Aerospace Software Ltd.

The Samba Debug Howto

Mandrake Linux 10.2, Limited Edition 2005

Scope

Samba is a free implementation of the Server Message Block protocol, first developed by IBM and now used by Microsoft. It can be rather trying to get a Samba server up and going, but the important thing to remember is that smbclient is your friend.

Also see this guide: Samba SSH Tunnel Howto.

NEVER give up... ;-)

Wizards

Mandriva has a Samba setup wizard, but it is not installed by default. Run MCC (drakconf) and go to the Software Install wizard (rpmdrake). Search for 'wizard' and install it. Then exit MCC and run it again. You will now see many more server wizards. Look around for the Samba wizard and run it. It is quite self explanatory and will result in a sane and functional system.

On Windows client machines, run the network wizard. You either have to disable the built-in firewall (not recommended except for debugging), or change the firewall settings to enable File and Printer Sharing (recommended). Otherwise, nothing will work.

Sharing a Linux Folder with a Windows Machine

OK, so you ran the Samba wizard, went to a Windows machine and tried to browse the net... Grrr... Now what?

First of all, log out of Windows and log back in again, then try to browse the network again. This forces the Windows machine to authenticate against the Linux machine. If it works, Cool! You're da man! Get outta here! If not, keep reading.

Ensure that the users have the same usernames and passwords on Linux and Windows. Apart from creating a Linux user with userdrake, you also have to create a Samba password with 'smbpasswd -a username password' for each user. Keep all three usernames and passwords the same and save yourself a whole lot of hair.

In addition, ensure that the WORKGROUP is set the same in /etc/samba/smb.conf on each Linux machine and also on each Windows machine in the Windows network wizard.

I usually create a user and group called samba, make each user a member of that group and ensure that the public shares are set to that group.

Note that once connected, a Windows user can change his Windows password and Samba will then also change his Linux password to match, but to get connected the first time, things have to be the same.

$ chown -R samba:samba /home/sharename

Files in Samba, need to be marked as executable, to be useable from a Windows client, since the executable flag is used for some other DOS purpose. Therefore you may want to set the Samba share permissions as:

$ chmod -R 775 sharename

Debugging Samba Server Issues

Here are a few pointers for debugging Samba:

a. Are smbd and nmbd running?

$ ps -e | grep smbd
$ ps -e | grep nmbd

b. Can you connect to a share using smbclient?

$ smbclient //111.222.333.444/sharename

or
$ smbclient //111.222.333.444 -U username%password

c. Is your workgroup/domain in smb.conf correct?

$ head /etc/samba/smb.conf

As root, do 'service smb restart' after editing smb.conf.

d. Do things show up when you scan with smbclient?

$ smbclient -L //111.222.333.444 -N

or
$ smbclient -L //111.222.333.444 -U username%password

e. Do the owner and group permissions of the shares make sense?

$ ls -al /home/sharename

I usually create a user and group called samba, make each user a member of that group and ensure that the public shares are set to that group:

$ chown -R samba:samba /home/sharename

f. Files in Samba, need to be marked as executable, to be useable from a Windows client, since the executable flag is used for some other DOS purpose. Therefore you may want to set the Samba share permissions as:

$ chmod -R 775 sharename

g. Unfortunately, msec will go around once per hour and screw the permissions up for you, so you may want to either configure msec to ignore the Samba shares, or simply remove msec altogether (from cron.hourly and cron.weekly), since it is just an annoyance on a Samba server.

h. If you can't connect at all, did you forget to define the user and password?

# smbpasswd -a username password

Things are a whole lot easier to get going, if the Unix, Samba and Windows username and password are all the same, for each and every user...

Sharing a Windows Folder with a Linux Machine

You have to understand how the server/client idea works. The machine that wants to share a folder, must run a samba server. On Linux, this server is called smb and nmb - they go together. On Windows, the server is called, wait for it, drum roll, server.

You can start/stop the Windows server with the command 'net stop server' and 'net start server'. You can start/stop the Linux server with the command 'service smb restart'.

Therefore, if you only wish to share a Windows drive with a Linux box, then you only need to run 'server' on the Windows box. Linux need not run smb. However the WORKGROUP setting in smb.conf MUST BE CORRECT. Windows starts the server, as soon as you Enable File and Printer Sharing and drag a folder to the Shared Folder - once this server is running, Windows will always run it at startup - there is no easy way to convince Windows to permanently shut the damn thing up again, short of uninstalling it.

If you wish to share a Linux drive with a Windows box, then you have to run smb and nmb and you don't need to run 'server' on the Windows box, but in all cases, you HAVE to enable File and Printer Sharing in the Windows firewall, else the traffic can't get to the Linux box.

Further, if you are only sharing a Windows drive, then the user names and passwords need not be the same anywhere because you can easily specify them when you connect from the Linux box.

If you are sharing a Linux drive, then it is easier if the user names and passwords are the same on Windows/Linux, since the Windows login method is seriously crippled and Windows users don't like it when they get random login pop-up windows while they are browsing shares.

Debugging Windows Shared Folder Issues

If you want to connect from a Linux machine to a shared folder on a Windows machine, then you need to be very familiar with the smbclient program. Here are a few pointers:

BTW, to share folders from Windoze, you MUST have PASSWORDS for your users, else it won't work. The Windoze login routines are rather cripple. So run the Windows User wizard and fix things if you don't have passwords enabled, else nothing will work...

"Error returning browse list: NT_STATUS_ACCESS_DENIED"

This error is very common and can drive you up the wall. It means your username/password/WORKGROUP is wrong - it ain't gonna tell you which one... The good news is that the request got through the Windows firewall and the Windows server is running, so at least that is ruled out.

Try something like this to browse:

smbclient -L //odin/music/ -N

smbclient -L //odin/music/ -U myusername%mypassword

and this to log in and get a smb> prompt:

smbclient //odin/music -U myusername%mypassword

The smb> prompt works like a FTP client and you can copy and delete files and so on.

Mounting SMB Shares

You can experiment on the command line, till you have the correct options, then put it in /etc/fstab:

# smbmount //netbiosname/share sambadir -o \
    username=user%password,fmask=0777, \
    dmask=0777,ip=127.0.0.1

The fmask and dmask values determine how new files and directories will be created.

Add ',user' to the options list in fstab, to allow any user to mount the SMB share.

Security

Ensure that the following ports are blocked in your firewall: 135:139, 445 and 631, with for example, rules like this:

iptables -A FORWARD -p tcp --dport 135:139 -j DROP
iptables -A FORWARD -p tcp --dport 445 -j DROP
iptables -A FORWARD -p tcp --dport 631 -j DROP

That will prevent Windows clients from advertising themselves to the whole world and attracting malicious attention.

Scan your system from another host with nmap:

# nmap -sT -P0 -v -F 111.222.333.444

Then to find out what is hooked to the open ports discovered by nmap, run netstat on the Samba server:

# netstat -v -n -p -l

Plug all holes, or stop the services if they are not needed, else your Samba server isn't going to live very long.

Passwords

Sometimes, it is handy to configure users in bulk, using a Bash script. The smbpasswd utility supports this, but the syntax is rather obscure. The following method works and was figured out through trial and terror:

echo -e "$password\n$password" | smbpasswd -s -a $user

The '-s' silent switch is the key. It causes smbpasswd to accept input from standard input and suppresses asking for the old password. It still requires confirmation, so you need to supply the new password twice.

If the password is in a file, then something like the following method also works:

echo -e "$password\n$password" > /tmp/pass
smbpasswd -s -a $user < /tmp/pass

Conclusion

In general, the GUI tools such as Konqueror, smb4k and LinNeighborhood, are only useful when things work.

When things go wrong, you have to use the command line tools, in order to see the error messages. It really helps if smbclient tells you that your password has expired for example - a GUI tool will never tell you that, it just won't work, leaving you scratching your head.

Note that if you can't connect with smbclient, then there is absolutely NO WAY that you are going to connect with any other method either...

Have fun!

Herman