Linux/Samba
Samba Configuration smb.conf
Testing Configurations
Test Your Config File with testparm
# test configuration
testparm
# specify configuration file
testparm /etc/samba/smb.conf
# don't prompt for enter key
testparm -s
On Debian, testparm is in the samba-common-bin package:
apt-get install samba-common-bin
Test Password
smbclient //server/share -U [user]
It will then prompt for a password and give you either an "smb: \>" prompt or an "NT_STATUS_LOGON_FAILURE" error.
Show all configuration parameters
Show parameter options:
testparm --show-all-parameters
Show configured parameters:
testparm -v
Minimal Samba Configuration
A minimal smb.conf:
[global]
workgroup = WORKGROUP
netbios name = MYSERVER

[share1]
path = /tmp

[share2]
path = /my_shared_folder
comment = Some random files
Simple File Server
See Linux/Samba/Simple_File_Server for a more complete version.
[global]
netbios name = ISO
workgroup = WORKGROUP
server string = ISO File Server
security = user
passdb backend = tdbsam
# Disable printers:
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
show add printer wizard = no

[iso]
comment = ISO Images
path = /data/iso
browseable = yes
guest ok = no
writable = yes
valid users = iso
create mask = 0660
directory mode = 0770
Guest File Server
Disable Printers
Novice question - How to completely disable printing and /etc/printcap errors:
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

[movies]
path = /mythtv/movies
guest ok = yes
read only = yes
valid users = kenneth bethany
Samba Commands
Linux
Searches for a master browser by looking up the NetBIOS name <name> with a type of 0x1d:
nmblookup -M -- -
# show netbios names
nmblookup -M -S -- -
Get machine IP address via NetBIOS lookup:
nmblookup <NETBIOS_NAME>
Get NetBIOS name from machine IP address:
nmblookup -A [IP_ADDRESS]
Report on current Samba connections:
smbstatus
Look at what services are available on a machine (password not always required, if anonymous connection allowed):
smbclient -L <NETBIOS_NAME>
smbclient -W [WORKGROUP/DOMAIN] -U [USER] -L [NETBIOS_NAME]
Windows
nbtstat
- "Displays protocol statistics and current TCP/IP connections using NBT (NetBIOS over TCP/IP)."
Lists the remote machine's name table given its name:
nbtstat -a <NETBIOS_NAME>
nbtstat -a trogdor
Lists local NetBIOS names:
nbtstat -n
This indicates that the server is currently acting as the local master browser for the current subnet:
..__MSBROWSE__.<01> GROUP Registered
NET CONFIG displays configuration information of the Workstation or Server service. [1]:
# list workstation configuration information
net config workstation
# list server configuration information
net config server
# this appears to be an old command, but now aliases to 'workstation'
net config rdr
The registry can also be checked for browser information. [2]:
\HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Browser\Parameters
View browselist:
net view
View remote available shares:
net view \\<NETBIOS_NAME>
Connect to a share:
net help use
net use k: \\data\files /user:kenneth
Master Browser
Become the domain master browser. There can only be one domain master browser per workgroup name.
[global]
domain master = Yes
local master = Yes
preferred master = Yes
os level = 35
Become a local master browser:
[global]
domain master = no
local master = Yes
preferred master = Yes
os level = 35
Never be Master Browser:
[global]
domain master = no
local master = no
preferred master = no
os level = 0
Performance
TCP No Delay:
socket options = TCP_NODELAY
- "The socket option TCP_NODELAY is the one that seems to make the biggest single difference for most networks. Many people report that adding socket options = TCP_NODELAY doubles the read performance of a Samba drive. The best explanation I have seen for this is that the Microsoft TCP/IP stack is slow in sending TCP ACKs."
Source: Samba Chapter 45. Samba Performance Tuning
NTLMv2 and Vista
"support for NTLMv2 in Samba wasn’t fully developed until Samba v3.0.21." [3]
- "3.0.21{a,b,c} - Complete NTLMv2 support by consolidating authentication mechanism used at the CIFS and RPC layers." [4]
- "I'm pretty sure it's been in since the first 3.0 release, but it has improved in subtle ways, right up to the fixes for security=domain without winbind in the latest release."
- "...This is *THE WORST* way to handle this. You are lowering the security on Vista instead of raising the security of Samba.
You are better off enabling NTLMv2 support in Samba. Granted you need to have Samba v3+ in order to do this. As far as I know 10.4.x is running Samba 3.
Add 'client NTLMv2 auth = Yes' in the [global] section."
Result: This did not appear to work for me.
To get Vista to work with Samba follow the simple instructions below:
- Open the Run command and type "secpol.msc".
- Press "continue" when prompted by Vista.
- Click on "Local Policies" --> "Security Options"
- Navigate to the policy "Network Security: LAN Manager authentication level" and open it.
- By default Windows Vista sets the policy to "NTLMv2 responses only". Change this to "LM and NTLM – use NTLMV2 session security if negotiated".
Result: These steps do work for me.
- Supposedly Samba 3 supports NTLMv2
Samba 3 and NTLMv2 support Thread:
- Says this will enable NTLMv2:
[Global]
lanman auth = no
ntlm auth = no
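An added example (not from the original page or the Samba project): a small Python audit of the authentication settings this page discusses, flagging security = share, LANMAN/NTLMv1 acceptance and guest-enabled shares. The sample config and the names parse_smb_conf and audit are constructed for illustration; absent parameters are not flagged, since defaults differ between Samba versions.

```python
import re

# Constructed sample smb.conf (not a real server), built from settings on this page.
SAMPLE = """\
[global]
    security = share
    lanman auth = yes
    ntlm auth = yes
    ; comment lines start with ';' or '#'
[movies]
    guest ok = yes
[iso]
    guest ok = no
"""
TRUE = {"yes", "true", "on", "1"}

def parse_smb_conf(text):
    """Return {section: {param: value}}; names lower-cased, spaces collapsed."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def audit(conf):
    """Return a list of (section, parameter, reason) findings."""
    g, out = conf.get("global", {}), []
    if g.get("security", "").lower() == "share":
        out.append(("global", "security", "share-level security; use security = user"))
    if g.get("lanman auth", "no").lower() in TRUE:
        out.append(("global", "lanman auth", "LANMAN authentication accepted"))
    if g.get("ntlm auth", "no").lower() in TRUE | {"ntlmv1-permitted"}:
        out.append(("global", "ntlm auth", "NTLMv1 accepted; NTLMv2 not enforced"))
    for name, params in conf.items():
        if name != "global" and params.get("guest ok", "no").lower() in TRUE:
            out.append((name, "guest ok", "share allows guest access"))
    return out

if __name__ == "__main__":
    for finding in audit(parse_smb_conf(SAMPLE)):
        print("%s: %s -> %s" % finding)
```

Feeding it the output of testparm -s -v instead of the raw file checks the effective values, defaults included.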
Linux bindings check
Next you need to be sure the library needed to run the winbindd daemon through nsswitch, libnss_winbind.so, is in the proper location, which is /lib. By default, this should already be there unless you installed Samba from source. If it's not there, copy the file from the samba/source/nsswitch directory where your Samba source is located.
I also found it necessary to make the following symbolic link:
root# ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
Without this symbolic link, some of the commands used to test winbind will work and some won't.
The libraries needed by the winbindd daemon will be automatically entered into the ldconfig cache the next time your system reboots, but it is faster (and you do not need to reboot) if you do it manually now:
root# /sbin/ldconfig -v | grep winbind
This makes libnss_winbind available to winbindd and echoes back a check to you of:
libnss_winbind.so -> libnss_winbind.so
Source: Using Winbind with Samba Domain Member Servers - JustLinux Forums
smbclient
List shares on windows machine or samba server:
smbclient -L windows_box
Send message from Linux
echo "This is a test" | smbclient -M <computer> -U <any_name>
Connect to samba server (using ftp like commands)
smbclient -U [user] \\\\machine\\share\\
smbclient -U [user] //machine/share/
Samples
See ...
Change Windows domain password from the command line
From Windows:
# change local password
net user <username> *
net user <username> <password>
# change domain password (need to be logged in to domain)
net user myuser * /domain
net user myuser <password> /domain
Linux:
smbpasswd -r <DOMAIN_CONTROLLER> -U <USERNAME>
Changing a Password from a Remote Windows Computer:
- Press CTRL+ALT+DEL to bring up the Windows Security dialog box.
- Press the Change Password button.
- Enter the User name whose password you wish to change.
- In the From dialog box, click either the computer name or domain name in the drop-down list box, or type the computer name or domain name that contains the User Account Database where the user name exists.
- Type the appropriate password in the Old Password, New Password, and Confirm New Password box.
- You should receive a message indicating "Your password has been changed."
References:
- All Things Marked » HOWTO: Change your XP password via the command line
- How to change the Windows domain password from the command line - Teamwork at Jacobs University
- Change User Password from the Command Prompt
Notable Configuration Options
show add printer wizard:
- "With the introduction of MS-RPC based printing support for Windows NT/2000 client in Samba 2.2, a "Printers..." folder will appear on Samba hosts in the share listing. Normally this folder will contain an icon for the MS Add Printer Wizard (APW). However, it is possible to disable this feature regardless of the level of privilege of the connected user."
Default: show add printer wizard = yes
time server:
- "This parameter determines if nmbd(8) advertises itself as a time server to Windows clients."
Default: time server = no
Issues
PAM control
PAM authentication will not work with Samba as it requires the use of clear text passwords, which are no longer supported with Windows NT and above.
encrypt passwords:
- "This boolean controls whether encrypted passwords will be negotiated with the client. Note that Windows NT 4.0 SP3 and above and also Windows 98 will by default expect encrypted passwords unless a registry entry is changed." [5]
Chapter 28. PAM-Based Distributed Authentication:
- "This chapter should help you to deploy Winbind-based authentication on any PAM-enabled UNIX/Linux system. Winbind can be used to enable user-level application access authentication from any MS Windows NT domain, MS Windows 200x Active Directory-based domain, or any Samba-based domain environment. It will also help you to configure PAM-based local host access controls that are appropriate to your Samba configuration. "
getpeername failed
==> messages <==
Feb 25 09:55:22 hsg-ftp smbd[19348]: getpeername failed. Error was Transport endpoint is not connected
Feb 25 09:55:22 hsg-ftp smbd[19348]: [2010/02/25 09:55:22, 0] lib/util_sock.c:read_data(534)
Feb 25 09:55:22 hsg-ftp smbd[19348]: read_data: read failure for 4 bytes to client 0.0.0.0. Error = Connection reset by peer

==> samba/smbd.log <==
[2010/02/25 09:55:22, 0] lib/util_sock.c:get_peer_addr(1224)
  getpeername failed. Error was Transport endpoint is not connected
[2010/02/25 09:55:22, 0] lib/util_sock.c:get_peer_addr(1224)
  getpeername failed. Error was Transport endpoint is not connected
[2010/02/25 09:55:22, 0] lib/util_sock.c:read_data(534)
  read_data: read failure for 4 bytes to client 0.0.0.0. Error = Connection reset by peer
A Ranger’s Tale » Samba error: getpeername failed
Lately on the work server the Samba logs have been getting filled up with errors that look like the following:
Apr 13 09:23:41 cvsserver smbd[11947]: getpeername failed. Error was Transport endpoint is not connected
I was at a loss for what this meant. There was no evident loss of service to the Windows clients, and no other obvious problems. The setup is quite simple, with only one share established. After searching the Internet, I believe I have discovered a workaround for this problem–but not without drawbacks.
According to Mark Orenstein, Windows XP Pro attempts to connect to the share on ports 445 and 139, and “whichever port responds first is used for further communication.” Mark therefore suggested disabling port 445 via a simple iptables rule:
iptables -I INPUT 1 -p tcp --dport 445 -j DROP
This seems to circumvent the problem and prevent the error messages, though it is not a real fix. In a followup to Mark, Gerald Drouillard gave the following warning:
Be careful running this on a Samba 3.x PDC with other samba servers on the network. It appears that you will lose the ability for windows clients to map drives to the other non-PDC servers on the network from my test today.
My Samba server is not a PDC (and there aren’t any other Samba machines on the network anyway) so this is not an issue for me, but it is something to be aware of.
try adding the following in your smb.conf file's global section.
smb ports = 139
then restart smb.
Try to add:
use sendfile = no
win 7 smb_pwd_check_ntlmv1
Error:
[2009/09/05 12:22:15, 0] libsmb/ntlm_check.c:smb_pwd_check_ntlmv1(54)
  smb_pwd_check_ntlmv1: incorrect password length (68)
Solution:
- Don't use security=share; this isn't supported. Use security=user instead, though this breaks "guest" accounts.
References:
- [Samba] Authentication from Vista? - http://www.mail-archive.com/samba@lists.samba.org/msg102678.html
"I very much doubt security=share works with ntlmv2. Please use security=user."
"Thanks Volker - that did the trick! I'd used security=share as the man pages suggested that this was the appropriate setting when most shares were meant to be for guest access, and says it is tricky providing guest access with security=user. In fact, simply setting the "map to guest" parameter to "Bad User" does the trick." [6]