Install and Configure Samba Server on Debian Wheezy

We’ll install and configure Samba v3 server on a Debian Wheezy. Share access will be provided to Local Area Network (LAN) only. Connection from Windows and Linux clients will be covered. 

Revision history (dd/mm/yy):

14/11/2014 – added notes for libpam-smbpass and Unix password database to SMB password database sync.

Software

Software used in this article:

  1. Debian Wheezy
  2. Samba 3.6.6

Before We Begin

Samba server’s info:

  1. Hostname: apps-vm.
  2. IP: 10.10.1.17.
  3. LAN: 10.10.1.0/24.

Two browsable Samba shares will be setup:

  1. Public – the public share available for reading and writing for anyone on the LAN.
  2. Users – the users share available for reading and writing for valid users in the smb group on the LAN.

Samba clients will be Windows 7 and Debian Linux machines.

Samba Installation

Install Samba server:

# apt-get update && apt-get install samba samba-common-bin libpam-smbpass

The libpam-smbpass package is needed for Unix to SMB password sync.

Linux Users

Create an “smb” called Linux system group (use -g to specify your own group ID):

# groupadd -r smb

Find out the smb group’s ID:

# grep smb /etc/group
smb:x:997:

Add a new Linux system user, win7, with the smb group (997) as the initial user’s login group, but do not create a home directory:

# useradd -r -M -g 997 -s /bin/false win7

Create a password:

# passwd win7
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully

Samba Users

Now, there are (at least) two ways to add a new Samba user to the Samba database. You can sync Linux password database to the SMB password database, or you can add Samba users manually.

If you have a sync configured, then (as it turns out) you have to log into a user in order for it to be added to the Samba database.

If we list all Samba users accounts present in the database, we should get an empty list:

# pdbedit -Lw

Now, if we log into the win7 user, it should be added (synced) to the Samba database:

$ su win7
Password: 
Added user win7.

If we list all Samba users accounts present in the database in the “smbpasswd” listing format (output truncated), we should see the win7 account:

# pdbedit -Lw
win7:997:XXXXXXXX:0A640404B5C486AA12092587FE19FG02:[U  ]:LCT-53DFD128:

To create Samba users manually and add them to the local smbpasswd database, we can run the smbpasswd command:

# smbpasswd -a win7
New SMB password:
Retype new SMB password:
Added user win7.

Database of Samba users can be found under /var/lib/samba/.

# file /var/lib/samba/passdb.tdb
/var/lib/samba/passdb.tdb: TDB database version 6, little-endian hash size 131 bytes

When in need, we can remove Samba users from the database by typing:

# smbpasswd -x win7

This, however, does not prevent the win7 account from being re-added (synced) to the Samba database if the user logs into his account.

Samba Storage

Samba root:

# ls -ld /data/samba/
drwxr-xr-x 4 root root 4096 Aug  8 19:17 /data/samba

Samba shares, for public access and for authenticated users:

# ls -l /data/samba/
total 8
4 drwxrwxr-x 3 nobody nogroup 4096 Aug  8 19:18 public
4 drwxrwxr-x 2 root   smb     4096 Aug  8 19:20 users

Samba Configuration

#------------------------------------------------------------ 
# This is: /etc/samba/smb.conf
# Configuration file for the Samba suite for Debian GNU/Linux
#------------------------------------------------------------ 

[global]
#------------------------------------------------------------ 
# This section contains the global server settings and the
# defaults that will be used for the parameters of the other
# sections if they are not specifically assigned other values 
# in those other sections.
#
# Samba joins the WORKGROUP workgroup
#------------------------------------------------------------ 
workgroup = WORKGROUP

# Describe the server to the clients by using a hostname
#------------------------------------------------------------
server string = %h server

# Only allow connections from machines on our LAN
#------------------------------------------------------------ 
hosts allow = 127.0.0.0/8 10.10.1.0/24

# Prevent nmbd to search for NetBIOS names through DNS
#------------------------------------------------------------ 
dns proxy = no

# Use a separate log file for each machine that connects
#------------------------------------------------------------ 
log file = /var/log/samba/log.%m

# Individual log files size (in KiB)
#------------------------------------------------------------ 
max log size = 1000

# Log a minimum amount of information to syslog
#------------------------------------------------------------ 
syslog = 0

# Mail the admin a backtrace when Samba crashes
#------------------------------------------------------------ 
panic action = /usr/share/samba/panic-action %d

# Using "User Level Security"
#------------------------------------------------------------ 
security = user
#username map = /etc/samba/users.txt

# Use password encryption
#------------------------------------------------------------ 
encrypt passwords = true

# Tell Samba what encrypted password database to use  
#------------------------------------------------------------ 
passdb backend = tdbsam

# Sync the Unix password with the SMB password when the 
# encrypted SMB password in the passdb is changed. 
# The libpam-smbpass package is required for the sync to work
#------------------------------------------------------------ 
unix password sync = yes

# For Unix password sync to work on a Debian Linux system,
# the "passwd program" must be set
#------------------------------------------------------------ 
passwd program = /usr/bin/passwd %u

# Do not use PAM for password changes when requested by an 
# SMB client instead of the program listed in "passwd 
# program".
#
# When "pam password change" is set, it uses PAM rather than 
# "passwd program" to do the change. This is easier to debug,
# and gives back sensible error returns.  
#
# However, PAM does not have a changepass(user, newpass) 
# interface, you have to respond to a series of prompt in the 
# same way a user would. This is what the "passwd chat" is 
# about
#------------------------------------------------------------ 
pam password change = no
#passwd chat = ""

# Unsuccessful authentication attempts are mapped to 
# anonymous connections
#------------------------------------------------------------ 
map to guest = bad user

#=================== Printers Definitions ===================
#
# Do not automatically load printer list
#------------------------------------------------------------ 
load printers = no

# lpr(ng) printing, to avoid filling log files
#------------------------------------------------------------ 
printing = bsd
printcap name = /dev/null

#==================== Share Definitions =====================

[public]
#------------------------------------------------------------ 
# This section defines the public share available for reading
# and writing for anyone on our LAN
#------------------------------------------------------------ 
comment = Public Storage on %L
path = /data/samba/public/

# Show the public share when browsing
#------------------------------------------------------------ 
browsable = yes

# Allow everyone to write in this directory
#------------------------------------------------------------ 
writeable = yes
read only = no

# Restrict access to guests only
#------------------------------------------------------------ 
guest ok = yes
guest only = yes

# Create files with group=rw permissions
#------------------------------------------------------------
force create mode = 0775
force directory mode = 0775

[users]
#------------------------------------------------------------ 
# This section defines the users share available for reading
# and writing for valid users in @smb group on our LAN
#------------------------------------------------------------ 
comment = Users Storage on %L
path = /data/samba/users/

# Show the public share when browsing
#------------------------------------------------------------ 
browsable = yes

# Allow users to write in this directory
#------------------------------------------------------------ 
writeable = yes
read only = no

# Restrict access to valid users in an smb group
#------------------------------------------------------------ 
valid users = @smb
guest ok = no

# Create files with group=rw permissions
#------------------------------------------------------------
force create mode = 0775
force directory mode = 0775

Testing Samba Configuration

# testparm -s
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[public]"
Processing section "[users]"
Loaded services file OK.
Server role: ROLE_STANDALONE
[global]
	server string = %h server
	map to guest = Bad User
	passwd program = /usr/bin/passwd %u
	unix password sync = Yes
	syslog = 0
	log file = /var/log/samba/log.%m
	max log size = 1000
	load printers = No
	printcap name = /dev/null
	dns proxy = No
	panic action = /usr/share/samba/panic-action %d
	idmap config * : backend = tdb
	hosts allow = 127.0.0.0/8, 10.10.1.0/24
	printing = bsd
	print command = lpr -r -P'%p' %s
	lpq command = lpq -P'%p'
	lprm command = lprm -P'%p' %j

[public]
	comment = Public Storage on %L
	path = /data/samba/public/
	read only = No
	force create mode = 0775
	force directory mode = 0775
	guest only = Yes
	guest ok = Yes

[users]
	comment = Users Storage on %L
	path = /data/samba/users/
	valid users = @smb
	read only = No
	force create mode = 0775
	force directory mode = 0775

Restart Samba Service

# service samba restart

Verify server’s name:

# net server name -U guest%whatever
Server name = APPS-VM

List shares available:

# net share list -U guest%whatever
public
users
IPC$

List Samba users:

# net rpc user -U guest%whatever
win7

Connecting From Windows 7 Client

Let us check the Samba server status before initiating a connection:

$ smbstatus
Samba version 3.6.6
PID     Username      Group         Machine                        
-------------------------------------------------------------------

Service      pid     machine       Connected at
-------------------------------------------------------

No locked files

We see that no users are connected at the moment. Connect to the users share from a Windows 7 machine. It should prompt for a username and password.

Let’s check the Samba server status again:

$ smbstatus

Samba version 3.6.6
PID     Username      Group         Machine                        
-------------------------------------------------------------------
2659      win7          smb           win7station  (10.10.1.108)

Service      pid     machine       Connected at
-------------------------------------------------------
users        2659   win7station   Fri Aug  8 21:20:03 2014

No locked files

We now see that the win7 user is connected to the users share from the win7station machine.

Connecting from Debian Linux Client

An smbclient is needed for a Linux client:

# apt-get install --no-install-recommends smbclient

Let’s take a look at what services are available on the Samba server:

$ smbclient -L 10.10.1.17 -N
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.6]

	Sharename       Type      Comment
	---------       ----      -------
	IPC$            IPC       IPC Service (apps-vm server)
	users           Disk      Users Storage on apps-vm
	public          Disk      Public Storage on apps-vm
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.6]

	Server               Comment
	---------            -------
	APPS-VM              apps-vm server

	Workgroup            Master
	---------            -------
	WORKGROUP            APPS-VM

Access to the Public Share

Access the public share with a guest account with no password:

$ smbclient -U Guest -N //10.10.1.17/public
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.6]
smb: \> pwd
Current directory is \\10.10.1.17\public\
smb: \> exit

Access to the Users Share

Let’s do the same for the users share:

$ smbclient -U Guest -N //10.10.1.17/users
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.6]
tree connect failed: NT_STATUS_ACCESS_DENIED
IN_YOUR_FACE!

Access is denied, good. How about if we provide the win7 user’s credentials:

$ smbclient -U win7 //10.10.1.17/users
Enter win7's password: 
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.6]
smb: \> pwd
Current directory is \\10.10.1.17\users\
smb: \> exit

Access granted.

Mount Public Samba Share on Debian Linux Client

The smbfs filesystem is a mountable SMB filesystem for Linux. On Debian 7, smbfs package has been replaced with cifs-utils:

# apt-cache show cifs-utils | grep Replaces
Replaces: smbfs (<< 2:4.0~rc1-1)

Install cifs-utils if intended to use the mount.cifs tool for mounting the Common Internet File System.

# apt-get install --no-install-recommends cifs-utils

Create mountpoints for Samba share folders:

# mkdir -p /mnt/smb/public /mnt/smb/users

Mount the public Samba share by using a guest account with no password:

# mount -t cifs //10.10.1.17/public /mnt/smb/public -o rw,username=guest,password=

Check:

# df -hT | egrep "File|smb"
Filesystem          Type  Size  Used Avail Use% Mounted on
//10.10.1.17/public cifs  384G  4.7G  360G   2% /mnt/smb/public
# mount -l | grep smb
//10.10.1.17/public on /mnt/smb/public type cifs (rw,relatime,sec=ntlm,unc=\\10.10.1.17\public,username=guest,uid=0,noforceuid,gid=0,noforcegid,addr=10.10.1.17,unix,posixpaths,serverino,acl,rsize=1048576,wsize=65536,actimeo=1)

Mount the users Samba share by using the win7 credentials:

# mount -t cifs //10.10.1.17/users /mnt/smb/users -o rw,username=win7
Password:

Check:

# df -hT | egrep "File|smb"
Filesystem          Type  Size  Used Avail Use% Mounted on
//10.10.1.17/users  cifs  384G  4.7G  360G   2% /mnt/smb/users

Configure Iptables on Samba Server

Find out which ports Samba server is listening on:

# netstat -nltup | grep mbd
tcp    0   0 0.0.0.0:139         0.0.0.0:*     LISTEN      30417/smbd      
tcp    0   0 0.0.0.0:445         0.0.0.0:*     LISTEN      30417/smbd      
tcp6   0   0 :::139              :::*          LISTEN      30417/smbd      
tcp6   0   0 :::445              :::*          LISTEN      30417/smbd      
udp    0   0 10.10.1.255:137     0.0.0.0:*                 30414/nmbd      
udp    0   0 10.10.1.17:137      0.0.0.0:*                 30414/nmbd      
udp    0   0 0.0.0.0:137         0.0.0.0:*                 30414/nmbd      
udp    0   0 10.10.1.255:138     0.0.0.0:*                 30414/nmbd      
udp    0   0 10.10.1.17:138      0.0.0.0:*                 30414/nmbd      
udp    0   0 0.0.0.0:138         0.0.0.0:*                 30414/nmbd

As can be seen above, Samba uses both the UDP and TCP protocols. TCP is used for file and printer sharing on port 139. UDP is used for the registration and translation of NetBIOS names, and for browsing the network. Port 137 is used for name service requests and responses. Port 138 is used for datagram services to transmit small amounts of data, such as server announcements.

Open the ports above for LAN only:

# iptables -A INPUT -s 10.10.1.0/24 -p tcp -m multiport --dport 139,445 -j ACCEPT
# iptables -A INPUT -s 10.10.1.0/24 -p udp -m multiport --dport 137,138 -j ACCEPT

2 thoughts on “Install and Configure Samba Server on Debian Wheezy

  1. Hi,

    I would like to add something to your tutorial (it could even be a good idea to put it in the debian wiki)… We should precise that libpam-smb is responsible to sync at each startup the unix db password and the smb db password), so the user has to uninstalled it if he doesn’t want to sync at all.
    we should precise also that he should of course put no at the unix password sync but also change the program launch for the password by smbpasswd.

    • Thanks very much, I’ve updated the article. It seems, at least on Debian Wheezy, that libpam-smbpass does not sync Unix password database to the SMB password database until I log into a user’s account.

Leave a Reply

Your email address will not be published. Required fields are marked *