Sharing with Samba

Install Samba
Installing Samba in OpenBSD
sudo -i pkg_add -ivv samba


Configuring Samba
Related info

Here is a pointer to a related/relevant resource:

The smbd man page states, “Please note that there are significant security implications to running this server, and the smb.conf(5) manual page should be regarded as mandatory reading before proceeding with installation.” For private use on a secured network that is sufficiently protected from outside influence that security is a non-concern, this guide ought to be sufficient. (For mission-critical production use, it is hard to ethically suggest that people be unfamiliar with official documentation. So, to avoid being irresponsible, this guide makes no such recommendation.)

Creating user(s)

Create users, e.g.: _smbuser

  • This user does NOT need permission to elevate privileges, nor remote access. (Do NOT add the user to “wheel” nor “_sshok”.)
  • The user also does NOT need a password to log in.
  • Backing up the user database...
  • adding users

You may wish to set the shell to /sbin/nologin (while creating the user, or afterwards using “ sudo chsh username ”, “ sudo -E vipw ”, or another available option).

If you accidentally set any options undesirably (like providing a password that would allow the user to potentially log in), you may wish to edit the user database. (Of course, the official recommendations are to start by backing up the user database...)

sudo -E vipw
Modifying config file
cpytobak /etc/samba/smb.conf
echo ${VISUAL}
sudoedit /etc/samba/smb.conf
workgroup name
   workgroup = WORKGROUP

You're welcome to customize this. (15 character limit)

smbclient will refer to this as the “Domain”.

   workgroup = SAMPLENET
server string
   server string = Samba Server

You're welcome to customize this.

smbclient will show this as a comment next to the “IPC$” resource.

   server string = Something
hosts allow

customizing recommended

e.g.

hosts allow = 2001:db8:1::/125 198.51.100.

In the previous example, the address of 198.51.100. was used. For IPv4, if an address does not have four octets, and it ends with a period, then Samba treats that as a range consisting of all addresses that start with whatever portion was specified. So this equates to the same as “198.51.100.0/24”.

You can also use multiple lines.

hosts allow = 2001:db8:1::/125 198.51.100.0/29 \
192.0.2.

Actually, the prior examples were just used for demonstration of a specific syntax. To be consistent with the demonstration subnets (used by this guide), the configuration would look more like:

hosts allow = 2001:db8:1::/125 198.51.100.0/29
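As an added example (not from the original guide), a small Python model of how a “hosts allow” value is matched against a connecting client's address: trailing-period prefixes, CIDR ranges for IPv4 and IPv6, and the backslash line continuation shown above. It models only the address forms this guide uses; hostnames, netgroups and Samba's EXCEPT keyword are left out, and GUIDE_HOSTS_ALLOW is a constructed value.

```python
import ipaddress

# Constructed: the multi-line value from this guide, as stored in smb.conf
# (a trailing backslash continues the value onto the next line).
GUIDE_HOSTS_ALLOW = "2001:db8:1::/125 198.51.100.0/29 \\\n192.0.2."

def parse_hosts_allow(value):
    """Split a 'hosts allow' value into tokens, honouring backslash continuation."""
    return value.replace("\\\n", " ").split()

def token_matches(token, addr):
    """Does one 'hosts allow' token cover the client address (an ip_address object)?"""
    if token.endswith(".") and addr.version == 4:
        # "198.51.100." means every IPv4 address beginning with that prefix (i.e. /24)
        return str(addr).startswith(token)
    if "/" in token:
        # CIDR or address/netmask form, IPv4 or IPv6, e.g. 2001:db8:1::/125
        return addr in ipaddress.ip_network(token, strict=False)
    try:
        return addr == ipaddress.ip_address(token)      # a single literal address
    except ValueError:
        return False   # hostnames, netgroups and EXCEPT clauses are not modelled here

def host_allowed(hosts_allow, client):
    """Would a client at this address pass the given 'hosts allow' value?"""
    addr = ipaddress.ip_address(client)
    return any(token_matches(t, addr) for t in parse_hosts_allow(hosts_allow))
```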
passdb backend
This documentation was made based on using:
passdb backend = smbpasswd

That might be a rather old method, and it is possible that these instructions should be updated to use tdbsam or ldapsam but, for now, these instructions are using an older style that has been known to work.

Supporting LANMAN

LANMAN support has been dropped due to security weaknesses. However, some clients may rely on LANMAN support. Examples of such clients include:

  • Sharity-Light (for Unix)
  • Microsoft Windows 98

Use “ passdb backend = smbpasswd ”.

Also place the following two lines in the configuration file:

  • ...

    lanman auth = yes

    (Placing that just below the passdb line seems to make some sense.)

  • Also, the following line is needed. This is probably already set, so look for this before adding it.

    security = user

    This may solve some compatibility issues (e.g., Win98), while creating others that are more easily solvable (e.g., Win7). See: SMB support for older software.

Interfaces
List all IP subnets on which the server may listen for traffic; these are the subnets of the network interface(s) that Samba is listening on.
interfaces = 2001:db8:1::/125 198.51.100.0/29
dns proxy
This defaults to no. It seems like it would be incredibly useful, but for now this guide leaves it at no; it may be worthwhile to see whether setting it to yes is a good idea.
Shares

There are some default sections describing shares:

[homes]

and

[printers]

For now, this guide leaves those alone, permitting whatever default behaviors come with the stock installation.

We'll add some new shares to the end of the file. First, come up with the name of the share, and place it in brackets.

[mystuff]

Then, below that line, place some other lines that specify relevant configuration.

comment = Description of Share (Read-Only)
path = /fullpath/dirname
public = yes
writable = no
valid users = _smbuser root

The user's password should be documented somewhere sensible. If an administrator is classy, the password will get stored in a good location. If security is an almost non-existent consideration, and you want to make things convenient for other administrators (at the cost of doing something rather stupid from a security perspective), a comment like the following example is something that could be added (but which is NOT recommended).

; _smbuser password is CANREAD
create mask = 0755

If the share is writable, then specifying a “create mask” value seems sensible.
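Beyond the syntax check that testparm performs, here is an added example (not part of this guide) that reads the [global] and share settings the guide walks through and flags the ones with security implications: lanman auth, a writable share without create mask, and a password recorded in a comment. It goes one step beyond the text by also noting when interfaces is set without bind interfaces only, since without that setting smbd still listens on every address; SAMPLE_SMB_CONF is a constructed config, and the parser handles only the simple “key = value” form used here.

```python
# Constructed sample: this guide's settings plus the password-in-a-comment anti-pattern.
SAMPLE_SMB_CONF = """\
[global]
   hosts allow = 2001:db8:1::/125 198.51.100.0/29
   interfaces = 2001:db8:1::/125 198.51.100.0/29
   lanman auth = yes
   security = user
[mystuff]
   path = /fullpath/dirname
   writable = yes
   ; _smbuser password is CANREAD
"""

def parse_smb_conf(text):
    """Minimal smb.conf reader: ({section: {key: value}}, {section: [comment text]})."""
    params, comments, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line: continue
        if line[0] in ";#":                      # smb.conf accepts both comment markers
            comments.setdefault(current, []).append(line[1:].strip())
        elif line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            params.setdefault(current, {})
        else:
            key, _, value = line.partition("=")
            params[current][key.strip().lower()] = value.strip()
    return params, comments

def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")

def audit_smb_conf(text):
    """Return a list of findings for the settings this guide discusses; [] means clean."""
    params, comments = parse_smb_conf(text)
    g, findings = params.get("global", {}), []
    if "hosts allow" not in g:
        findings.append("global: no 'hosts allow', so any reachable host may connect")
    if is_yes(g.get("lanman auth", "no")):
        findings.append("global: 'lanman auth = yes' enables the weak LANMAN hashes")
    if "interfaces" in g and not is_yes(g.get("bind interfaces only", "no")):
        findings.append("global: 'interfaces' is set without 'bind interfaces only = yes', "
                        "so smbd still listens on every address")
    for name, s in params.items():
        if name == "global": continue
        writable = is_yes(s.get("writable", "no")) or s.get("read only", "").lower() == "no"
        if writable and "create mask" not in s:
            findings.append(f"[{name}]: writable share without 'create mask'")
        if any("password" in c.lower() for c in comments.get(name, [])):
            findings.append(f"[{name}]: a comment appears to record a password")
    return findings
```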

Perform some config file checking
testparm
Secure the network

Understand that SMB passwords have not been set at this point. However, the online HTML version of the manual page for the smbpasswd command notes that this program “communicates with a locally running” copy of an SMB server. “As a consequence in order for this to succeed the smbd daemon must be running on the local machine.” So, passwords are not going to be set before the server is running. Restrict network access as needed to make sure that isn't a security problem. For instance, make sure that any untrusted “network” communication/traffic would need to go through a firewall to reach this server, and make sure that firewall does not permit untrusted traffic to reach this server.

Starting the server

Then, once the configuration file is made and any other necessary security is implemented, go ahead and start the server.

Newer method
sudo /etc/rc.d/smbd start
echo ${?}
sudo /etc/rc.d/smbd check
echo ${?}
sudo /etc/rc.d/nmbd start
sudo /etc/rc.d/nmbd check
Older method
Run the server, sudo /usr/local/libexec/smbd.

Also, some things may work better by then running the NetBIOS name server (after running the Server Message Block server). So, after running “ sudo /usr/local/libexec/smbd ”, run “ sudo /usr/local/libexec/nmbd ”.

...

Reloading the configuration

It is believed that the “Faster style” is probably faster, because the whole program won't need to entirely restart.

Faster style

Send SIGHUP:

sudo kill -HUP $( cat /var/run/smbd.pid )
sudo kill -HUP $( cat /var/run/nmbd.pid )
Newer style
sudo /etc/rc.d/smbd reload
sudo /etc/rc.d/nmbd reload
Debugging

Look for logs. For instance, in OpenBSD, look under /var/log/samba/ (e.g., the /var/log/samba/log.nmbd file), while other systems might use other locations (forum post refers to a /etc/var/log/samba/smbd.log file).

Original test: Listing Resources

It is generally nicest to have the server share at least some data in a non-hidden fashion. That way, “ smbclient -N -L 198.51.100.65 ” can be used to help verify that basic communication with the server is successful, even without needing to muck around with handling the authentication (a.k.a. “login credentials”, passwords).

Setting the passwords

First, the user should exist on the Unix system.

Upon starting Samba, a log message may have been written (to the standard system log file, e.g. /var/log/messages) stating: “startsmbfilepwent_internal: file /etc/samba/smbpasswd did not exist. File successfully created.” (The created file is left at zero bytes.)

To change the password:

sudo smbpasswd -a -U username
Related documentation

This is also documented here: Server Message Block sharing, section called “Changing passwords of the user accounts handled by the SMB server”

Firewall settings
On the system with the SMB client
if using OpenBSD PF
cpytobak /etc/pf.conf
echo| sudo -n tee -a /etc/pf.conf
echo \# Enable outgoing SMB| sudo -n tee -a /etc/pf.conf
echo pass out quick proto tcp from self \\| sudo -n tee -a /etc/pf.conf
echo \\tto { 2001:db8:1::65 198.51.100.65 } \\| sudo -n tee -a /etc/pf.conf
echo \\tport { microsoft-ds netbios-ssn } modulate state| sudo -n tee -a /etc/pf.conf
echo ${VISUAL}
sudoedit /etc/pf.conf

Review

sudo pfctl -nf /etc/pf.conf
echo ${?}
sudo pfctl -nf /etc/pf.conf&&sudo pfctl -ef /etc/pf.conf
On the system with the SMB server
if using OpenBSD PF
cpytobak /etc/pf.conf
echo| sudo -n tee -a /etc/pf.conf
echo \# Enable incoming SMB| sudo -n tee -a /etc/pf.conf
echo pass in quick proto tcp\\| sudo -n tee -a /etc/pf.conf
echo \\tfrom { 2001:db8:1::81 198.51.100.81 } \\| sudo -n tee -a /etc/pf.conf
echo \\tto self port { microsoft-ds netbios-ssn } keep state| sudo -n tee -a /etc/pf.conf
echo ${VISUAL}
sudoedit /etc/pf.conf

Review

sudo pfctl -nf /etc/pf.conf
echo ${?}
sudo pfctl -nf /etc/pf.conf&&sudo pfctl -ef /etc/pf.conf
Test logging in

From a system that has the smbclient software (which probably includes the system running the smbd software):

smbclient -U _smbuser \\\\192.0.2.65\\sharename

This will create an interactive session, providing the user with a prompt that is similar to ftp. Some commands worth trying may be ? and dir and quit (or exit -- either synonym works).

Troubleshooting
See the notes elsewhere on this page (e.g., about LANMAN). Forum thread, post #18 mentions -k for using Kerberos to work with Active Directory.
Auto-start

On the system running the SMB server:

Autostarting Samba in OpenBSD
New versions
cpytobak /etc/rc.local
echo| sudo -n tee -a /etc/rc.local
echo /etc/rc.d/smbd start| sudo -n tee -a /etc/rc.local
echo /etc/rc.d/smbd check| sudo -n tee -a /etc/rc.local
echo /etc/rc.d/nmbd start| sudo -n tee -a /etc/rc.local
echo /etc/rc.d/nmbd check| sudo -n tee -a /etc/rc.local
echo ${?}
sudoedit /etc/rc.local

You may wish to place the new text somewhere earlier than the very end of the file. For instance, if the last command in the file runs ifconfig, keeping that output from scrolling off the screen is typically most convenient.

Mounting

This is covered by: VM: File sharing, “Accessing files” section.