Linux/Samba

From Omnia
Jump to navigation Jump to search

Subpage Table of Contents

Samba Configuraiton smb.conf

smb.conf

Testing Configurations

Test Your Config File with testparm

# test configuration
testparm
# specify configuration file
testparm /etc/samba/smb.conf
# don't prompt for enter key
testparm -s

Debian testparm is in the samba-common-bin package:

apt-get install samba-common-bin

Test Password

smbclient //server/share -U [user]

It will then prompt for password and either give you a "smb: \>" prompt or a "NT_STATUS_LOGON_FAILURE"

Show all configuration parameters

Show parameter options:

testparm --show-all-parameters

Show configured parameters:

testparm -v

Minimal Samba Configuration

A minimal smb.conf:

[global]
  workgroup = WORKGROUP
  netbios name = MYSERVER
[share1]
  path = /tmp
[share2]
  path = /my_shared_folder
  comment = Some random files

Simple File Server

See Linux/Samba/Simple_File_Server for more complete version

[global]
    netbios name = ISO
    workgroup = WORKGROUP
    server string = ISO File Server

    security = user
    passdb backend = tdbsam
  
    # Disable printers:
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    show add printer wizard = no

[iso]
    comment = ISO Images
    path = /data/iso
    browseable = yes
    guest ok = no
    writable = yes
    valid users = iso
    create mask = 0660
    directory mode = 0770

Guest File Server

see Linux/Samba/Public_Share

Disable Printers

Novice question - How to completely disable printing and /etc/printcap errors:

load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

Read Only Share

[movies]
  path = /mythtv/movies
  guest ok = yes
  read only = yes
  valid users = kenneth bethany

Samba Commands

Linux

Searches for a master browser by looking up the NetBIOS name name with a type of 0x1d:

nmblookup  -M -- -

# show netbios names
nmblookup  -M -S -- -

Get machine IP address via NetBIOS lookup:

nmblookup <NETBIOS_NAME>

Get NetBIOS name from machine IP address:

nmblookup -A [IP_ADDRESS]

Report on current Samba connections:

smbstatus

Look at what services are available on a machine (password not always required, if anonymous connection allowed):

smbclient -L <NETBIOS_NAME>
smbclient -W [WORKGROUP/DOMAIN] -U [USER] -L [NETBIOS_NAME]

Windows

nbtstat

"Displays protocol statistics and current TCP/IP connections using NBT (NetBIOS over TCP/IP)."

Lists the remote machine's name table given its name:

nbtstat -a <NETBIOS_NAME>
nbtstat -a trogdor

Lists local NetBIOS names:

nbtstat -n

This indicates that the server is currently acting as the local master browser for the current subnet:

..__MSBROWSE__.<01>  GROUP       Registered

NET CONFIG displays configuration information of the Workstation or Server service. [1]:

# list workstation configuration information
net config workstation

# list server configiration information
net config server

# this appears to be an old command, but now aliases to 'workstation'
net config rdr

The registry can also be checked for browser information. [2]:

\HKEY_LOCAL_MACHINE \System \CurrentControlSet \Services \Browser \Parameters

View browselist:

net view

View remote available shares:

net view \\<NETBIOS_NAME>

Connect to a share:

net help use
net use k: \\data\files /user:kenneth

Master Browser

Samba Network Browsing

Become the domain master browser. There can only be one domain master browser per workgroup name.

[global]
domain master = Yes
local master = Yes
preferred master = Yes
os level = 35

Become a local master browser:

[global]
domain master = no
local master = Yes
preferred master = Yes
os level = 35

Never be Master Browser:

[global]
domain master = no
local master = no
preferred master = no
os level = 0

Performance

TCP No Delay:

socket options = TCP_NODELAY
"The socket option TCP_NODELAY is the one that seems to make the biggest single difference for most networks. Many people report that adding socket options = TCP_NODELAY doubles the read performance of a Samba drive. The best explanation I have seen for this is that the Microsoft TCP/IP stack is slow in sending TCP ACKs."

Source: Samba Chapter 45. Samba Performance Tuning

NTLMv2 and Vista

"support for NTLMv2 in Samba wasn’t fully developed until Samba v3.0.21." [3]

"3.0.21{a,b,c} - Complete NTLMv2 support by consolidating authentication mechanism used at the CIFS and RPC layers." [4]

Thread:

"I'm pretty sure it's been in since the first 3.0 release, but it has improved in subtle ways, right up to the fixes for security=domain without winbind in the latest release."

Thread:

"...This is *THE WORST* way to handle this. You are lowering the security on Vista instead of raising the security of Samba.

You are better off enabling NTLMv2 support in Samba. Granted you need to have Samba v3+ in order to do this. As far as I know 10.4.x is running Samba 3.

Add 'client NTLMv2 auth = Yes' in the [global] section."

Result: This did not appear to work for me.

Get Vista and Samba to work:

To get Vista to work with Samba follow the simple instructions below:

  1. Open the Run command and type "secpol.msc".
  2. Press "continue" when prompted by Vista.
  3. Click on "Local Policies" --> "Security Options"
  4. Navigate to the policy "Network Security: LAN Manager authentication level" and open it.
  5. By default Windows Vista sets the policy to "NTVLM2 responses only". Change this to "LM and NTLM – use NTLMV2 session security if negotiated".

Result: These steps do work for me.

Thread:

Supposedly Samba 3 supports NTLMv2

Samba 3 and NTLMv2 support Thread:

Says this will enable NTLMv2:
[Global]
lanman auth = no
ntlm auth = no

Linux bindings check

Next you need to be sure the library needed to run the winbindd daemon through nsswitch, libnss_winbind.so, is in the proper location, which is /lib. By default, this should already be there unless you installed Samba from source. If it's not there, copy the file from the samba/source/nsswitch directory where your Samba source is located.

I also found it necessary to make the following symbolic link:

root# ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2

Without this symbolic link, some of the commands used to test winbind will work and some won't.

The libraries needed by the winbindd daemon will be automatically entered into the ldconfig cache the next time your system reboots, but it is faster (and you do not need to reboot) if you do it manually now:

root# /sbin/ldconfig -v | grep winbind

This makes libnss_winbind available to winbindd and echoes back a check to you of:

libnss_winbind.so -> libnss_winbind.so 

Source: Using Winbind with Samba Domain Member Servers - JustLinux Forums

smbclient

List shares on windows machine or samba server:

smbclient -L windows_box

Send message from Linux

echo "This is a test" | smbclient -M <computer> -U <any_name>

Connect to samba server (using ftp like commands)

samba -U [user] \\\\machine\\share\\
samba -U [user] //machine/share/

Samples

See ...

Change Windows domain password from the command line

From Windows:

# change local password
net user <username> *
net user <username> <password>
# change domain password (need to be logged in to domain)
net user myuser * /domain
net user myuser <password> /domain

Linux:

smbpasswd -r <DOMAIN_CONTROLLER> -U <USERNAME>

Changing a Password from a Remote Windows Computer:

  1. Press CTRL+ALT+DEL to bring up the Windows Security dialog box.
  2. Press the Change Password button.
  3. Enter the User name whose password you wish to change.
  4. In the From dialog box, click either the computer name or domain name in the drop-down list box, or type the computer name or domain name that contains the User Account Database where the user name exists.
  5. Type the appropriate password in the Old Password, New Password, and Confirm New Password box.
  6. You should receive a message indicating "Your password has been changed."

References:

Notable Configuration Options

show add printer wizard:

"With the introduction of MS-RPC based printing support for Windows NT/2000 client in Samba 2.2, a "Printers..." folder will appear on Samba hosts in the share listing. Normally this folder will contain an icon for the MS Add Printer Wizard (APW). However, it is possible to disable this feature regardless of the level of privilege of the connected user.
Default: show add printer wizard = yes 

time server:

"This parameter determines if nmbd(8) advertises itself as a time server to Windows clients."
Default: time server = no 

Issues

PAM control

PAM authentication will not work with Samba as it requires the use of clear text passwords, which are no longer supported with Windows NT and above.


encrypt passwords:

"This boolean controls whether encrypted passwords will be negotiated with the client. Note that Windows NT 4.0 SP3 and above and also Windows 98 will by default expect encrypted passwords unless a registry entry is changed." [5]


Chapter 28. PAM-Based Distributed Authentication:

"This chapter should help you to deploy Winbind-based authentication on any PAM-enabled UNIX/Linux system. Winbind can be used to enable user-level application access authentication from any MS Windows NT domain, MS Windows 200x Active Directory-based domain, or any Samba-based domain environment. It will also help you to configure PAM-based local host access controls that are appropriate to your Samba configuration. "

getpeername failed

==> messages <==

Feb 25 09:55:22 hsg-ftp smbd[19348]:   getpeername failed. Error was Transport endpoint is not connected
Feb 25 09:55:22 hsg-ftp smbd[19348]: [2010/02/25 09:55:22, 0] lib/util_sock.c:read_data(534)
Feb 25 09:55:22 hsg-ftp smbd[19348]:   read_data: read failure for 4 bytes to client 0.0.0.0. Error = Connection reset by peer

==> samba/smbd.log <==

[2010/02/25 09:55:22, 0] lib/util_sock.c:get_peer_addr(1224)
  getpeername failed. Error was Transport endpoint is not connected
[2010/02/25 09:55:22, 0] lib/util_sock.c:get_peer_addr(1224)
  getpeername failed. Error was Transport endpoint is not connected
[2010/02/25 09:55:22, 0] lib/util_sock.c:read_data(534)
  read_data: read failure for 4 bytes to client 0.0.0.0. Error = Connection reset by peer

A Ranger’s Tale » Samba error: getpeername failed


Lately on the work server the Samba logs have been getting filled up with errors that look like the following:

Apr 13 09:23:41 cvsserver smbd[11947]: getpeername failed. Error was Transport endpoint is not connected

I was at a loss for what this meant. There was no evident loss of service to the Windows clients, and no other obvious problems. The setup is quite simple, with only one share established. After searching the Internet, I believe I have discovered a workaround for this problem–but not without drawbacks.

According to Mark Orenstein, Windows XP Pro attempts to connect to the share on ports 445 and 139, and “whichever port responds first is used for further communication.”. Mark therefore suggested disabling port 445 via a simple iptables rule:

iptables -I INPUT 1 -p tcp --dport 445 -j DROP

This seems to circumvent the problem and prevent the error messages, though it is not a real fix. In a followup to Mark, Gerald Drouillard gave the following warning:

   Be careful running this on a Samba 3.x PDC with other samba servers on the network. It appears that you will loose the ability for windows clients to map drives to the other non-PDC servers on the network from my test today.

My Samba server is not a PDC (and there aren’t any other Samba machines on the network anyway) so this is not an issue for me, but it is something to be aware of.


Samab errors (getpeername failed. Error was Transport endpoint is not connected) (write_socket_data: write failure. Error = Connection reset by peer) : error, endpoint, transport, getpeername, connected:

try adding the following in your smb.conf file's global section.

smb ports = 139

then restart smb.

Try to add:

use sendfile = no

win 7 smb_pwd_check_ntlmv1

Error:

[2009/09/05 12:22:15,  0] libsmb/ntlm_check.c:smb_pwd_check_ntlmv1(54)
  smb_pwd_check_ntlmv1: incorrect password length (68)

Solution:

  • Don't use security=share, this isn't supported. Use security=user instead, but breaks "guest" accounts.

References:

"I very much doubt security=3Dshare works with ntlmv2. Please use security=3Duser."

"Thanks Volker - that did the trick! I'd used security=share as the man pages suggested that this was the appropriate setting when most shares were meant to be for guest access, and says it is tricky providing guest access with security=user. In fact, simply setting the "map to guest" parameter to "Bad User" does the trick." [6]

keywords