Samba
Documentation
https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html
Tasks
Install
apt install samba winbind
Reload services
systemctl reload-or-restart smbd winbind
Sometimes it is better to force a restart of all services because of those damn caches:
systemctl restart smbd winbind
Stop all Samba services:
systemctl stop smbd nmbd winbind
smbcontrol – send messages to smbd, nmbd or winbindd processes
smbcontrol all reload-config
smbcontrol smbd reload-config
smbcontrol nmbd reload-config
smbcontrol winbind reload-config
SMB path
An SMB URL looks like this (note that an ‘@’ inside the user name is percent-encoded as %40):
smb://DOMAIN;leo@server/
smb://DOMAIN;leo%40domain.ext@server
smb://DOMAIN;leo%40domain.ext@server/share/
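As an added example (not from the original notes), a small parser for the smb://[DOMAIN;]user@host[/share[/path]] form shown above; it percent-decodes the user name and rejects an unencoded ‘@’ in it, which would otherwise be taken as the user/host separator:

```python
import re
from urllib.parse import unquote

# smb://[DOMAIN;]user@host[/share[/path]]; an '@' inside the user part
# must be percent-encoded (%40) or the authority split comes out wrong.
SMB_URL_RE = re.compile(
    r"^smb://"
    r"(?:(?:(?P<domain>[^;@/]+);)?(?P<user>[^@/]+)@)?"
    r"(?P<host>[^/]+)"
    r"(?:/(?P<share>[^/]*))?(?:/(?P<path>.*))?$"
)

def parse_smb_url(url):
    """Split an smb:// URL into domain, user, host, share and path.
    Empty components come back as None; the user name is percent-decoded."""
    m = SMB_URL_RE.match(url)
    if not m:
        raise ValueError(f"not an smb:// URL: {url!r}")
    parts = {k: (v or None) for k, v in m.groupdict().items()}
    if "@" in parts["host"]:
        # An unencoded '@' in the user name swallowed part of the host.
        raise ValueError("encode '@' inside the user name as %40")
    if parts["user"] is not None:
        parts["user"] = unquote(parts["user"])
    return parts

# Constructed inputs mirroring the three URL forms listed above.
if __name__ == "__main__":
    for u in ("smb://DOMAIN;leo@server/",
              "smb://DOMAIN;leo%40domain.ext@server",
              "smb://DOMAIN;leo%40domain.ext@server/share/"):
        print(u, "->", parse_smb_url(u))
```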
Mount a CIFS share in /etc/fstab
//server/share /mnt/share cifs ro,credentials=/root/smbcredentials,iocharset=utf8,vers=3.0 0 0
With /root/smbcredentials looking like this:
username=myuser
password=mypassword
domain=mydomain
Mounted this way, all files on the share appear to be owned by root. Keep the credentials file readable by root only (mode 0600), since it holds the account password in clear text.
Documentation: https://linux.die.net/man/8/mount.cifs
Create homedirs on the fly
Don’t use PAM!! obey pam restrictions = no is the default, so nothing goes through PAM (and thus pam_mkhomedir is useless…).
But since the PAM module just calls mkhomedir_helper, we can call it directly from the share definition:
## Global
template homedir = /other/path/%D/%U
## Share
[homes]
browseable = No
comment = users home folder
create mask = 0700
directory mask = 0700
path = /SAN300/homes/%U
read only = No
root preexec = /usr/sbin/mkhomedir_helper %U
valid users = %S
And the matching GPO lives under User Configuration/Preferences/Windows Settings/Drive Maps/, with the path:
\\mysambaserver\%username%
Improve throughput
https://wiki.archlinux.org/title/Samba#Improve_throughput
Parameter | Scope
server multi channel support = yes | global
deadtime = 30 | global
use sendfile = yes | share
min receivefile size = 16384 | global
aio read size = 1 | share (default)
socket options = IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT SO_RCVBUF=131072 SO_SNDBUF=131072 | global
Utilities
testparm – check an smb.conf configuration file for internal correctness
Option | Description
-s, --suppress-prompt | Without this option, testparm will prompt for a carriage return after printing the service names and before dumping the service definitions.
-v, --verbose | If this option is specified, testparm will also output all options that were not used in smb.conf(5) and are thus set to their defaults.
--show-all-parameters | Show the parameters, type, possible values.
--parameter-name parametername | Dumps the named parameter. If no section-name is set, the view is limited by default to the global section. It is also possible to dump a parametrical option; the option then has to be separated from the parameter name by a colon.
testparm
testparm -v
testparm --show-all-parameters | grep 'server multi channel support'
smbstatus – report on current Samba connections
Check currently open files and connections:
# smbstatus
net – Tool for administration of Samba and remote CIFS servers
net ads join -U administrator
samba-tool – Main Samba administration tool (>4.15.0 only)
samba-tool domain join mydomain.lan MEMBER -U domainadmin@domain.lan
Authentication
Local
smbpasswd – change a user’s SMB password
Add/remove a user in the SMB database:
# smbpasswd -a technician
New SMB password:
Retype new SMB password:
Added user technician.
# smbpasswd -x technician
Deleted user technician.
pdbedit – manage the SAM database (Database of Samba Users)
Option | Description
-L, --list | This option lists all the user accounts present in the users database.
List users
pdbedit -L
Winbind
wbinfo – Query information from winbind daemon
Option | Description
-p, --ping | Check whether winbindd(8) is still alive. Prints out either ‘succeeded’ or ‘failed’.
-P, --ping-dc | Issue a no-effect command to our DC. This checks if our secure channel connection to our domain controller is still alive.
-t, --check-secret | Verify that the workstation trust account created when the Samba server is added to the Windows NT domain is working.
-u, --domain-users | This option will list all users available in the Windows NT domain for which the winbindd(8) daemon is operating in.
-g, --domain-groups | This option will list all groups available in the Windows NT domain for which the samba(7) daemon is operating in.
-a, --authenticate username%password | Attempt to authenticate a user via winbindd(8). This checks both authentication methods and reports its results.
-i, --user-info=USER | Get user info.
wbinfo --ping
wbinfo --ping-dc
sudo wbinfo --check-secret
wbinfo --domain-users
wbinfo --domain-groups
wbinfo -a testuser
wbinfo --user-info=leo
Clear winbind cache
systemctl stop smbd nmbd winbind
net cache flush
cd /var/lib/samba/
mkdir old && mv *.tdb old/.
systemctl start smbd nmbd winbind
idmap backends
idmap_rid Backend
https://www.samba.org/samba/docs/current/man-html/idmap_rid.8.html
sssd – System Security Services Daemon
TODO
ACLs
smbcacls – Set or get ACLs on an NT file or directory names
smbcacls //bigdaddy/Music enigma -U sambauser
https://www.samba.org/samba/docs/current/man-html/smbcacls.1.html
https://www.commandlinefu.com/commands/view/816/read-windows-acls-from-linux
getcifsacl – Userspace helper to display an ACL in a security descriptor for Common Internet File System (CIFS)
getcifsacl ./file
NT Domain Member
Join domain
Make sure there’s a line in /etc/hosts:
127.0.1.1 memberservername.domain.ext memberservername
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
smb.conf examples
Here is an example of a working and clean smb.conf.
Do not forget to replace every DOMAIN placeholder, including in the idmap config lines.
Also, the default idmap config (*) must come last!
#======================= Global Settings =======================
[global]
### Browsing/Identification ###
workgroup = DOMAIN
security = ADS
realm = DOMAIN.LOCAL
map acl inherit = Yes
# the next line is only required on Samba versions less than 4.9.0
store dos attributes = yes
disable netbios = yes
#### Debugging/Accounting ####
log file = /var/log/samba/log.%m
max log size = 1000
# Enable this for debug:
#log level = 3 passdb:5 auth:5
####### Authentication #######
server role = member server
local master = no
domain master = no
preferred master = no
############ Winbind ############
winbind refresh tickets = Yes
winbind use default domain = Yes
# For testing purposes only:
#winbind enum users = yes
#winbind enum groups = yes
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 20000-90000000
idmap config * : backend = tdb
idmap config * : range = 3000-7999
#### Disable printing completely ####
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
#======================= Share Definitions =======================
[shared]
comment = Add a useful comment here
path = /mnt/storage/shared
valid users = +"Domain Users"
force group = "Domain Users"
read only = No
create mask = 0660
directory mask = 0770
force create mode = 0660
force directory mode = 0770
vfs objects = acl_xattr
[macosx]
comment = Add a useful comment here
create mask = 0660
directory mask = 0770
force create mode = 0660
force directory mode = 0770
path = /mnt/storage/shared
read only = No
valid users = "+Domain Users"
vfs objects = acl_xattr catia fruit streams_xattr
fruit:delete_empty_adfiles = yes
fruit:wipe_intentionally_left_blank_rfork = yes
fruit:posix_rename = yes
fruit:veto_appledouble = no
#fruit:metadata = stream
From: https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
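As an added check (not from these notes or from Samba itself), a small Python linter for the idmap config lines of an smb.conf: it flags incomplete or malformed entries, ranges that overlap (the Samba docs require idmap ranges to be disjoint, otherwise one UID/GID could belong to two identities) and a ‘*’ default that is not listed last, as required above. The input fragment is constructed for the example.

```python
import re

# Constructed smb.conf fragment (not the page's file): the '*' default is
# listed first and TRUSTED's range collides with both other ranges.
BAD_SMB_CONF = """
[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config DOMAIN : backend = rid
   idmap config DOMAIN : range = 20000-90000000
   idmap config TRUSTED : backend = rid
   idmap config TRUSTED : range = 7000-30000
"""
IDMAP_RE = re.compile(r"^idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+)$", re.I)

def parse_idmap(conf):
    """Return {domain: {option: value}} from [global], in order of first appearance."""
    domains, section = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # smb.conf comment lines
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1].lower()
            continue
        m = IDMAP_RE.match(line)
        if m and section == "global":
            domains.setdefault(m[1], {})[m[2].lower()] = m[3].strip()
    return domains

def check_idmap(conf):
    """List problems: incomplete/malformed entries, overlapping ranges, '*' not last."""
    domains, problems, ranges = parse_idmap(conf), [], []
    for dom, opts in domains.items():
        if "backend" not in opts or "range" not in opts:
            problems.append(f"{dom}: backend and range are both required")
            continue
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", opts["range"])
        if not m or int(m[1]) > int(m[2]):
            problems.append(f"{dom}: malformed range {opts['range']!r}")
            continue
        ranges.append((dom, int(m[1]), int(m[2])))
    for i, (d1, lo1, hi1) in enumerate(ranges):
        for d2, lo2, hi2 in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:       # closed intervals intersect
                problems.append(f"{d1} and {d2}: ranges overlap")
    if "*" in domains and list(domains)[-1] != "*":
        problems.append("'*' default idmap config must be the last one")
    return problems
```

Running check_idmap over the idmap lines of the example above returns an empty list; over BAD_SMB_CONF it reports both overlaps and the misplaced default.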
Concerning the ‘+’, ‘&’ and ‘@’ prefixes:
A name starting with a ‘@’ is interpreted as an NIS netgroup first (if your system supports NIS), and then as a UNIX group if the name was not found in the NIS netgroup database.
A name starting with ‘+’ is interpreted only by looking in the UNIX group database via the NSS getgrnam() interface. A name starting with ‘&’ is interpreted only by looking in the NIS netgroup database (this requires NIS to be working on your system). The characters ‘+’ and ‘&’ may be used at the start of the name in either order, so the value ‘+&group’ means check the UNIX group database, followed by the NIS netgroup database, and the value ‘&+group’ means check the NIS netgroup database, followed by the UNIX group database (the same as the ‘@’ prefix).
From: https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#INVALIDUSERS
To be sorted
sudo apt install samba winbind libpam-winbind libnss-winbind krb5-config samba-dsdb-modules samba-vfs-modules
Append winbind to the passwd and group databases in /etc/nsswitch.conf, then reload the configuration:
sudo smbcontrol all reload-config
getent passwd DOMAIN\\leo