why “Access Denied” errors occur when accessing the system with a valid user account. You should always confirm what permissions a resource is to be allocated, and ensure the “[section]” and filesystem permissions are assigned correctly.

Also have a look at the Samba documentation and the Ubuntu Community Help.
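The mismatch between a share definition and the directory permissions described above can be checked from the shell. This is an added example, not part of the original post or the quoted site: the function names get_param and check_share are made up for illustration, it assumes GNU stat, and the demo config and directory are constructed.

```bash
# Added example: compare a share in an smb.conf-style file with its directory.

# get_param CONF SECTION KEY -> prints the value of KEY inside [SECTION]
get_param() {
  awk -v sec="[$2]" -v key="$3" '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^[ \t]*\[/ { insec = (trim($0) == sec); next }
    insec && index($0, "=") {
      if (trim(substr($0, 1, index($0, "=") - 1)) == key) {
        print trim(substr($0, index($0, "=") + 1)); exit
      }
    }' "$1"
}

# check_share CONF SECTION -> returns 0 if the directory suits the share, else 1
check_share() {
  cs_path=$(get_param "$1" "$2" "path")
  cs_want=$(get_param "$1" "$2" "force group")
  cs_rc=0
  [ -d "$cs_path" ] || { echo "FAIL [$2]: '$cs_path' is not a directory"; return 1; }
  cs_group=$(stat -c %G "$cs_path")    # group owning the directory
  cs_perms=$(stat -c %A "$cs_path")    # symbolic mode, e.g. drwxrwx---
  if [ "$cs_group" != "$cs_want" ]; then
    echo "FAIL [$2]: group is $cs_group, want $cs_want (chgrp $cs_want $cs_path)"
    cs_rc=1
  fi
  case $cs_perms in
    d???rw[xs]*) ;;                    # group has rwx (s = setgid + x)
    *) echo "FAIL [$2]: $cs_perms denies the group rwx (chmod 770 $cs_path)"
       cs_rc=1 ;;
  esac
  case $cs_perms in
    *---) ;;                           # nothing granted to "other"
    *) echo "WARN [$2]: $cs_perms lets users outside $cs_want in" ;;
  esac
  [ "$cs_rc" -eq 0 ] && echo "OK [$2]: $cs_path is $cs_group $cs_perms"
  return "$cs_rc"
}

# Constructed demo: a throwaway share directory left at the default 755.
demo=$(mktemp -d)
mkdir "$demo/data" && chmod 755 "$demo/data"
demo_group=$(stat -c %G "$demo/data")
printf '[SHARE NAME]\npath = %s\nforce group = %s\nvalid users = @%s\n' \
  "$demo/data" "$demo_group" "$demo_group" > "$demo/smb.conf"
check_share "$demo/smb.conf" "SHARE NAME" || true   # FAIL: 755 denies group write
chmod 770 "$demo/data"
check_share "$demo/smb.conf" "SHARE NAME" || true   # OK
```

On a real server, point check_share at /etc/samba/smb.conf and the share name; it only reads the config and runs stat, so it changes nothing.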

Oh, and for the rlimit_max error above, add

*                -      nofile           16384

to /etc/security/limits.conf

Your mileage may vary… but you knew that already!

Oh, and to backup, rsync is now your friend again!! 🙂