Samba

Documentation

https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html

Tasks

Install

apt install samba winbind

Reload services

systemctl reload-or-restart smbd winbind

Sometimes it is better to force a restart of all services because of the caches:

systemctl restart smbd winbind

Stop the Samba services:

systemctl stop smbd nmbd winbind

smbcontrol – send messages to smbd, nmbd or winbindd processes

smbcontrol all reload-config
smbcontrol smbd reload-config
smbcontrol nmbd reload-config
smbcontrol winbindd reload-config

SMB path

An SMB URL (%40 is the URL-encoded @ of a UPN-style user name such as leo@domain.ext, so it is not mistaken for the @ that separates the credentials from the host):

smb://DOMAIN;leo@server/
smb://DOMAIN;leo%40domain.ext@server
smb://DOMAIN;leo%40domain.ext@server/share/

Mount a CIFS share in /etc/fstab

//server/share /mnt/share cifs ro,credentials=/root/smbcredentials,iocharset=utf8,vers=3.0 0 0

With /root/smbcredentials looking like this (keep it owned by root with mode 0600, since it holds the password in clear text):

username=myuser
password=mypassword
domain=mydomain

Because the mount carries no uid=/gid= options, all files on this share appear as owned by root. Add uid=<local user> and gid=<local group> (and file_mode=/dir_mode= if needed) to present them as another local account.

Documentation: https://linux.die.net/man/8/mount.cifs
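The following is an added example, not part of these notes nor of cifs-utils: a small shell helper that checks the credentials file before it is referenced from /etc/fstab (no group/other permission bits, username= and password= present) and prints an fstab line with uid=/gid= for a given local user. The function names check_smb_credentials and cifs_fstab_line are my own.

```shell
#!/bin/sh
# Added example (not from the original notes or from cifs-utils): sanity-check
# a mount.cifs credentials file and build an fstab entry that does not show
# every file as owned by root. Function names are assumptions of this example.

# check_smb_credentials FILE
# Returns 0 when FILE is a regular file with no group/other permission bits
# and defines username= and password=; prints the reason and returns 1 otherwise.
check_smb_credentials() {
    f=$1
    [ -f "$f" ] || { echo "$f: not a regular file" >&2; return 1; }
    # In "ls -l" output columns 5-10 are the group and other bits; all must be '-'
    perms=$(ls -ld "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$f: readable by group or others (chmod 600 it)" >&2
        return 1
    fi
    for key in username password; do
        grep -q "^$key=" "$f" || { echo "$f: missing $key=" >&2; return 1; }
    done
    return 0
}

# cifs_fstab_line //server/share /mnt/share CREDFILE LOCALUSER
# Prints an fstab entry like the one above, plus uid=/gid= of LOCALUSER so
# the share's files are presented as owned by that account.
cifs_fstab_line() {
    share=$1 mnt=$2 cred=$3 user=$4
    uid=$(id -u "$user") || return 1
    gid=$(id -g "$user") || return 1
    printf '%s %s cifs ro,credentials=%s,uid=%s,gid=%s,iocharset=utf8,vers=3.0 0 0\n' \
        "$share" "$mnt" "$cred" "$uid" "$gid"
}
```

Run check_smb_credentials /root/smbcredentials after creating the file; if it passes, append the output of cifs_fstab_line to /etc/fstab and run mount -a.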

Create homedirs on the fly

Don't rely on PAM: obey pam restrictions = no is the default, so session setup never goes through PAM and pam_mkhomedir is never invoked.

But since the PAM module only calls mkhomedir_helper, we can call it directly from root preexec. mkhomedir_helper creates the directory recorded in the user's passwd entry (for winbind users that is what template homedir expands to), so template homedir and the share's path must resolve to the same directory:

## Global
        template homedir = /other/path/%D/%U
## Share
[homes]
        browseable = No
        comment = users home folder
        create mask = 0700
        directory mask = 0700
        path = /SAN300/homes/%U
        read only = No
        root preexec = /usr/sbin/mkhomedir_helper %U
        valid users = %S

The matching GPO lives under User Configuration/Preferences/Windows Settings/Drive Maps/, mapping:

\\mysambaserver\%username%
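root preexec runs as root with whatever Samba substitutes for %U, so it is worth putting a thin wrapper in front of mkhomedir_helper. The script below is an added example, not part of these notes nor of Samba or pam_mkhomedir; the install path /usr/local/sbin/samba-mkhome and the function names are assumptions. It refuses names that are not plain account names, checks that the account resolves (so the home directory comes from the passwd entry, i.e. template homedir for winbind users), and only then calls the helper.

```shell
#!/bin/sh
# Added example, not part of the original notes or of Samba: a wrapper for
# "root preexec" that validates the %U Samba substitutes before handing it
# to mkhomedir_helper (which runs as root). Assumed install path
# /usr/local/sbin/samba-mkhome, used in smb.conf as:
#   root preexec = /usr/local/sbin/samba-mkhome %U
# The notes' smb.conf sets "winbind use default domain = Yes", so %U is the
# bare account name; for a DOMAIN\user form the pattern below must be widened.

# valid_username NAME
# 0 when NAME is a plain account name (letters, digits, '.', '_' and '-',
# not empty and not starting with '-'); 1 otherwise. This keeps shell
# metacharacters, path separators and option-looking names away from the helper.
valid_username() {
    case "$1" in
        '' | -*)             return 1 ;;
        *[!A-Za-z0-9._-]*)   return 1 ;;
    esac
    return 0
}

# home_for NAME
# Prints the home directory recorded in the passwd database (for winbind
# users this is what "template homedir" expands to); prints nothing when the
# account does not resolve.
home_for() {
    getent passwd "$1" | cut -d: -f6
}

main() {
    user=$1
    if ! valid_username "$user"; then
        logger -t samba-mkhome "refusing suspicious user name: $user"
        exit 1
    fi
    home=$(home_for "$user")
    if [ -z "$home" ]; then
        logger -t samba-mkhome "no passwd entry for $user"
        exit 1
    fi
    # Nothing to do if the directory already exists; never touch it.
    [ -d "$home" ] && exit 0
    # umask 0077 matches the 0700 create/directory masks of the [homes] share
    exec /usr/sbin/mkhomedir_helper "$user" 0077
}

# Only act when invoked as the installed script; sourcing the file (for
# tests) merely defines the functions.
case "${0##*/}" in
    samba-mkhome) main "$@" ;;
esac
```

mkhomedir_helper takes the umask as its optional second argument; 0077 here matches the 0700 masks of the [homes] share above.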

Improve throughput

https://wiki.archlinux.org/title/Samba#Improve_throughput

Parameter (scope):

server multi channel support = yes   (global)
deadtime = 30                        (global)
use sendfile = yes                   (share)
min receivefile size = 16384         (global)
aio read size = 1                    (share; already the default)
aio write size = 1                   (share; already the default)
socket options = IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT SO_RCVBUF=131072 SO_SNDBUF=131072   (global)

Benchmark before keeping socket options: smb.conf(5) notes that modern operating systems are already tuned for high network performance and that most people should not override those settings.

Utilities

testparm – check an smb.conf configuration file for internal correctness

-s, --suppress-prompt      Without this option, testparm prompts for a carriage return after printing the service names and before dumping the service definitions.
-v, --verbose              Also output all options that were not used in smb.conf(5) and are thus set to their defaults.
--show-all-parameters      Show the parameters, their type and possible values.
--parameter-name NAME      Dump the named parameter. Without --section-name the view is limited to the global section. A parametric option can be dumped too: separate the option from the parameter name with a colon.
testparm
testparm -v
testparm --show-all-parameters | grep 'server multi channel support'

smbstatus – report on current Samba connections

Check current connections and open files:

# smbstatus

net – Tool for administration of Samba and remote CIFS servers

net ads join -U administrator

samba-tool – Main Samba administration tool (>4.15.0 only)

samba-tool domain join mydomain.lan MEMBER -U domainadmin@domain.lan

Authentication

Local

smbpasswd – change a user’s SMB password

add/remove user in the SMB database:

# smbpasswd -a technician
New SMB password:
Retype new SMB password:
Added user technician.
# smbpasswd -x technician
Deleted user technician.

pdbedit – manage the SAM database (Database of Samba Users)

-L, --list    List all the user accounts present in the users database.
List users
pdbedit -L

Winbind

wbinfo – Query information from winbind daemon

-p, --ping            Check whether winbindd(8) is still alive. Prints out either 'succeeded' or 'failed'.
-P, --ping-dc         Issue a no-effect command to our DC. This checks if our secure channel connection to our domain controller is still alive.
-t, --check-secret    Verify that the workstation trust account created when the Samba server is added to the Windows NT domain is working.
-u, --domain-users    List all users available in the Windows NT domain for which the winbindd(8) daemon is operating.
-g, --domain-groups   List all groups available in the Windows NT domain for which the winbindd(8) daemon is operating.
-a, --authenticate username%password
                      Attempt to authenticate a user via winbindd(8). This checks both authentication methods and reports its results. Without %password, wbinfo prompts for it (preferable, since a password given on the command line ends up in the shell history and the process list).
-i, --user-info=USER  Get user info.
wbinfo --ping
wbinfo --ping-dc
sudo wbinfo --check-secret
wbinfo --domain-users
wbinfo --domain-groups
wbinfo -a testuser
wbinfo --user-info=leo

Clear winbind cache

systemctl stop smbd nmbd winbind
net cache flush
cd /var/lib/samba/
mkdir old && mv *.tdb old/
systemctl start smbd nmbd winbind

Note that the wildcard moves every TDB in /var/lib/samba, not only the winbind cache (winbindd_cache.tdb) but also persistent databases such as registry.tdb and share_info.tdb. If you only want a fresh winbind cache, move winbindd_cache.tdb alone, and keep the old/ copy until the domain member is confirmed working again.

idmap backends

idmap_rid Backend

https://www.samba.org/samba/docs/current/man-html/idmap_rid.8.html

sssd – System Security Services Daemon

TODO

ACLs

smbcacls – Set or get ACLs on an NT file or directory names

smbcacls //bigdaddy/Music enigma -U sambauser

https://www.samba.org/samba/docs/current/man-html/smbcacls.1.html

https://www.commandlinefu.com/commands/view/816/read-windows-acls-from-linux

getcifsacl – Userspace helper to display an ACL in a security descriptor for Common Internet File System (CIFS)

getcifsacl ./file

NT Domain Member

Join domain

Make sure there is a line in /etc/hosts so the member's own FQDN resolves:

127.0.1.1 memberservername.domain.ext memberservername

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

smb.conf examples

Here is an example of a working and clean smb.conf.

Do not forget to replace every DOMAIN placeholder, including in the idmap config.
The default idmap config (*) must also be defined (it is placed last here), and its range must not overlap the domain's range.

#======================= Global Settings =======================

[global]

### Browsing/Identification ###

        workgroup = DOMAIN
        security = ADS
        realm = DOMAIN.LOCAL

        map acl inherit = Yes
        # the next line is only required on Samba versions less than 4.9.0
        store dos attributes = yes

        disable netbios = yes

#### Debugging/Accounting ####

        log file = /var/log/samba/log.%m
        max log size = 1000
        # Enable this for debug:
        #log level = 3 passdb:5 auth:5

####### Authentication #######

        server role = member server
        local master = no
        domain master = no
        preferred master = no
        
############ Winbind ############

        winbind refresh tickets = Yes
        winbind use default domain = Yes
        
        # For testing purposes only:
        #winbind enum users = yes
        #winbind enum groups = yes

        idmap config DOMAIN : backend = rid
        idmap config DOMAIN : range = 20000-90000000
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999

#### Disable printing completely ####

        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes

#======================= Share Definitions =======================
[shared]
        comment = Add a useful comment here
        path = /mnt/storage/shared
        valid users = +"Domain Users"
        force group = "Domain Users"
        read only = No
        create mask = 0660
        directory mask = 0770
        force create mode = 0660
        force directory mode = 0770
        vfs objects = acl_xattr
[macosx]
        comment = Add a useful comment here
        create mask = 0660
        directory mask = 0770
        force create mode = 0660
        force directory mode = 0770
        path = /mnt/storage/shared
        read only = No
        valid users = "+Domain Users"
        vfs objects = acl_xattr catia fruit streams_xattr
        fruit:delete_empty_adfiles = yes
        fruit:wipe_intentionally_left_blank_rfork = yes
        fruit:posix_rename = yes
        fruit:veto_appledouble = no
        #fruit:metadata = stream

From: https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
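testparm checks syntax but not the idmap rules above (a * block must exist and no two idmap ranges may overlap). The script below is an added example, not part of these notes nor of Samba: it extracts every "idmap config X : range = lo-hi" line from an smb.conf, rejects malformed ranges, reports overlapping pairs and a missing * range, and exits non-zero on any problem. The function name check_idmap_ranges is my own.

```shell
#!/bin/sh
# Added example (not from the original notes or from Samba): validate the
# "idmap config ... : range" lines of an smb.conf. smb.conf(5) requires the
# ranges of the different idmap blocks not to overlap and a default (*)
# block to exist; testparm does not check either. Function name is assumed.

# check_idmap_ranges FILE
# Exit 0 when every range is "lo-hi" with lo <= hi, a "*" range exists and no
# two ranges overlap. Problems are written to stderr.
check_idmap_ranges() {
    awk '
        # strip comments, then keep only "idmap config X : range = ..." lines
        { sub(/[;#].*/, "") }
        tolower($0) ~ /^[ \t]*idmap[ \t]+config[ \t]+[^:]*:[ \t]*range[ \t]*=/ {
            split($0, kv, "=")
            dom = kv[1]
            sub(/^[ \t]*[^ \t]+[ \t]+[^ \t]+[ \t]+/, "", dom)   # drop "idmap config "
            sub(/[ \t]*:.*$/, "", dom)                          # drop " : range "
            val = kv[2]; gsub(/[ \t]/, "", val)
            if (split(val, r, "-") != 2 || r[1] !~ /^[0-9]+$/ || r[2] !~ /^[0-9]+$/ \
                || (r[1] + 0) > (r[2] + 0)) {
                printf "idmap config %s: malformed range \"%s\"\n", dom, val > "/dev/stderr"
                bad = 1
                next
            }
            n++
            name[n] = dom; lo[n] = r[1] + 0; hi[n] = r[2] + 0
        }
        END {
            if (n == 0) {
                print "no idmap config range lines found" > "/dev/stderr"
                exit 1
            }
            for (i = 1; i <= n; i++) {
                if (name[i] == "*") have_default = 1
                # two closed intervals overlap when each starts before the other ends
                for (j = i + 1; j <= n; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "idmap ranges overlap: %s (%d-%d) and %s (%d-%d)\n", \
                               name[i], lo[i], hi[i], name[j], lo[j], hi[j] > "/dev/stderr"
                        bad = 1
                    }
            }
            if (!have_default) {
                print "no \"idmap config * : range\" defined" > "/dev/stderr"
                bad = 1
            }
            exit bad ? 1 : 0
        }
    ' "$1"
}
```

Run it as check_idmap_ranges /etc/samba/smb.conf. It reads a single file and does not follow include = lines; if you use those, run testparm -s into a temporary file first and check that.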

Concerning the +, & and @ prefixes:

A name starting with a ‘@’ is interpreted as an NIS netgroup first (if your system supports NIS), and then as a UNIX group if the name was not found in the NIS netgroup database.
A name starting with ‘+’ is interpreted only by looking in the UNIX group database via the NSS getgrnam() interface. A name starting with ‘&’ is interpreted only by looking in the NIS netgroup database (this requires NIS to be working on your system). The characters ‘+’ and ‘&’ may be used at the start of the name in either order so the value +&group means check the UNIX group database, followed by the NIS netgroup database, and the value &+group means check the NIS netgroup database, followed by the UNIX group database (the same as the ‘@’ prefix).

From: https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#INVALIDUSERS

To be sorted

sudo apt install samba winbind libpam-winbind libnss-winbind krb5-config samba-dsdb-modules samba-vfs-modules

Append winbind to the passwd and group databases in /etc/nsswitch.conf (passwd: files winbind and group: files winbind).

sudo smbcontrol all reload-config

getent passwd DOMAIN\\leo

With winbind use default domain = Yes (as in the smb.conf above), getent passwd leo works as well.