1. Introduction
This is a simple Samba website. It is also my first tentative step with
HTML, so do not expect too much. It is also not 'official' in any
sense of the word and only contains a few pointers and answers to some
of the simpler problems that abound. Although I hope that the answers I
give are correct, this will not necessarily be the case. I can be reached
under andywil@ibm.net or 101.69082@germanynet.de
(!). In any case, you are not alone - you are visitor number
here since 25-Sep 98.
2. SAMBA Website mirrors
This list was hijacked from the servers listed here:
USA | USA | Austria | Denmark | Sweden | Turkey | Italy | Norway | Malaysia | Australia
2.1. Other documentation
The ultimate source of information is John
Blair's Samba book. The normal documentation is (of course)
in your Samba $(BASEDIR)/docs (/usr/local/samba/docs
in my case) if you downloaded Samba or in something like /usr/doc/packages/Samba
if you did not. Another Website similar to this one is Troels
Arvin's - he uses RedHat and is a lot stronger on the Linux front than
I am, there is some interesting stuff on firewalls there.
2.2. Current documentation
Here is a list of the Samba documentation files for 1.9.18p10:
| Document | Comments (if not obvious) |
| Application_Serving.txt | MS Office on Samba share |
| BROWSING-Config.txt | technical |
| BROWSING.txt | technical |
| BUGS.txt | - |
| CVS_ACCESS.txt | access to CVS code (?) |
| DHCP-Server-Configuration.txt | - |
| DIAGNOSIS.txt | read this |
| DNIX.txt | problems with DNIX unix |
| DOMAIN.txt | Network Logons and Roving Profiles |
| DOMAIN_CONTROL.txt | - |
| ENCRYPTION.txt | see also NT4 and Winxx documents |
| Faxing.txt | how to |
| GOTCHAS.txt | 1 old RedHat bug, one NT domain problem described |
| HINTS.txt | oldie but goodie |
| INSTALL.sambatar | Using smbtar |
| MIRRORS.txt | my pointers are better (the list at the start of Chapter 2) |
| Macintosh_Clients.txt | - |
| NT4_PlainPassword.reg | the registry-entry to disable encryption |
| NTDOMAIN.txt | superseded by DOMAIN_CONTROL.txt |
| NetBIOS.txt | says why you should avoid NetBEUI and IPX/SPX, WINS doc is here |
| OS2-Client-HOWTO.txt | - |
| PRINTER_DRIVER.txt | [PRINTER$] share for Win95 (not WinNT) |
| PROFILES.txt | - |
| Passwords.txt | uppercase/lowercase etc |
| Printing.txt | debug your printing |
| README.DCEDFS | ? |
| README.jis | is in Japanese (?) |
| README.sambatar | obsolete since 1.9.13 |
| Recent-FAQs.txt | see also faq |
| SCO.txt | - |
| SMBTAR.notes | - |
| Speed.txt | is Samba too slow for you? |
| Speed2.txt | Samba was too slow for someone else |
| Support.txt | Companies that support Samba commercially |
| THANKS | The development team would like to thank . . . |
| Tracing.txt | How to trace and debug Samba |
| UNIX-SMB.txt | The SMB Protocol from a UNIX point of view |
| UNIX_INSTALL.txt | Subtitle: How to Install and Test Samba |
| UNIX_SECURITY.txt | - |
| Win95.txt | how to disable encryption |
| Win95_PlainPassword.reg | the registry-entry to disable encryption |
| WinNT.txt | various NT problems |
| announce | what is Samba? |
| cifsntdomain.txt | very technical |
| faq | see also Recent-FAQs |
| history | version history |
| samba.lsm | - |
| security_level.txt | security = share, user or server. Discuss. |
| wfw_slip.htm | How to use Slip under WfW 3.11 |
2.2.1. man pages
make_smbcodepage, nmbd, samba, smb.conf, smbclient, smbd, smbmnt,
smbmount, smbpasswd, smbrun, smbstatus, smbtar, smbumount, testparm, testprns
2.3. Getting Help (Newsgroups)
I have seen 2 newsgroups that concern themselves with Samba:
- comp.protocols.smb - runs at around 50 messages a day
- linux.samba - runs at maybe 5 messages a day
The Samba developers and most of the other specialists frequent the first
one. While I am sure that there is a reason for the existence of
the second one, it escapes me. If you have problems with passwords
being rejected or 'station not authorised', do not bother the groups, look
at the 'encryption' pages here.
3. A Sample Config
; Configuration file for smbd.
; For the format of this file and comprehensive descriptions of all the
; configuration options, please refer to the man page for smb.conf(5).
;
[global]
; workgroup = WORKGROUP
null passwords = yes
netbios name = wlm00075
log file = /var/log/samba-log.%m
lock directory = /var/lock/samba
security = user
debug level = 2
max log size = 50
; I want to lose elections, the next 4 lines ensure that I do
local master = no
domain master = no
preferred master = no
os level = 0
; time server = yes
load printers = yes
server string = host %h Version %v for %m
; update encrypted = yes
encrypt passwords = yes
[tmp]
comment = Temporary file space
path = /tmp
writeable = yes
public = yes
create mask = 0777
dos filetimes = true
[homes]
comment = Home Directories
writeable = yes
browseable = no
dos filetimes = true
valid users = %S
[printers]
comment = All Printers
printable = yes
browseable = no
path = /var/spool/lpd
writeable = no
[redcd]
comment = %h CD-Rom
path = /cdrom
writeable = no
locking = no
fake oplocks = yes
3.1. Comments on Sample Config
Look at the 'man' pages for 'smb.conf' for better explanations.
[global]
- ; workgroup = WORKGROUP
  This is the default, if you leave it as it is, you get everyone who has not changed theirs.
- netbios name = wlm00075
  This defaults to your Server's name.
- security = user
  For anonymous shares such as printers (where you do not want accounting), the default (security = share) may be better with a null-password guest. Look at 3.2 if you want to mix the two.
- debug level = 2
  The range is 0 to 10, this is a good value for debugging purposes.
- max log size = 50
  Stops your logfiles getting too large.
- The next 4 lines make the Samba-Server subordinate to Windows servers:
  - local master = no
  - domain master = no
  - preferred master = no
  - os level = 0
- ; time server = yes
  If this is set, the time is exported to all clients.
- load printers = yes
  All printers in 'printcap' are automatically shared.
- ; update encrypted = yes
  See the discussion in encryption.
- encrypt passwords = yes
  See the discussion in encryption.

[tmp]
- create mask = 0777
  Allows all users full access to all files here, see Setting UNIX Permissions.
- dos filetimes = true
  This can be important, look at the man page.

[homes]
- valid users = %S
  Restricts people to their own home directories.

[printers]
- path = /var/spool/lpd
  I set the permissions here to 7777. If your userid cannot create files in this directory, you get very strange errors because this is not a condition that Win clients understand - see Printing.

[redcd]
3.2. Mixing 'security' types
If you want to have some shares open to all users (security = share
and guest ok) - for example printing - and some others administered
on a userid basis, John Blair's Samba book has an elegant solution:
netbios name = xxxxxx
netbios aliases = yyyyyy
include = /path/smb.conf.%L

/path/smb.conf.xxxxxx contains 'security = user' (no [global] section
header) and all of the services that want 'user' security.

/path/smb.conf.yyyyyy contains 'security = share', 'load printers =
yes', the guest stuff and the services that want 'share' security.
The only problem I have encountered with this technique is that 'testparm'
no longer works.
4. Simple Solutions
4.1. Levels
- 1.9.18p10 was released on the 24. August and it fixes all known bugs. I have seen no new bug reports against it.
- 1.9.18p9 does not exist
- 1.9.18p8 was a very common level. Bugs I know about are:
  - 'username map' is broken
  - 'networkstation user login' was accidentally left as 'true'. If you are using 'security = server' (and the parameter only made sense with this security setting) then you can turn it off again in this level because the code was rewritten to handle an NT bug.
- 1.9.18p7 was a reasonable level, very similar to 1.9.18p5 but with one security hole fixed.
- 1.9.18p6 was a mistake - it does not compile on all platforms and was replaced after 2 days.
- 1.9.18p5 was a reasonable level, it introduced 'update encrypted' as a migration aid to 'encrypt passwords = yes'
- 1.9.18p4 was a reasonable level with a large number of fixes and new features

For older levels, look at the proper Samba Sites. Levels
older than 1.9.18 needed special libraries (libdes) to be compiled in in
order to support encryption.
4.2. Printing
If you get strange errors while printing (it simply does not work) and
everything else is ok, check the permissions on the directory pointed to
by 'path = ' in [printers]. I set them to 7777 which is probably overdoing
things but does at least work. I have suggested this to a number
of people with printing difficulties and it is a very common problem, judging
from the feedback.
It would seem to me to be a good idea for Samba to check them itself
in 'testparm' and maybe even when firing up the 'smbd' daemon, PCNFSD does
this.
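
The check suggested above can be run outside Samba. This is an added example, not part of the original page and not Samba code: it reads an smb.conf, finds the 'path' of every printable share and classifies the directory mode. The function names and verdict labels are made up for the example, and treating 1777 (world-writable with the sticky bit, as used for /tmp) as the expected mode is an assumption; 7777 is reported because it also sets the setuid and setgid bits.

```sh
#!/bin/sh
# Added example (not Samba code): check the spool directory of printable shares.

# printable_paths CONF: "share<TAB>path" for each section with printable = yes
printable_paths() {
    awk '
        function emit() { if (prt && path != "") print sec "\t" path }
        /^[ \t]*[;#]/ { next }                      # comment lines
        /^[ \t]*\[/   { emit(); sec = $0            # a new [section] starts
                        gsub(/^[ \t]*\[|\].*$/, "", sec)
                        prt = 0; path = ""; next }
        /=/ { i = index($0, "=")
              key = tolower(substr($0, 1, i - 1)); val = substr($0, i + 1)
              gsub(/[ \t]/, "", key)                # names ignore whitespace
              gsub(/^[ \t]+|[ \t]+$/, "", val)
              if (key == "path") path = val
              if ((key == "printable" || key == "printok") &&
                  tolower(val) ~ /^(yes|true|1)$/) prt = 1 }
        END { emit() }
    ' "$1"
}

# check_spool DIR: classify the mode string printed by ls -ld (e.g. drwxrwxrwt)
check_spool() {
    [ -d "$1" ] || { echo MISSING; return 0; }
    case $(ls -ld "$1" | cut -c1-10) in
        ????????-?)           echo NOT_WORLD_WRITABLE ;; # spooling may fail
        ?????????[!tT])       echo NO_STICKY ;;   # jobs deletable by any user
        ???[sS]*|??????[sS]*) echo EXTRA_BITS ;;  # setuid/setgid set, e.g. 7777
        *)                    echo OK ;;          # mode 1777, as used for /tmp
    esac
}

# audit_spools CONF: one "share path verdict" line per printable share
audit_spools() {
    printable_paths "$1" | while IFS="$(printf '\t')" read -r share dir; do
        echo "$share $dir $(check_spool "$dir")"
    done
}

# Constructed demo: a [printers] share whose spool directory has mode 7777.
demo=$(mktemp -d)
mkdir "$demo/spool" && chmod 7777 "$demo/spool"
printf '[printers]\nprintable = yes\npath = %s/spool\n' "$demo" > "$demo/smb.conf"
audit_spools "$demo/smb.conf"
rm -rf "$demo"
```

NOT_WORLD_WRITABLE is only a proxy for "your userid cannot create files": a spool directory that is writable through group membership would be reported too.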
The 'no resources' message that sometimes comes is a timing problem
with NT - the WfWg client does not wait long enough (or NT takes too long).
Check the 'WinNT' doc on the Samba server for this one.
There is also a 'Printing' doc with several other tips.
4.3. Correct passwords being rejected (encryption).
Newer versions of WinNT and Win95, along with all versions of Win98, only
send encrypted passwords down the line. This is a security feature and
one that makes sense. There are two ways to go about accommodating such
clients - one is to turn encryption off for them, the other one is to turn
it on on the Samba server.
One point here at the outset: Since a Samba server can handle a number
of MS clients simultaneously, some of which will be encrypted and some
not, it would make sense if an encrypted server could also handle plain
text passwords. My personal experience is: it works. I would recommend
testing encryption before you actually need it.
4.3.1. encrypt passwords = no
This can be a temporary measure (see 'migration path' below) or a permanent
one. See the 'Win95', 'WinNT' and (for a general discussion) the 'ENCRYPTION'
docs.
4.3.2. turn encryption on
Again, see the 'Win95', 'WinNT' and 'ENCRYPTION' docs. Generally, there
are three migration paths you can take. Two assume that encryption is there
and you have to live with it, the other needs encryption to be off initially.
4.3.2.1. Step 1
Whichever path you decide to take, start here.
Use 'mksmbpasswd.sh' (a Perl script in the Samba source directory) to
create smbpasswd as documented in 'ENCRYPTION', and then remove all userids
(such as root) that are not allowed to use Samba.
You now have all the userids you need, but not their passwords.
4.3.2.1.1. Path 1
Set the passwords up using the 'smbpasswd' command. This can either be
done for all users by 'root' or the users can log onto the Unix-box and
do their own.
4.3.2.1.2. Path 2
Set all passwords to NO PASSWORD as documented and let the users change
them themselves via Samba under 'encrypt passwords = yes'
4.3.2.1.3. Path 3 (encryption still off)
Set the 'update encrypted = yes' parameter (this was first implemented
in 1.9.18p5) while leaving encryption off at both ends. All userids should
log on as normal, when they have done so, their passwords will all be in
'smbpasswd' - suitably encrypted.
You can (must) turn 'update encrypted' off, add 'encrypt passwords =
yes' on the server and can then activate encryption on the MS clients.
This is actually the only migration path that I have tested (the rest
is theory from the documentation) but it is the most complicated one and
it works, even for MS clients incapable of encryption.
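
An added example, not part of the original page and not Samba code: a small audit of the smbpasswd file for use after Step 1 and while any of the three paths is in progress. It lists system accounts that should have been removed, entries set to NO PASSWORD (Path 2; with 'null passwords = yes', as in the sample config above, these log on with an empty password until the user changes it) and entries that have no password yet. The line format `name:uid:LANMAN-hash:NT-hash:...`, the uid threshold of 100, the function names and the sample entries are assumptions made for the example.

```sh
#!/bin/sh
# Added example (not Samba code): audit smbpasswd entries during the migration.
# Assumed line format:  name:uid:LANMAN-hash:NT-hash:comment:home:shell

# audit_smbpasswd FILE [MIN_UID]: print one "FINDING name" line per problem.
# Assumption: uids below MIN_UID (default 100) are system accounts.
audit_smbpasswd() {
    awk -F: -v min="${2:-100}" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }              # comments, blank lines
        NF < 4 || $2 !~ /^[0-9]+$/ { print "MALFORMED", $1; next }
        {
            if ($2 + 0 < min)         print "SYSTEM_ACCOUNT", $1  # remove it
            if ($3 ~ /^NO PASSWORD/)  print "NULL_PASSWORD", $1   # empty password
            else if ($3 ~ /^X+$/)     print "NOT_SET", $1         # no hash yet
            else if (length($3) != 32 || $3 !~ /^[0-9A-Fa-f]+$/)
                                      print "BAD_HASH", $1
        }
    ' "$1"
}

# write_sample FILE: constructed entries (the hashes are made-up hex strings)
write_sample() {
    x=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    cat > "$1" <<EOF
root:0:$x:$x:root:/root:/bin/sh
lp:4:$x:$x:Printing daemon:/var/spool/lpd:/bin/false
alice:500:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:Alice:/home/alice:/bin/sh
bob:501:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:$x:Bob:/home/bob:/bin/sh
carol:502:$x:$x:Carol:/home/carol:/bin/sh
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_smbpasswd "$sample"
rm -f "$sample"
```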
4.4. CR + LF
Unix text-file lines are terminated by 0A (LF)
MS text-file lines are terminated by 0D 0A (CR LF)
Samba does not do any conversion of these files at all. There are a
number of conversion utilities on both platforms, these will have to be
used.
4.5. Timeouts, Network Busy
This could be a problem in 'hosts' - outside Samba altogether. The first
line in hosts should always be:
127.0.0.1 localhost localhost.localdomain
It is also important to have your own host-name and IP-address in this
file. When I was using the then newest version of RedHat in early spring
1998, it actually needed the own-host line to be the second in /etc/hosts
but SuSE (for example) does not need this.
External DNS / WINS servers reportedly also seem to need the localhost
line at the front.
4.6. unfriendly server software
Look at point 33 in the 'autoreply' doc on the server. This is actually
a very interesting document with a lot of other tips.
4.7. Setting UNIX Permissions
SAMBA normally creates files and directories with the 0744 permission-bits
set, unless the DOS Read-Only attribute is set. This behaviour can
be overridden in the respective [service] sections with the following
parameters:
| Parameter | Effect | Default |
| create mask = nnnn | is ANDed with the permission bits | 0744 |
| force create mode = nnnn | is ORed with the permission bits | 0000 |
| directory mask = nnnn | is ANDed with the permission bits | 0744 |
| force directory mode = nnnn | is ORed with the permission bits | 0000 |
The 'delete readonly', 'alternate permissions', 'map archive', 'map
hidden' and 'map system' are related commands. If you really feel
the need (I don't), look them up.
4.8. Terminating and restarting Samba
Having changed your Samba Config, you may want to terminate and restart
it. Here is how I do it using Linux and bash.
This little monster goes into /root/bin
#! /bin/sh
#
# Kill and restart Samba
#
echo -n "Shutting down Samba: "
killproc -TERM /usr/sbin/nmbd
killproc -TERM /usr/sbin/smbd
echo
echo -n "Hit XMIT after switching"
read
rm /var/log/log.*
rm /var/log/samba-log.*
echo -n "Restarting Samba "
/usr/sbin/nmbd -D
/usr/sbin/smbd -D
echo " done"
As you will see, it also kills the logfiles left by the previous version.
You will probably have to change some names because your Samba executables
and logfiles are likely to be somewhere else. The 2 lines:
echo -n "Hit XMIT after switching"
and read
are there because I have a setup with 1 Lan-card switching between
2 networks. Anyone who does not have this ludicrous arrangement can
kill those lines.
You will (of course) have to make sure that this script's owner and
group are 'root' and that its permissions are 0700.