Maxmilian's notes on smb.conf

Some time ago I created this CZ post, Maxovy poznamky k smb.conf, with my notes on smb.conf:

Here is an ENG translation (not perfect, but I tried my best):
```
## Sources: Samba.org, Archlinux wiki, OpenWRT wiki
### Important files
## 1. /etc/config/samba                                                  ==> uci config
## 2. /etc/samba/smb.conf.template                                       ==> uci samba template
## 3. /etc/samba/smb.conf -> /var/etc/smb.conf (i.e. /tmp/etc/smb.conf) ==> runtime config, actually used by samba
## 4. /etc/samba/smbpasswd                                               ==> db with passwords
## 5. /var/log/log.smbd                                                  ==> samba log, usually empty, everything goes to syslog (unless set differently)
## 6. /var/log/log.nmbd                                                  ==> name-server log, usually empty, everything goes to syslog (unless set differently)
### QuickGuide
## create user "samba_user" using "useradd"/"adduser"
## set the Unix password with "passwd"
## synchronize that user/password with samba using "smbpasswd"
## create the same user with the same samba password on all clients
## --> or rather, it is not necessary if you only want to connect the shared folder for reading (if you want to write, you have to set it)
## ==> it is necessary to connect as that user initially and provide credentials
## --> if the username/password is not (cannot be) the same, you have to map between the unix and win worlds
## set chown/chmod on the future shared folder (samba_user:users)
## or ensure that the mount of that filesystem is accessible by samba_user (there is a big difference between a linux FS and NTFS/FAT)
## --> ntfs is mounted via user-space (fuse), not directly via a kernel module. If you want ntfs to be writable you will face some issues with the fuse-ntfs module, due to unix vs samba vs ntfs rights
## --> it is better to share a local folder/mount and test samba on it first
## --> later you can add content via symlink/link, mount, bind/rbind
## ==> in general using NTFS on TOS brings a lot of issues, so try to avoid such a situation
## ----------------------------------------------------------
## /mnt/
drwxr-xr-x    4 samba_user  users         4096 May 14 20:46 MyShare
drwxr-xr-x    4 samba_user  users         4096 May 14 20:46 MyData
## ----------------------------------------------------------
## /mnt/MyShare                                                                                       ## shared folder
lrwxrwxrwx    1 root     root            33 Dec  8  2016 Torrents -> ../MyData/InBound/TorrentFiles/  ## symlink to folder on another mount (Transmission watch folder)
lrwxrwxrwx    1 root     root            27 Dec  8  2016 Upload   -> ../MyData/InBound/Upload/        ## symlink to folder on another mount (upload folder)
lrwxrwxrwx    1 root     root            30 Dec  8  2016 Download -> ../MyData/OutBound/Download/     ## symlink to folder on another mount (download folder)
drwxr-xr-x    5 samba_user  users      4096 Mar 31 16:11 Video
## ----------------------------------------------------------
## /mnt/MyData/                                                            ## data folder
drwxr-xr-x    5 samba_user  users         4096 Oct 31  2016 Torrent        ## main folder for Transmission
drwxr-xr-x    3 samba_user  users         4096 Oct 31  2016 InBound        ## main folder for inbound data (ftp, smb, torrent, irc)
drwxr-xr-x    2 root        root          4096 Dec  8  2016 Users          ## symlinks or bind/mount from users to users
drwxr-xr-x    3 samba_user  users         4096 Dec  8  2016 OutBound       ## main folder for outbound data
drwxr-xr-x    7 root        root          4096 Dec  8  2016 vsFtpRoot      ## root/chroot folder for vsftpd
drwxr-xr-x    2 root        root          4096 Dec  9  2016 ngIrcdRoot     ## root/chroot folder for ngircd
## ----------------------------------------------------------
## /etc/config/samba
config samba
        option name 'XXXXX'
        option workgroup 'XXXXXXX'      ## using WORKGROUP brings fewer issues with Win8/Win10 stations
                                        ## Note: but it is better to use your own group name (see the notes below)
        option homes '0'                ## disable sharing of home folders
                                        ## note: without further options (without a dedicated samba user)
                                        ## users can traverse outside the share folder (and for me that is a security breach)
        option description 'XXXXXXX'
config sambashare
        option name 'MyShare'           ## network share name  >> \\192.168.1.1\MyShare
        option path '/mnt/MyShare'      ## path to the shared folder
        option read_only 'no'           ## in other words: writeable=yes
        option guest_ok 'no'            ## no guest user
        option users 'samba_user'       ## allow access to: samba_user
        option dir_mask '0775'          ## UNIX permission mask for new directories (becomes "directory mask")
        option create_mask '0664'       ## UNIX permission mask for new files (becomes "create mask")
## ----------------------------------------------------------
## /tmp/etc/smb.conf                    ## generated from the uci config and the template, used by the smb service
## ----------------------------------------------------------
[global]
        netbios name = XXXXXXXXX        ## network name in "netview" --> \\XXXXXXX\MyShare
        display charset = UTF-8
        interfaces = 127.0.0.1/8 lo 192.168.1.1/24 br-lan ## interfaces samba may listen on; not present in the uci config, the generated config contains "interfaces = lo br-lan" automatically
        server string = XXXXXXXXXXXXXX  ## server description
        unix charset = UTF-8
        workgroup = XXXXXXXXXXXXX       ## samba workgroup name, add all client stations to this workgroup
        browseable = yes                ## enable listing of shared folders in "netview"
        deadtime = 30                   ## session timeout (minutes of inactivity)
        local master = yes              ## we want TOS to be the local master browser
        domain master = yes             ## we do not want any other host to win the election for domain master (many Win10 and samba 4.x hosts try it)
                                        ## if some host with a different homegroup becomes master, you will have issues
        preferred master = yes          ## when there might be two masters, we prefer TOS to be the master
        encrypt passwords = true        ## enable password encryption (the default)
        enable core files = no          ## do not write "core" files
        guest account = nobody          ## unix account used for guests
        guest ok = yes                  ## enable guest globally (you can disable it per share later on, or set it globally to NO, which is the safer default)
        invalid users = root            ## root is not allowed to use samba
        load printers = no              ## no printers
        map to guest = Bad User         ## logins with an unknown username are treated as "guest" (a wrong password for an existing user is still rejected)
        max protocol = SMB2             ## highest dialect offered is SMB2; SMB3 is disabled, SMB1 (NT1) is still allowed unless min protocol is raised
      # min protocol = SMB2             ## uncomment this to refuse SMB1; min/max together set the range of allowed "dialects"
        min receivefile size = 16384    ## writes above this size go straight from the socket to the file (speeds up samba)
        null passwords = no             ## no empty passwords
        obey pam restrictions = yes     ## apply PAM account/session rules; note samba never uses PAM for the authentication itself when encrypt passwords = true
        os level = 20                   ## a higher number increases the probability of winning the master election
                                        ## theoretically with os level = 65 you do not need the directives that force winning the election
        passdb backend = smbpasswd      ## password database is the smbpasswd file --> run smbpasswd for each samba user
        printable = no                  ## disable writing to the spool
        security = user                 ## security level: user, share, domain
                                        ## user --> every client authenticates as a unix/samba user with a password, once per session
                                        ## share --> like "user", but auth is per shared folder (removed in Samba 4.0, do not rely on it)
                                        ## domain --> you do not want this ..... and if you have AD/DC you probably have the samba server on the domain controller
        smb encrypt = disabled          ## no SMB encryption on the wire; with SMB3 clients consider "desired" or "required"
        smb passwd file = /etc/samba/smbpasswd      ## file with samba passwords
        socket options = TCP_NODELAY IPTOS_LOWDELAY ## local network options to make samba faster :)
        syslog = 2                      ## verbosity of logging to syslog
        use sendfile = yes              ## slightly faster file transfers for new clients; for older (win9.x) clients it might bring some issues
        writeable = yes                 ## enable writing
        force user = samba_user         ## all file access happens as this unix user
        force directory mode = 0775     ## UNIX bits OR'ed into every new directory (you can change it per share)
        force create mode = 0664        ## UNIX bits OR'ed into every new file (you can change it per share)
        allow insecure wide links = yes ## let "wide links = yes" stay in effect even if unix extensions = yes
                                        ## insecure because clients with unix extensions can create symlinks pointing anywhere and read the target through the share
                                        ## with unix extensions = no (below) this directive is not needed
        unix extensions = no            ## if wide links = yes, keep this NO: clients then cannot create symlinks, only the ones you created on the server are followed
        wide links = yes                ## follow symlinks pointing outside the share (to another folder/mount)
                                        ## note: a followed symlink is read with samba_user's rights, so what is reachable is bounded by samba_user's unix permissions, not by the share path
                                        ## to increase security disable wide links and use mount bind/rbind instead
[MyShare]
        path = /mnt/MyShare             ## filesystem owned by samba_user (if mounted as another user, ensure that samba_user has access)
        valid users = samba_user        ## list of users granted access to this share
        read only = no                  ## another way to say "writeable = yes"
                                        ## note: samba's read/write options never override the real unix rights of files/folders; unix permissions have the last word
        guest ok = no                   ## no guest access
        create mask = 0664              ## UNIX permission mask for new files (global value applies if not set)
        directory mask = 0775           ## UNIX permission mask for new directories (global value applies if not set)
## ----------------------------------------------------------
### this setup allows connecting the shared folder as the dedicated samba_user (must exist on the client and must have a password set)
### browsing is allowed from all subfolders and linked sources
### if you need to share "HOME" for some users, you can symlink the corresponding home as a new share (and limit access via smb.conf)
### or you can keep it as a subfolder and manage who sees what via unix permissions only, so no need to touch smb.conf
### each approach has pros/cons ....
```
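The guest, dialect and symlink settings are where the config above is weakest, so here is an added example (my code, not the post author's and not part of Samba or Turris OS) that audits an smb.conf for them. It parses the file, resolves each share's settings against [global], applies Samba's rule that `wide links` is ignored while `unix extensions = yes` unless `allow insecure wide links = yes`, and walks the share to list every symlink that resolves outside it, which is exactly what an effective `wide links = yes` would expose. The two configs are trimmed, constructed copies of the generated smb.conf above and of a hardened variant; the directory tree is rebuilt in a temp dir from the ls listings. The SMB1 finding treats an unset `min protocol` as a problem because Samba before 4.11 then still offers NT1.

```python
"""Added example: audit guest, dialect and symlink settings in an smb.conf."""
import configparser
import os
import tempfile

# Trimmed copy of the post's generated smb.conf (constructed sample input).
WEAK_CONF = """
[global]
guest ok = yes
map to guest = Bad User
max protocol = SMB2
smb encrypt = disabled
unix extensions = no
wide links = yes
allow insecure wide links = yes
[MyShare]
path = /mnt/MyShare
guest ok = no
"""
# The same share with the settings a hardened install would use (constructed).
HARDENED_CONF = """
[global]
guest ok = no
map to guest = Never
min protocol = SMB2
max protocol = SMB3
smb encrypt = desired
wide links = no
[MyShare]
path = /mnt/MyShare
"""
YES = ("yes", "true", "1")

def parse_smb_conf(text):
    """smb.conf is INI-like: case-insensitive keys, '#' or ';' comments."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   inline_comment_prefixes=("#", ";"))
    cp.optionxform = lambda key: " ".join(key.lower().split())
    # strip indentation so configparser never reads a line as a continuation
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    return cp

def setting(cp, share, key, default=None):
    # share-level value, falling back to [global], then to the default
    for section in (share, "global"):
        if cp.has_option(section, key):
            return cp.get(section, key).strip().lower()
    return default

def wide_links_effective(cp, share):
    """Samba ignores wide links while unix extensions are on, unless
    allow insecure wide links = yes re-enables that combination."""
    if setting(cp, share, "wide links", "no") not in YES:
        return False
    return (setting(cp, share, "unix extensions", "yes") not in YES
            or setting(cp, share, "allow insecure wide links", "no") in YES)

def escaping_symlinks(share_root):
    # symlinks under the share whose target resolves outside it
    root = os.path.realpath(share_root)
    found = []
    for dirpath, dirnames, filenames in os.walk(root):  # links not followed
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                target = os.path.realpath(full)
                if os.path.commonpath([root, target]) != root:
                    found.append((os.path.relpath(full, root), target))
    return sorted(found)

def audit_share(cp, share, share_root):
    """Return (code, detail) findings for one share."""
    findings = []
    min_proto = setting(cp, share, "min protocol")
    if min_proto is None or min_proto in {"core", "coreplus", "lanman1", "lanman2", "nt1"}:
        findings.append(("smb1-allowed", "min protocol unset or an SMB1 dialect"))
    map_guest = setting(cp, "global", "map to guest", "never")
    if setting(cp, share, "guest ok", "no") in YES:
        findings.append(("guest-open", f"[{share}] needs no credentials"))
    elif setting(cp, "global", "guest ok", "no") in YES and map_guest != "never":
        findings.append(("guest-open", "global guest ok = yes with map to guest = "
                         f"{map_guest}: unknown users are guests on any share "
                         "that does not set guest ok = no"))
    if setting(cp, share, "smb encrypt", "default") in ("disabled", "off", "no"):
        findings.append(("smb-encrypt-off", "SMB3 encryption refused"))
    if wide_links_effective(cp, share):
        links = escaping_symlinks(share_root)
        if links:
            findings.append(("wide-links-escape", ", ".join(
                f"{name} -> {target}" for name, target in links)))
    return findings

def build_sample_tree(base):
    # constructed copy of the post's /mnt layout inside a temp dir
    share = os.path.join(base, "mnt", "MyShare")
    os.makedirs(os.path.join(share, "Video", "Movies"))
    os.makedirs(os.path.join(base, "mnt", "MyData", "InBound", "TorrentFiles"))
    os.symlink("../MyData/InBound/TorrentFiles", os.path.join(share, "Torrents"))
    os.symlink("Movies", os.path.join(share, "Video", "Latest"))  # stays inside
    return share

def run_audit(conf_text, share="MyShare"):
    with tempfile.TemporaryDirectory() as base:
        return audit_share(parse_smb_conf(conf_text), share, build_sample_tree(base))
```

`run_audit(WEAK_CONF)` reports all four findings and names `Torrents` as the link that leaves the share, while `Video/Latest` is not reported because it stays inside; `run_audit(HARDENED_CONF)` returns no findings. To run it against a real box, point `audit_share` at the generated `/tmp/etc/smb.conf` text and the share's `path` instead of the constructed tree.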
Setup for Samba client on Win10 version 1709

ControlPanel > NetworkAndInternet > NetworkAndSharingCenter > AdvancedSharingSettings:
- ensure that the network adapter used for the connection has the profile set

PRIVATE profile
- NetworkDiscovery: Network Discovery ON
  - Turn on automatic setup of network connected devices
- FileAndPrinterSharing: Turn on file and printer sharing
- HomeGroupConnections: Allow Windows to manage homegroup connections (recommended)
  - As you have TOS as samba server you do not want Windows to manage the homegroup connection, especially if you have a dedicated samba_user defined on TOS.
  - But it seems that the recommended mode has no effect if you want one user or more.
Guest or Public profile (all off/disabled)
All Networks profile (all off/disabled)

ControlPanel > NetworkAndInternet > NetworkAndSharingCenter > HomeGroup
- It is not necessary to join the group if all works fine with TOS set to WORKGROUP
- If you are facing some issues, connect that win-client to your samba group.
- Once you have it working, change WORKGROUP to something else

Firewall
- Check the "private network" profile for open ports
- You should have several rules predefined, just allow them
  - SMB1 >> UDP: 137, 138; TCP: 139, 445
  - SMB2 >> TCP: 445
- Based on the TOS setup of min/max protocol, choose the right set(s)

Workgroup

If you can define your own homegroup name, do not use the default WORKGROUP.
Members of the group have higher rights, non-members have some restrictions.
There might be a situation where you have a legit user from WORKGROUP and a non-legit user from another WORKGROUP.
An invalid user from the workgroup is treated like a guest (that's why it is better to disable guest in general) and actually gets browse permissions.
So such a user will see your share, and I think you do not want a guest (with a Win10 OS in default setup) browsing your shares.


The above guide/notes are for the TOS 3.x branch and Samba 3.x, but the general know-how can be used for newer versions.
Also the “smb.conf” block shows as many options as possible, to show the options and their relations. If you are interested in the real config I am using, let me know and I will post it.

ad_samba_4.x/5.x: to make it work you have to focus on the “min/max protocol” options to elevate to a better dialect. Aside from that, there might be some deprecated options used in the 3.x smb.conf notation, so be precise when using this guide for the 4.x/5.x samba branches.

ad_netbios_name: some users pointed out that after network discovery the server is shown with its IP instead of the netbios name. That depends on which dialect is in use, so in fact with min-protocol=2 it can be omitted.
[image: samba_discovery]
HOLLY is shown automatically and it is a “client”; 192.168.1.1 is shown after “network discovery” and it is the TOS samba server; node42 (actually 192.168.1.1) is shown after directly/manually issuing \\node42 in explorer. If I elevate min/max protocol from SMB2 to SMB3(4) I should be able to use the real hostname instead of the netbios one.

If you are still having any issues, feel free to contact me. I am not a “pro” but I think I can help with the most common issues :)

ad_dialect: SMB1 and SMB2 are old and should be used only when you have some vintage devices in your network (win98, win2k, win7, rpi1-2-3 (raspbian), rasplex). Each dialect has limitations, so if you have win8/10 and/or samba 3/4.x clients in your network, elevate the min/max protocol according to your setup. SMB1/2 do not perform well in comparison with SMB3/4.


After migration from TOS3 to TOS5:

  • delete /etc/config/samba, keep only /etc/config/samba4
  • remove display charset = 'UTF-8' in /etc/config/samba4 and display charset = |CHARSET| in /etc/samba/smb.conf.template
  • keep option charset 'UTF-8' in /etc/config/samba4 and unix charset = |CHARSET| in /etc/samba/smb.conf.template
  • disable “samba”: /etc/init.d/samba disable (very possibly it is already gone, but just to be sure)
  • enable the samba4 service: /etc/init.d/samba4 enable
  • check that you do not have a duplicated config sambashare block (if so, keep just one)

Once migrated to TOS5, there is a fix package (fix-samba-migrate-to-samba4 - 1-1) which should migrate the samba setup to samba4. But in my case I still had to check the config and template.

Samba4 now has more informative messages in syslog (messages), especially about master election. Newly you can disable nmbd (netbios) with option disable_netbios '1'; I am very pleased by that option.
