When creating a user in Samba through Webmin, it will default to no password. You can set a user through Webmin then (plaintext) or use smbpasswd to set one. It will not use the Unix password by default.
You can setup User Synchronization in Webmin to create new Samba users as Unix ones are added, and more.
The smbd program provides file and printer network sharing, and includes the password authentication service for users.
smbd will listen on port 445 for SMB or CIFS protocol traffic. It can also listen on port 139 for NetBIOS traffic.
The configuration file is scanned for changes every three minutes.
You can reload the file manually if you like:
smbcontrol smbd reload-config
smbd -b
nmbd provides NetBIOS name service and browsing. It handles lookup requests from SMB clients. If enabled, it will use UDP to broadcast on the local subnet.
Disabling nmbd will cause OS X to not display the server in Finder's Networking view.
Gentoo by default will run both smbd and nmbd. You only need smbd, and can change the services in /etc/conf.d/samba.
smbd listens on port 445 for CIFS connections, and does not support NetBIOS.
Finder has a large number of bugs related to Samba:
The best way to setup Samba for finder is have a default share that users log into, and / or to allow guests to view the shares.
When connecting to a Samba share, you cannot use the long name “User Account” because Samba is performing the authentication against its own user database. Connect as “user” instead.
You can debug OS X's behavior by opening the Console app in the Utilities folder.
Setting up Samba's configuration can be tricky, so this is a small walkthrough that goes from a basic, empty Samba configuration.
For this setup, I'm using Gentoo Linux and the latest Samba 3.x security release, 3.6.23.
Before starting, there is one thing to keep in mind – Samba's configuration allows for multiple directives that have the same effect. For example, read only = no is the same as writable = yes. In order to have standardization across the board, use testparm to clean up the configuration, and use their terms.
Use testparm to display current configuration, standardized:
testparm -s
For the record: You can display the full configuration directives that Samba is using by running testparm -v. This is helpful to determine what defaults Samba is using in debugging configuration issues. I wouldn't recommend dumping the defaults to a file to help readability or configuration or anything else. Letting Samba fill in the defaults is sufficient.
Okay, to start with, let's do a barebones, completely empty configuration file.
touch /etc/samba/smb.conf
Use testparm to see what it's interpreting it as, and go ahead and update smb.conf to display that as well.
[global]
idmap config * : backend = tdb
For the next step, let's set up guest access. This will allow us to connect to the Samba server while we are testing. Without any network shares configured, however, we will not be able to browse the filesystem. For now, though, we are just looking at establishing a connection.
Samba maps local usernames on the server to Samba user names with the /etc/samba/smbusers file. Here's the default configuration on Gentoo, minus the comments:
root = Administrator admin nobody = guest pcguest smbguest
Users root and nobody already exist on the server. You can verify this by running id nobody on the server.
uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
Next, configure Samba to map users who log in as guests, or users who attempt to access the server with no usernames. The directive is map to guest and the smb.conf man page defines the four options it can be set to: Never, which is the default, Bad User, Bad Password and Bad UID.
The Bad User configuration meets our requirement: “Means user logins with an invalid password are rejected, unless the username does not exist, in which case it is treated as a guest login and mapped into the guest account.”
The wording can seem a bit confusing, so to clarify, if a user tries to log in with a non-existent account on the server, Samba drops the login to a guest account.
This configuration is required to enable guest access using OS X. In my experience, Linux clients work fine without it.
Add the configuration directive to the smb.conf file. Here's what it will look like at this point:
[global]
map to guest = Bad User
idmap config * : backend = tdb
Based on your client, you may or may not be able to connect to the Samba server. Since there are no shares, it may kick you immediately out (OS X does this). Guest access is enabled, though.
Now, let's create a sample share with guest access, so that we can start connecting and verifying access.
For this example, we'll use the system's temporary directory and use that as the first share path:
[tmp]
path = /tmp
Restart Samba, and try connecting with your client.
There's a bug here with OS X and Finder when connecting to the server. Finder will connect to the server and display Connected as: Guest in the header, and the tmp share will display as a directory. However, clicking on the tmp folder will open a dialog window saying The operation can't be completed because the original item for “tmp” can't be found., and Finder will close the window. (OS X Mavericks)
To fix guest access, specifically enable guest access in the share. Add guest ok = Yes, and this is what the new Samba configuration will look like:
[global]
map to guest = Bad User
idmap config * : backend = tdb
[tmp]
path = /tmp
guest ok = Yes
Restart Samba, and re-connect with Finder, and it will successfully connect as guest and display the share now.
Now, the next step is to let the user write to the file share. Update Samba to allow writes to the filesystem using read only directive:
read only = No
Here's the updated smb.conf, again using the formatting and order of testparm output:
[global]
map to guest = Bad User
idmap config * : backend = tdb
[tmp]
path = /tmp
read only = No
guest ok = Yes
Connect as the client, and make some changes to the share. Create a new folder, copy some files in, whatever you feel like, and Samba will save them to the filesystem.
I'm going to use Finder to create a new folder, and use it's default name of untitled folder.
Look at the files or folders created on the filesystem, and you will see that they are created by user nobody – the user that guest access is mapped to on the server.
# stat /tmp/untitled\ folder/ File: ‘/tmp/untitled folder/’ Size: 4096 Blocks: 8 IO Block: 4096 directory Device: 803h/2051d Inode: 62600 Links: 2 Access: (0755/drwxr-xr-x) Uid: (65534/ nobody) Gid: (65534/ nobody) Access: 2014-04-03 21:31:18.699968718 +0000 Modify: 2014-04-03 21:31:18.699968718 +0000 Change: 2014-04-03 21:31:18.699968718 +0000 Birth: -
# Samba configuration
#
# * Guest access for OS X
# * Require NT1 protocol support, allow newer SMB2 support
# * User security level (default)
# * Default to 'images' share
# * and more ..
# See https://nx.beandog.org/doku.php?id=samba
[global]
# Needed to allow Guest access for OS X and connecting to the server
# without needing to connect to an actual share.
map to guest = Bad User
# likewise, have a default share so that when connecting, it can have
# somewhere to go
default service = images
# SMB2 is native to OS X, but there have been reports that it is slow.
# All the reports I've found online were back in late 2013, and since
# Mavericks has had a lot of updates since then (April 2014 at time of
# writing), I'm enabling it.
# http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#SERVERMAXPROTOCOL
# max protocol = SMB2
max protocol = SMB2
# The default minimum protocol is CORE, which is really old. NT1 is
# the same as SMB1.
min protocol = NT1
# Enabling keepalives as a preliminary precaution. Samba docs say that
# it is not necessary *IF* socket options have SO_KEEPALIVE attirbute
# enabled, which it does not.
# The default socket options are "TCP_NODELAY"
# http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#keepalive
# http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#SOCKETOPTIONS
keepalive = 600
log level = 0 auth:3
# Disabling printer support
load printers = no
# Cosmetics
comment = nas
# Possibly relevant if debugging
# http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#DEADTIME
# deadtime = 15
# Disable old NETBIOS support
disable netbios = yes
# Keep a log for each individual
# log file = /var/log/samba/users/log.%m
# Map usernames (for guest accounts)
# This could also be useful for 'forcing' clients / company access as well
username map = /etc/samba/smbusers
[software]
path = /var/nas/images
read only = No
guest ok = Yes
comment = Software for all OSes
[images]
path = /var/samba/images/osx/VirtualBox/
guest only = Yes
guest ok = Yes
comment = OS X VirtualBox Images
[public]
path = /var/samba/public
[private]
path = /var/samba/private
[testing]
path = /var/samba/testing
read only = No
guest ok = No
comment = Testing Samba EA
ea support = yes
force create mode = 0644
force directory mode = 0755