Difference between revisions of "Samba/Tips and tricks"

From ArchWiki
Jump to: navigation, search
(Redirect to Samba#Tips_and_tricks)
 
(25 intermediate revisions by 14 users not shown)
Line 1: Line 1:
[[Category:Networking]]
+
#REDIRECT: [[Samba#Tips_and_tricks]]
==Sample configuration==
 
The following simple configuration file allows for a quick and easy setup to share any number of directories, as well as easy browsing from Windows clients.
 
 
 
See {{ic|man [http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html smb.conf]}} for details and explanation of configuration options.
 
 
 
{{hc|/etc/samba/smb.conf|<nowiki>
 
[global]
 
    workgroup = WORKGROUP
 
    server string = Samba Server
 
    netbios name = SERVER
 
    name resolve order = bcast host
 
    dns proxy = no
 
 
 
    log file = /var/log/samba/%m.log
 
 
 
    create mask = 0664
 
    directory mask = 0775
 
 
 
    force create mode = 0664
 
    force directory mode = 0775
 
 
 
    ; One may be interested in the following setting:
 
    ;force group = +nas
 
 
 
[media1]
 
    path = /media/media1
 
    read only = No
 
 
 
[media2]
 
    path = /media/media2
 
    read only = No
 
 
 
[media3]
 
    path = /media/media3
 
    read only = No
 
</nowiki>}}
 
 
 
Remember to {{ic|testparm -s}} and {{ic|systemctl restart smbd nmbd}} after editing configuration files.
 
 
 
==Share files without a username and password==
 
Edit {{ic|/etc/samba/smb.conf}} and add the following line:
 
{{bc|<nowiki>map to guest = Bad User</nowiki>}}
 
 
 
After this line:
 
{{bc|<nowiki>security = user</nowiki>}}
 
 
 
Restrict the shares data to a specific interface replace:
 
{{bc|<nowiki>;  interfaces = 192.168.12.2/24 192.168.13.2/24</nowiki>}}
 
 
 
with:
 
 
 
{{bc|<nowiki>
 
interfaces = lo eth0
 
bind interfaces only = true</nowiki>}}
 
 
 
Optionally edit the account that access the shares, edit the following line:
 
{{bc|<nowiki>;  guest account = nobody</nowiki>}}
 
 
 
For example:
 
{{bc|<nowiki>;  guest account = pcguest</nowiki>}}
 
 
 
And do something in the likes of:
 
{{bc|<nowiki># useradd -c "Guest User" -d /dev/null -s /bin/false pcguest</nowiki>}}
 
 
 
Then setup a "" password for user pcguest.
 
 
 
The last step is to create share directory (for write access make writable = yes):
 
 
 
{{bc|<nowiki>
 
[Public Share]
 
path = /path/to/public/share
 
available = yes
 
browsable = yes
 
public = yes
 
writable = no
 
</nowiki>}}
 
 
 
{{note|Make sure the guest also has permission to visit /path, /path/to and /path/to/public, according to [http://unix.stackexchange.com/questions/13858/do-the-parent-directorys-permissions-matter-when-accessing-a-subdirectory http://unix.stackexchange.com/questions/13858/do-the-parent-directorys-permissions-matter-when-accessing-a-subdirectory]}}
 
 
 
=== Sample Passwordless Configuration ===
 
This is the configuration I use with samba 4 for easy passwordless filesharing with family on a home network. Change any options needed to suit your network (workgroup and interface). I'm restricting it to the static IP I have on my ethernet interface, just delete that line if you don't care which interface is used.
 
{{hc|/etc/samba/smb.conf|<nowiki>
 
[global]
 
 
 
  workgroup = WORKGROUP
 
 
 
  server string = Media Server
 
 
 
  security = user
 
  map to guest = Bad User
 
 
 
  log file = /var/log/samba/%m.log
 
 
 
  max log size = 50
 
 
 
 
 
  interfaces = 192.168.2.194/24
 
 
 
 
 
  dns proxy = no
 
 
 
 
 
[media]
 
  path = /shares
 
  public = yes
 
  only guest = yes
 
  writable = yes
 
 
 
[storage]
 
  path = /media/storage
 
  public = yes
 
  only guest = yes
 
  writable = yes
 
</nowiki>}}
 
 
 
== Samba Security ==
 
An extra layer of security can be obtainded by restricting your acceptable networks:
 
 
 
{{hc|/etc/samba/smb.conf|<nowiki>
 
hosts deny = 0.0.0.0/0
 
hosts allow = xxx.xxx.xxx.xxx/xx yyy.yyy.yyy.yyy/yy </nowiki>}}
 
 
 
If you're behind a firewall, make sure to open the ports Samba uses:
 
{{bc|
 
UDP/137 - used by nmbd
 
UDP/138 - used by nmbd
 
TCP/139 - used by smbd
 
TCP/445 - used by smbd}}
 
 
 
So a series of commands like this should suffice:
 
{{bc|
 
# iptables -A INPUT -p tcp --dport 139 -j ACCEPT
 
# iptables -A INPUT -p tcp --dport 445 -j ACCEPT
 
# iptables -A INPUT -p udp --sport 137 -j ACCEPT
 
# iptables -A INPUT -p udp --dport 137 -j ACCEPT
 
# iptables -A INPUT -p udp --dport 138 -j ACCEPT
 
}}
 
 
 
If you're basing your firewall upon Arch Linux's [[Simple Stateful Firewall]], just substitute the INPUT chain for the correspondent TCP and UDP chains.
 
 
 
== Adding network shares using KDE4 GUI ==
 
How to configure the folder sharing in KDE4. Simple file sharing limits user shared folders to their home directory and read-only access. Advanced file sharing gives full semantics of Samba with no limits to shared folders but requires su or sudo root permissions.
 
 
 
== Discovering network shares ==
 
If nothing is known about other systems on the local network, and automated tools such as [[Samba#smbnetfs|smbnetfs]] are not available, the following methods allow one to manually probe for Samba shares.
 
 
 
1. First, install {{Pkg|nmap}} and {{Pkg|smbclient}} using [[pacman]]:
 
# pacman -S nmap smbclient
 
 
 
2. {{ic|nmap}} checks which ports are open:
 
# nmap -p 139 -sT 192.168.1.*
 
 
 
In this case, a scan on the 192.168.1.* IP address range and port 139 has been performed, resulting in:
 
{{hc
 
|$ nmap -sT 192.168.1.*
 
|Starting nmap 3.78 ( http://www.insecure.org/nmap/ ) at 2005-02-15 11:45 PHT
 
Interesting ports on 192.168.1.1:
 
(The 1661 ports scanned but not shown below are in state: closed)
 
PORT    STATE SERVICE
 
'''139/tcp  open  netbios-ssn'''
 
5000/tcp open  UPnP
 
 
 
Interesting ports on 192.168.1.5:
 
(The 1662 ports scanned but not shown below are in state: closed)
 
PORT    STATE SERVICE
 
6000/tcp open  X11
 
 
 
Nmap run completed -- 256 IP addresses (2 hosts up) scanned in 7.255 seconds
 
}}
 
 
 
The first result is another system; the second happens to be the client from where this scan was performed.
 
 
 
3. Now that systems with port 139 open are revealed, use {{ic|nmblookup}} to check for NetBIOS names:
 
{{hc
 
|$ nmblookup -A 192.168.1.1
 
|Looking up status of 192.168.1.1
 
        PUTER          <00> -        B <ACTIVE>
 
        HOMENET        <00> - <GROUP> B <ACTIVE>
 
        PUTER          <03> -        B <ACTIVE>
 
        '''PUTER          <20> -        B <ACTIVE>'''
 
        HOMENET        <1e> - <GROUP> B <ACTIVE>
 
        USERNAME        <03> -        B <ACTIVE>
 
        HOMENET        <1d> -        B <ACTIVE>
 
        MSBROWSE        <01> - <GROUP> B <ACTIVE>
 
}}
 
 
 
Regardless of the output, look for '''<20>''', which shows the host with open services.
 
 
 
4. Use {{ic|smbclient}} to list which services are shared on ''PUTER''. If prompted for a password, pressing enter should still display the list:
 
{{hc
 
|$ smbclient -L \\PUTER
 
|<nowiki>
 
Sharename      Type      Comment
 
---------      ----      -------
 
MY_MUSIC        Disk
 
SHAREDDOCS      Disk
 
PRINTER$        Disk
 
PRINTER        Printer
 
IPC$            IPC      Remote Inter Process Communication
 
 
 
Server              Comment
 
---------            -------
 
PUTER
 
 
 
Workgroup            Master
 
---------            -------
 
HOMENET              PUTER
 
</nowiki>}}
 
 
 
This shows which folders are shared and can be mounted locally. See: [[#Accessing shares]]
 
 
 
== Remote control of Windows computer ==
 
Samba offers a set of tools for communication with Windows. These can be handy if access to a Windows computer through remote desktop is not an option, as shown by some examples.
 
 
 
Send shutdown command with a comment:
 
 
$ net rpc shutdown -C "comment" -I IPADDRESS -U USERNAME%PASSWORD
 
A forced shutdown instead can be invoked by changing -C with comment to a single -f. For a restart, only add -r, followed by a -C or -f.
 
 
 
Stop and start services:
 
 
$ net rpc service stop SERVICENAME -I IPADDRESS -U USERNAME%PASSWORD
 
 
 
To see all possible net rpc command:
 
 
 
$ net rpc
 
 
 
== Block certain file extensions on samba share ==
 
Samba offers an option to block files with certain patterns, like file extensions. This option can be used to prevent dissemination of viruses or to disuade users from wasting space with certain files:
 
 
 
Veto files = /*.exe/*.com/*.dll/*.bat/*.vbs/*.tmp/*.mp3/*.avi/*.mp4/*.wmv/*.wma/
 
 
 
== Samba 4.* : Password Complexity  ==
 
 
 
Samba 4 requires strong password when adding new user with pdbedit. If you want to disable the complexity check, just use the follwing command:{{bc|
 
# samba-tool domain passwordsettings set --complexity&#61;off
 
}}
 
 
 
== Performance Optimization ==
 
 
 
{{hc|/etc/samba/smb.conf|<nowiki>
 
[global]
 
    socket options = IPTOS_THROUGHPUT SO_KEEPALIVE TCP_CORK
 
    use sendfile = true
 
</nowiki>}}
 
 
 
{{note|Imagine that the application using sendfile() transfers bulk data. Application protocols usually require sending some information that helps interpret the data first, known as a header. Typically, the header is small, and the TCP_NODELAY is set on the socket. The packet with the header will be transmitted immediately and, in some cases (depending on internal packet counters), it could even cause a request of acknowledgement that this packet was successfully received by the other side. Thus, the transfer of bulk data will be delayed and unnecessary network traffic exchanged. In particular, to minimize the number of network operations, the sendfile() syscall should be used together with the TCP/IP option called TCP_CORK. We recommend setting the TCP_CORK option when you're sure that you will be sending multiple data sets together (such as header and a body of HTTP response), with no delays between them. This can greatly benefit the performance of WWW, FTP, and file servers, as well as simplifying your life.}}
 

Latest revision as of 15:08, 7 May 2016