Samba/Tips and tricks

From ArchWiki
< Samba
Revision as of 22:46, 15 April 2013 by Ealrann (Talk | contribs)

Jump to: navigation, search

Sample configuration

The following simple configuration file allows for a quick and easy setup to share any number of directories, as well as easy browsing from Windows clients.

See man smb.conf for details and explanation of configuration options.

    workgroup = WORKGROUP
    server string = Samba Server
    netbios name = SERVER
    name resolve order = bcast host
    dns proxy = no

    log file = /var/log/samba/%m.log

    create mask = 0664
    directory mask = 0775

    force create mode = 0664
    force directory mode = 0775

    ; One may be interested in the following setting:
    ;force group = +nas

    path = /media/media1
    read only = No

    path = /media/media2
    read only = No

    path = /media/media3
    read only = No

Remember to testparm -s and systemctl restart smbd nmbd after editing configuration files.

Share files without a username and password

Edit /etc/samba/smb.conf and add the following line:

map to guest = Bad User

After this line:

security = user

Restrict the shares data to a specific interface replace:

;   interfaces =


interfaces = lo eth0
bind interfaces only = true

Optionally edit the account that access the shares, edit the following line:

;   guest account = nobody

For example:

;   guest account = pcguest

And do something in the likes of:

# useradd -c "Guest User" -d /dev/null -s /bin/false pcguest

Then setup a "" password for user pcguest.

The last step is to create share directory (for write access make writable = yes):

[Public Share]
path = /path/to/public/share
available = yes
browsable = yes
public = yes
writable = no

Samba Security

An extra layer of security can be obtainded by restricting your acceptable networks:

hosts deny =
hosts allow = yyy.yyy.yyy.yyy/yy 

If you're behind a firewall, make sure to open the ports Samba uses:

UDP/137 - used by nmbd
UDP/138 - used by nmbd
TCP/139 - used by smbd
TCP/445 - used by smbd

So a series of commands like this should suffice:

# iptables -A INPUT -p tcp --dport 139 -j ACCEPT
# iptables -A INPUT -p tcp --dport 445 -j ACCEPT
# iptables -A INPUT -p udp --sport 137 -j ACCEPT
# iptables -A INPUT -p udp --dport 137 -j ACCEPT
# iptables -A INPUT -p udp --dport 138 -j ACCEPT

If you're basing your firewall upon Arch Linux's Simple Stateful Firewall, just substitute the INPUT chain for the correspondent TCP and UDP chains.

Adding network shares using KDE4 GUI

How to configure the folder sharing in KDE4. Simple file sharing limits user shared folders to their home directory and read-only access. Advanced file sharing gives full semantics of Samba with no limits to shared folders but requires su or sudo root permissions.

Discovering network shares

If nothing is known about other systems on the local network, and automated tools such as smbnetfs are not available, the following methods allow one to manually probe for Samba shares.

1. First, install nmap and smbclient using pacman:

# pacman -S nmap smbclient

2. nmap checks which ports are open:

# nmap -p 139 -sT 192.168.1.*

In this case, a scan on the 192.168.1.* IP address range and port 139 has been performed, resulting in:

$ nmap -sT 192.168.1.*
Starting nmap 3.78 ( ) at 2005-02-15 11:45 PHT
Interesting ports on
(The 1661 ports scanned but not shown below are in state: closed)
139/tcp  open  netbios-ssn
5000/tcp open  UPnP

Interesting ports on
(The 1662 ports scanned but not shown below are in state: closed)
6000/tcp open  X11

Nmap run completed -- 256 IP addresses (2 hosts up) scanned in 7.255 seconds

The first result is another system; the second happens to be the client from where this scan was performed.

3. Now that systems with port 139 open are revealed, use nmblookup to check for NetBIOS names:

$ nmblookup -A
Looking up status of
        PUTER           <00> -         B <ACTIVE>
        HOMENET         <00> - <GROUP> B <ACTIVE>
        PUTER           <03> -         B <ACTIVE>
        PUTER           <20> -         B <ACTIVE>
        HOMENET         <1e> - <GROUP> B <ACTIVE>
        USERNAME        <03> -         B <ACTIVE>
        HOMENET         <1d> -         B <ACTIVE>
        MSBROWSE        <01> - <GROUP> B <ACTIVE>

Regardless of the output, look for <20>, which shows the host with open services.

4. Use smbclient to list which services are shared on PUTER. If prompted for a password, pressing enter should still display the list:

$ smbclient -L \\PUTER
Sharename       Type      Comment
---------       ----      -------
MY_MUSIC        Disk
PRINTER$        Disk
PRINTER         Printer
IPC$            IPC       Remote Inter Process Communication

Server               Comment
---------            -------

Workgroup            Master
---------            -------
HOMENET               PUTER

This shows which folders are shared and can be mounted locally. See: #Accessing shares

Remote control of Windows computer

Samba offers a set of tools for communication with Windows. These can be handy if access to a Windows computer through remote desktop is not an option, as shown by some examples.

Send shutdown command with a comment:

$ net rpc shutdown -C "comment" -I IPADDRESS -U USERNAME%PASSWORD

A forced shutdown instead can be invoked by changing -C with comment to a single -f. For a restart, only add -r, followed by a -C or -f.

Stop and start services:


To see all possible net rpc command:

$ net rpc

Block certain file extensions on samba share

Samba offers an option to block files with certain patterns, like file extensions. This option can be used to prevent dissemination of viruses or to disuade users from wasting space with certain files:

Veto files = /*.exe/*.com/*.dll/*.bat/*.vbs/*.tmp/*.mp3/*.avi/*.mp4/*.wmv/*.wma/

Samba 4.* : Password Complexity

Samba 4 requires strong password when adding new user with pdbedit. If you want to disable the complexity check, just use the follwing command:
# samba-tool domain passwordsettings set --complexity=off