Wiki source code of Samba

Version 1.2 by Sebastian Marsching on 2022/03/27 14:38

{{toc/}}

# Kerberos Authentication

See [[Kerberos|doc:Linux.Kerberos.WebHome]].

# Using Samba in a Windows Environment

This is a preliminary document on how to integrate Samba into a Windows environment. It is designed so that the file shares provided by Samba are not accessed through any other channel: no users can log into the Linux box, and the files are not shared via NFS, AFP, etc. In the configuration examples, my.windows.domain is the Active Directory domain Samba is joined to, MYWINDOWS is the short domain name and MY.WINDOWS.DOMAIN is the corresponding Kerberos realm.

## smb.conf

```ini
[global]
# Enable owning group to change permissions.
# Unfortunately, it is unclear whether this applies to all files or only
# those specifically set to be owned by a group in the Windows ACL editor.
#acl group control = yes
# Map "rwx" to "Full Control" in the Windows ACL editor.
# We do not want this if we are using the extended ACL support, because
# "Full Control" in Windows means more than "rwx" in Linux.
acl map full control = no
# Configure the client to require NTLMv2.
# This might cause problems with older servers, however for security reasons
# it should be activated if possible.
client ntlmv2 auth = yes
# Mark files whose names start with a dot as hidden.
# In Windows, hidden is a separate attribute, thus to be more like Windows,
# we disable this feature. Such files can still be hidden by setting the
# corresponding attribute.
hide dot files = no
# UID and GID ranges winbind uses for mapping ADS users and groups.
# The specific numbers are not really important. However, we have to ensure
# that these ranges do not collide with any local users or groups.
idmap gid = 10000 - 20000
idmap uid = 10000 - 20000
# Copy the ACLs from parent directories to newly created sub-directories.
# This option also uses 0777 permissions for newly created directories, to
# ensure that the ACLs are effective. When using the advanced ACL support
# (using xattr), this option probably should not be activated, because for
# Windows ACLs, the specific ACLs determine which ACLs should be applied to
# newly created sub-directories.
#inherit acls = yes
# Enable kernel oplocks.
# We want to disable this option, because it will automatically set
# level2 oplocks = no. However, if file access is only performed through
# SMB, it is safe to let Samba handle the locking and thus profit from
# level 2 oplocks.
kernel oplocks = no
# Allow nmbd to become a local master browser on the subnet.
# If working in a Windows environment, we want to disable this, because
# the Active Directory domain controllers should act as master browsers.
local master = no
# Path to the log file.
# We just copied that from the default configuration for Ubuntu.
log file = /var/log/samba/log.%m
# Store the Windows ACL inherit flag in an extended attribute.
# We want to enable this in order to have full Windows ACL support.
map acl inherit = yes
# Map the Windows archive flag to a permission bit.
# We want to deactivate this feature, because we are using xattr for this.
map archive = no
# Map the Windows hidden flag to a permission bit.
# Same as for map archive.
map hidden = no
# Map the Windows read-only flag to inverse write permission bits.
# Same as for map archive.
map read only = no
# Map the Windows system file flag to a permission bit.
# Same as for map archive.
map system = no
# Require a minimum SMB protocol version.
# As we do not support old auth mechanisms for security reasons,
# we can also deactivate support for old protocol versions altogether.
min protocol = NT1
# Active Directory domain.
# This should be set to the FQDN of the Active Directory domain, and - at the
# same time - is used as the Kerberos realm.
realm = my.windows.domain
# Kill old sessions when a request for a new session is received from the same IP.
# By activating this option, we ensure that all locks associated with an old
# session will be released when a new session is established. However, this
# has undesirable effects if multiple clients share the same IP address
# (e.g. because NAT is in use). In the LAN it is usually safe to
# assume that every client will contact the server with its own IP address.
reset on zero vc = yes
# Control the level of anonymous access.
# We want to set this to the most restrictive value (do not accept any
# anonymous connections) for security considerations.
restrict anonymous = 2
# Security mode.
# For Active Directory integration, we set this to "ads".
security = ads
# Configure signing support in the SMB server.
# We want to use signing with clients which support it, but still allow
# old clients not supporting it to connect. For enhanced security, it should be
# set to "mandatory".
server signing = auto
# Descriptive server name.
# If this option is empty, Windows clients will just display the hostname,
# which is okay for most purposes.
server string =
# Store Windows attributes (hidden, archive, system, read-only) using xattr.
# We want to activate this option, because it is much better than the old
# options, which tried to map these attributes to permissions.
store dos attributes = yes
# Enforce locks.
# By default, this option is set to auto, which means Samba will only
# check for locks in files which are not oplocked by the client. For
# oplocked files, it will omit these checks for performance reasons.
# However, if you do not want to rely on a correct client implementation,
# you should set this option to "yes".
#strict locking = yes
# Do a sync to disk each time it is requested by a client.
# By default, Samba does not perform a sync on a file when it is requested
# to do so, because there are a lot of badly written clients which request
# a sync when they really just want to flush the buffer. Therefore, doing
# a sync each time it is requested will slow down SMB access considerably.
# The problem with this option is that - if no sync is performed - and the
# Linux system Samba is running on crashes before the data has been written
# to the disk, the data is lost. This is very bad if a client relied on the data
# having been written to disk because it sent the sync request (e.g. it could
# corrupt database files stored on an SMB share).
# Therefore, if we want to be really safe, we have to enable this option.
strict sync = yes
# Control which messages are written to syslog.
# We set this to 0, so that messages will only be written to the Samba
# logfiles. We copied that from the default configuration for Ubuntu.
syslog = 0
# Configure the homedir set for users added by winbind.
# As we do not allow login of Windows users except through Samba, this
# option does not really matter. However, it is still nice to have this
# set to something sensible.
template homedir = /home/winbind/%D/%U
# Configure the shell set for users added by winbind.
# Users added by winbind should not be able to log into the Linux machine,
# thus we set the shell to "/bin/false".
template shell = /bin/false
# Enable the CIFS UNIX extensions.
# This option enables features interesting for UNIX clients, like support
# for symlinks, etc. However, it might be problematic if the UNIX permissions
# are supplied in a way that is not consistent with the permissions Windows
# clients see with the extended ACL support. By default, the UNIX extensions
# are enabled.
#unix extensions = no
# Use the sendfile() system call under specific circumstances.
# If this option is enabled, Samba can speed things up by using a special
# system call to send data from files which are oplocked. However, we
# should be sure about the implications this option has before enabling it,
# as it is disabled by default.
#use sendfile = yes
# Configure VFS modules which should be enabled.
# We want to add the "acl_xattr" module, which brings full support for
# Windows ACLs to Samba. The ACLs which cannot be mapped to POSIX ACLs are
# stored in an extended file attribute.
# We also might want to enable one of streams_depot and streams_xattr.
# These modules enable the use of alternate data streams, a feature of NTFS
# which allows saving different, independent data streams for a single file.
# The streams_xattr module is easier to use, because it just saves the
# alternate data streams in extended attributes. However, this might not
# work for large data streams, because xattr is not designed to keep huge
# amounts of data. In this case, streams_depot might be preferred, which
# stores the alternate data streams in separate files in a directory
# configured using the streams_depot:directory option.
vfs objects = acl_xattr streams_xattr
# Enable user / group enumeration for winbind.
# These options should not be activated if a large number of users or groups
# exist in Active Directory, because they will cause performance issues.
winbind enum groups = yes
winbind enum users = yes
# Set the number of levels to resolve for nested groups.
# In contrast to UNIX, in Windows groups can be members of groups. In order
# to map these kinds of groups to UNIX groups, winbind has to resolve them
# to the actual users being part of the group. This option sets the maximum
# number of steps winbind will use to resolve groups. Setting this
# number too large will cause bad performance. However, setting it too low
# will cause groups nested in multiple levels not to be resolved correctly.
winbind expand groups = 2
# List of WINS servers.
# This option should be set to refer to the WINS servers run for the Active
# Directory. Most likely, the domain controllers will also act as WINS
# servers.
wins server = 192.168.0.32 192.168.0.36
# Workgroup / domain name.
# This should be set to the short name of the Active Directory domain
# (the same you see as a prefix to full usernames, preceding the backslash).
workgroup = MYWINDOWS

# Directory for the streams_depot VFS module.
# If the streams_depot module is activated in the vfs objects option,
# you have to configure the directory which stores the files with the
# alternate data streams.
#streams_depot:directory = /home/samba/.streams_depot

# This is a sample share configuration, which might be used to store
# roaming profiles.
[Profile]
# Configure the offline caching policy.
# For a share storing roaming profiles, you have to disable this explicitly,
# otherwise you might experience data loss for the profiles.
# Believe me, I learned the hard way. :-)
csc policy = disable
# Path to the directory that is shared.
path = /home/samba/Profile
# Users which might connect to this share.
# Use a plus sign followed by a group name to allow access for all members
# of a group. File permissions are still checked, thus a user who does not
# have permission to access a specific file or directory will still be
# denied access.
valid users = "+MYWINDOWS\Domain Users"
# Enable write access.
# By default, only read access is allowed.
writeable = yes
```

## Setup

Aside from adjusting the Samba configuration file, a few more steps must be taken care of:

1. Kerberos support has to be installed and the default Kerberos realm should be set to match the ADS realm. Usually, the Kerberos realm is the ADS domain name in capital letters (e.g. MY.WINDOWS.DOMAIN).
1. The Linux box has to be joined to the ADS domain: `net ads join -U Administrator`
1. `/etc/nsswitch.conf` has to be changed to include the `winbind` service for user and group resolution.

# smbclient timeout for IPv6 enabled servers

When using smbclient with Windows Server 2012 R2, I came across a funny problem. If the Windows server has both an IPv4 and an IPv6 address registered in DNS, `smbclient -L` connects to this server successfully, but then gets stuck for a very long time. After enabling debugging, it becomes clear that the first connection on port 445 is successful, but later `smbclient` tries to connect to port 139. This is the port used for NetBIOS, and NetBIOS over IPv6 clearly is not supported by the Windows server. This actually makes sense, because NetBIOS should only be used by old clients which certainly do not support IPv6.

Unfortunately, working around this issue is not that simple: For quite some time, using the `-I` option with smbclient and explicitly specifying the IPv4 address of the server worked, but with recent versions of `smbclient` that results in an `NT_STATUS_LOGON_FAILURE` error. Setting `disable netbios = yes` in `smb.conf` unfortunately does not help either.

The only solution I found was blocking outgoing connections to TCP port 139 over IPv6 using `ip6tables`:

```bash
ip6tables -A OUTPUT -p tcp --destination-port 139 -j REJECT
```

With this workaround, `smbclient` will still report an error (after first connecting successfully), but at least it will report this error quickly instead of waiting for a long time.

## Fixing the smbclient syslog warning

If the `syslog` option is present in `smb.conf`, recent versions of `smbclient` will issue the following warning:

```
WARNING: The "syslog" option is deprecated
```

Unfortunately, the default configuration in Ubuntu 14.04 LTS still uses this option. This can easily be fixed by removing the `syslog` and `syslog only` options and adding the following option instead:

```ini
logging = syslog@0 file
```