# Samba config help?



## CelticWhisper (Dec 5, 2015)

I am trying to configure Samba shares on a headless FreeBSD 10.2 box and having a tremendous amount of difficulty getting them working the way I want.

I have two shares right now, Veeam (for my Veeam Endpoint Backup jobs on Windows clients) and sladd, a user share.  Veeam seems to work fine as best I can tell, but getting the user share working so that it is accessible, browseable, readable and writable without the need to manually type a password, but not accessible to any other user, has me stumped.

I've tried changing security from "user" to "share" and back again, but that did not change anything.
I've tried as many combinations as I can think of for valid users, read/write users, just-plain-"user", chown(8), chmod(1), etc.  If there's a "Goldilocks combination" of permissions, I haven't hit on it yet.

"sladd" is already a user on the BSD side.  I have run `smbpasswd -a sladd` and made sure that the UNIX account password, Samba account password, and Windows client account password are all the same.

One of two things happens: The user can connect to the share but it is not writable, or the user is prompted for a username and password by Windows Explorer and no matter what they type, nothing works.

My smb4.conf is below.

I am pulling my hair out over this - it is extremely frustrating and makes me want to just quit.  Please help.  Thank you in advance.


```
[global]
  os level = 20
  inherit acls = no
  unix extensions = no
  nt acl support = yes
  netbios aliases = Piata
  security = user
  case sensitive = yes
  netbios name = Piata
  encrypt passwords = yes
  workgroup = WORKGROUP
  map acl inherit = yes


[homedirs]
  path = /nas
  comment = Home Directories
  vfs objects = zfsacl
  nfs4:mode = special
  nfs4:acedup = merge
  nfs4:chown = yes
  available = yes
  browseable = yes
  read only = no
  public = no
  guest ok = no
  writable = yes

[Backup]
  writeable = yes
  write list = veeam,@backup
  path = /nas/Veeam/BackupTarget
  user = veeam,@backup
  comment = Directory for Veeam Endpoint Backup on Windows
  valid users = veeam,@backup



[sladd]
  writeable = yes
  browseable = yes
  valid users = sladd
  path = /nas/sladd
  write list = sladd
```


----------



## CelticWhisper (Dec 5, 2015)

It seems I can make it writable over SMB if I `chmod` the /nas/sladd directory to 777.  However, owner and group are both "sladd" and 755 does not work.  Looks like the Windows client isn't authenticating as the samba "sladd" user for whatever reason.  So yeah, still need help.  Thanks again.


----------



## von_Gaden (Dec 6, 2015)

Here is the simpliest config for server authentication:

```
[global]
  netbios name = SRVNAME
  server string = "Server comment"
  workgroup = WG
  interfaces = localhost, re0, tun*
  bind interfaces only = Yes
  disable spoolss = Yes
  preferred master = Yes
```
Note that you should create users in Samba with `smbpasswd`
You can dump your Samba users database by `pdbedit -Lv`
Samba users usually may (and in most cases SHOULD) not have valid shell or unix password.

In much more complicated cases updating to net/samba42 I had troubles with

```
nfs4:mode = special # Use OWNER@ and GROUP@ special IDs
nfs4:acedup = merge # Merge duplicate ACEs
nfs4:chown = yes # Enable changing owner and group
```
That was on AD Domain member and I couldn't set ACLs (permissions) with "Access denied" errors. The solution was to comment out these.
If you don't need ACLs I think `zfsacl` module is not needed. On home directories you may set the user as owner and wheel as group, with mode 770 - as simple as possible. In this case I think you'd better add to the share definition:

```
nt acl support = yes
  map acl inherit = yes
  read only = No

  directory mask = 0770
  force directory mode = 0550
  create mask = 0660
  force create mode = 0440
```
I conclusion: you will find a bunch of mixture between Samba 3 and Samba 4 configuration examples. Note that Samba documentation is not perfectly structured and frequently updated as FreeBSD's.


----------



## CelticWhisper (Dec 6, 2015)

Thanks for this - going to try some of these.  A few notes from what I'm reading:

I'm running Samba 4.1.18, haven't had 3 on this system at all.  Not sure if that mitigates any problems upgrading from 3 that these steps would address.
The share is on a ZFS RAIDZ2, haven't done anything with permissions/ACLs other than messing with chmod(1)/chown(8) on the directory I'm trying to share.
The Samba user (sladd) does currently have a shell login.  If I remove the user on the UNIX side, do I need to do anything else on the Samba side?  Remove (with `pdbedit -x -u`) and recreate?  Just leave it alone?
No AD domain at play here - it's on a home LAN and used mostly as a backup target.
With regard to home directories, how do you mean to set the user as owner?  Wheel as group makes sesne, but if the samba user has no corresponding UNIX shell account, wouldn't chown(8) return an error if I tried to set the Samba user as the owner?  I'm probably just missing something here.


----------



## von_Gaden (Dec 6, 2015)

No shell account doesn't mean no accound and UID/GID.
Example:

```
pw useradd SAMBAUSER -G samba -s /sbin/nologin -d /nas/sambauser -c 'Users account'
smbpasswd -a SAMBAUSER
chown -R sambauser:wheel /nas/sambauser
chmod -R 770 /nas/sambauser
```
Assuming that you have group "samba" equivalent to "users" in windows OSes.
This way the user can't login via shell to FreeBSD but he/she can login using Samba.

I mentioned Samba 3 /4 mixture in the documentation and examples, not thinking that you upgrade. As Samba docs say Samba 4.2 has all the code from Samba 3. I think this is the code for simple stand-alone servers you really need. I'm not sure how Samba 4.1 works without AD membership. I'd say it's better for you to use Samba 4.2 or even 4.3.


----------



## CelticWhisper (Dec 6, 2015)

I can try that.  Is it as simple as updating via pkg(8)?  Config files etc are all in the same place?


----------



## CelticWhisper (Dec 7, 2015)

OK, I added the NT ACL and mask info to my share definition, and I `chown -R`'ed the /nas/sladd directory to sladd:wheel.  I also `chmod -R 770`'d the directory.

Currently, the sladd user is not able to open the sladd directory in Explorer.

Here is my Samba users database:

```
root@Piata:/usr/local/etc # pdbedit -Lv
---------------
Unix username:  _tss
NT username:
Account Flags:  [U  ]
User SID:  S-1-5-21-339215320-84371642-4129284817-1002
Primary Group SID:  S-1-5-21-339215320-84371642-4129284817-513
Full Name:  TrouSerS user
Home Directory:  \\piata\_tss
HomeDir Drive:
Logon Script:
Profile Path:  \\piata\_tss\profile
Domain:  PIATA
Account desc:
Workstations:
Munged dial:
Logon time:  0
Logoff time:  never
Kickoff time:  never
Password last set:  Wed, 02 Dec 2015 10:03:30 CST
Password can change:  Wed, 02 Dec 2015 10:03:30 CST
Password must change: never
Last bad password  : 0
Bad password count  : 0
Logon hours  : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
---------------
Unix username:  sladd
NT username:
Account Flags:  [UX  ]
User SID:  S-1-5-21-339215320-84371642-4129284817-1004
Primary Group SID:  S-1-5-21-339215320-84371642-4129284817-513
Full Name: 
Home Directory:  \\piata\sladd
HomeDir Drive:
Logon Script:
Profile Path:  \\piata\sladd\profile
Domain:  PIATA
Account desc:
Workstations:
Munged dial:
Logon time:  0
Logoff time:  never
Kickoff time:  never
Password last set:  Sat, 05 Dec 2015 23:34:20 CST
Password can change:  Sat, 05 Dec 2015 23:34:20 CST
Password must change: never
Last bad password  : 0
Bad password count  : 0
Logon hours  : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
---------------
Unix username:  hast
NT username:
Account Flags:  [U  ]
User SID:  S-1-5-21-339215320-84371642-4129284817-1001
Primary Group SID:  S-1-5-21-339215320-84371642-4129284817-513
Full Name:  HAST unprivileged user
Home Directory:  \\piata\hast
HomeDir Drive:
Logon Script:
Profile Path:  \\piata\hast\profile
Domain:  PIATA
Account desc:
Workstations:
Munged dial:
Logon time:  0
Logoff time:  never
Kickoff time:  never
Password last set:  Wed, 02 Dec 2015 10:03:25 CST
Password can change:  Wed, 02 Dec 2015 10:03:25 CST
Password must change: never
Last bad password  : 0
Bad password count  : 0
Logon hours  : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
---------------
Unix username:  veeam
NT username:
Account Flags:  [UX  ]
User SID:  S-1-5-21-339215320-84371642-4129284817-1003
Primary Group SID:  S-1-5-21-339215320-84371642-4129284817-513
Full Name:  Veeam Endpoint Backup User
Home Directory:  \\piata\veeam
HomeDir Drive:
Logon Script:
Profile Path:  \\piata\veeam\profile
Domain:  PIATA
Account desc:
Workstations:
Munged dial:
Logon time:  0
Logoff time:  never
Kickoff time:  never
Password last set:  Wed, 02 Dec 2015 10:05:08 CST
Password can change:  Wed, 02 Dec 2015 10:05:08 CST
Password must change: never
Last bad password  : 0
Bad password count  : 0
Logon hours  : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
root@Piata:/usr/local/etc #
```

...and here is my current smb4.conf file:


```
[global]
  os level = 20
  inherit acls = no
  unix extensions = no
  nt acl support = yes
  netbios aliases = Piata
  security = user
  case sensitive = yes
  netbios name = Piata
  encrypt passwords = yes
  workgroup = WORKGROUP
  map acl inherit = yes


[homedirs]
  path = /nas
  comment = Home Directories
  vfs objects = zfsacl
  nfs4:mode = special
  nfs4:acedup = merge
  nfs4:chown = yes
  available = yes
  browseable = yes
  read only = no
  public = no
  guest ok = no
  writable = yes

[Backup]
  writeable = yes
  write list = veeam,@backup
  path = /nas/Veeam/BackupTarget
  user = veeam,@backup
  comment = Directory for Veeam Endpoint Backup on Windows
  valid users = veeam,@backup



[sladd]
  nt acl support = yes
  map acl inherit = yes
  read only = no
  writeable = yes
  browseable = yes
  path = /nas/sladd
  user = sladd
  write list = sladd
  directory mask = 0770
  force directory mode = 0550
  create mask = 0660
  force create mode = 0440
  public = no
  guest ok = no
```


----------



## CelticWhisper (Dec 7, 2015)

I have updated to net/samba42.  Still struggling, but wanted to make sure you knew.


----------



## von_Gaden (Dec 7, 2015)

Let's look at the log files. Add these to `[global]` section of /usr/local/etc/smb4.conf:

```
log level = 3
  log file = /var/log/samba4/log.%m
  max log size = 500
```

and post the /var/log/samba4/log.<IP_ADDR_OR_NAME> errors for the computer you are trying to connect from.

Do you really need the `os level`?


----------



## von_Gaden (Dec 7, 2015)

I just built a test environment with net/samba43 (compiled, there is no binary package yet) on FreeBSD AMD64 with ZFS on /var/smb
Here is /usr/local/etc/smb4.conf:

```
[global]
  netbios name = SERVER
  workgroup = WG
  server string = "Server"
  hosts allow = 10.11. 127.0.0.1
  interfaces = localhost, re0, tun*
  bind interfaces only = Yes
#no shared printers
  disable spoolss = Yes
  local master = Yes
#to ensure that clients over routed network access our server I use WINS. We have no DNS with SRV records without AD domain.
  wins support = yes
#no guest allowed
  usershare allow guests = No

[share]
  comment = Sared Data
  nt acl support = yes
  path = /var/smb/share
#I'm not sure these are necessary but the Force is strong with my habits.
  read only = No
  guest ok = No
```
We have an existing UNIX user testusr:

```
Login: testusr  Name: User testusr
Directory: /usr/home/testusr  Shell: /sbin/nologin
Mail last read Mon May 28 23:15 2012 (EEST)
No Plan.
```
so we register it with Samba:

```
smbclient -a testusr
```
then we prepare the directory for sharing:

```
mkdir /var/smb/share
chown -R testusr:wheel /var/smb/share
chmod -R 770 /var/smb/share
```
To allow Samba startup we put in /etc/rc.conf:

```
samba_server_enable="YES"
```
and then
`# /usr/local/etc/rc.d/samba_server start`

In fact this is my first real Samba 4.x stand-alone server but it works as expected - I tested it. The code from Samba 3 is successfully merged in this version.
This is the simplest config, but if you get it to work you'll be able to upgrade it with more sophisticated functionality for your needs.

I think you may have problems with all the files form older Samba versions in /var/db/samba4. You'd better delete everything in this directory EXCEPT /var/db/samba4/private - this is not auto-created and Samba refuses to start without it. But you should empty this directory too.


----------



## CelticWhisper (Dec 8, 2015)

Turning in for the night, but wanted to say thanks for the continued support and I will try the test config tomorrow, along with ripping out the OS level.  I did the initial configuration with Webmin, so that might be why some of these additional properties are defined.  Will keep you posted.


----------



## CelticWhisper (Dec 8, 2015)

Okay, here are the logs.  I see two entries for the PC from which I'm connecting - one by hostname (daughter) and one by IP (10.10.10.8).  Will post both of them.
I've also removed everything from /var/db/samba4 except for the ./private directory, and everything from inside ./private, and removed the "os level" property from the [general] section of smb4.conf.

I did notice that you added the testusr user to samba using the "smbclient" rather than "smbpasswd" command.  Is it an issue that I used `smbpasswd -a sladd` when adding the Samba user (after having added the local user with useradd)?

Logs attached.


----------



## CelticWhisper (Dec 12, 2015)

Still having difficulty.  For what it's worth, I've also tried authenticating as root when the Windows security prompt comes up and that fails just the same as any other user.  Still need help, thanks.


----------



## CelticWhisper (Dec 12, 2015)

Also, should I need to preface my login with a hostname or domain name?  e.g. WORKGROUP\sladd or 10.10.10.15\sladd?


----------



## CelticWhisper (Dec 12, 2015)

I tried an Android client, AndSMB, and I was *able* to access the directory.  Same username (sladd) and password. This was with no DOMAIN\ prefix on the username.

Windows 8.1 and a Windows 7 VM are *unable* to access the share.


----------



## ondra_knezour (Dec 12, 2015)

I didn't read your logs, but incompatible versions of the SMB protocol and/or network authentication comes on my mind.

For start, see 
https://social.technet.microsoft.co...nnot-see-samba-domain?forum=w7itpronetworking
https://social.technet.microsoft.co...5/windows-7-too-secure-for-old-samba-software
http://www.tannerwilliamson.com/windows-7-seven-network-file-sharing-fix-samba-smb/394/


----------



## CelticWhisper (Dec 12, 2015)

Tried the Group Policy (Local Security Policy\Security Options) fix but it does not seem to have done anything.  I have also tried re-provisioning via samba-tool as mentioned here but I'm currently unable to view a list of shares.

Should I try installing samba 3.6 instead of 4.2?  I'm still very confused - I have setup Samba shares before and not had this degree of difficulty.


----------



## diizzy (Dec 13, 2015)

This works fine on Samba 4.1-4.3 installs and my Sony Xperia Z1 (thanks Sony for adding native support for SMB and SFTP share) and Windows clients.
You need to have a local user called fluffy (whatever you like) and then run the pdbedit cmd.
Remember to change interfaces to whatever you want Samba to listen on and omit the last four lines if you don't use ZFS.

`pdbedit -a -u fluffy`


```
[global]
workgroup = fluffys-internal-network.local
server string = Storage Server Fluffy
security = user
preferred master = yes
reset on zero vc = yes
log file = /var/log/samba.log
max log size = 10240
dns proxy = no
bind interfaces only = true
interfaces = em0
server services = s3fs smb
disable netbios = yes
server max protocol = SMB3
directory name cache size = 0
load printers = no
disable spoolss = yes
printing = bsd
printcap name = /dev/null
unix extensions = no
nt acl support  = yes
inherit acls = no
map acl inherit = yes

[zpubdata]
comment = Fluffy's Storage Pool PubData
path = /vault0/pubdata
public = yes
guest ok = yes
writable = yes
write list = fluffy
browseable = yes
create mask = 0775
vfs objects = zfsacl
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = yes
```
//Danne


----------



## CelticWhisper (Dec 18, 2015)

OK, I reinstalled net/samba42.  My Win7 VM (Win8 no longer in use) was unable to connect, with the "A device attached to the network is not functioning" error.

First, here's my smb4.conf.  I removed the lines referring to printing as I am not using this as a print server, and changed em0 to re0 per ifconfig(4)'s output.  Otherwise all I changed was the workgroup, comments and path to match what I'm using here.


```
[global]
workgroup = WORKGROUP
server string = PIATA
security = user
preferred master = yes
reset on zero vc = yes
log file = /var/log/samba.log
max log size = 10240
dns proxy = no
bind interfaces only = true
interfaces = re0
server services = s3fs smb
disable netbios = yes
server max protocol = SMB3
directory name cache size = 0
load printers = no
disable spoolss = yes
unix extensions = no
nt acl support  = yes
inherit acls = no
map acl inherit = yes

[sladd]
comment = SLadd Share
path = /nas/sladd
public = yes
guest ok = yes
writable = yes
write list = fluffy
browseable = yes
create mask = 0775
vfs objects = zfsacl
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = yes
```

Next, the output of `pdbedit -a -u sladd`

```
root@Piata:/usr/local/etc # pdbedit -a -u sladd
new password:
retype new password:
Unix username:  sladd
NT username:
Account Flags:  [UX  ]
User SID:  S-1-5-21-3245980969-568695238-1734129396-1001
Primary Group SID:  S-1-5-21-3245980969-568695238-1734129396-513
Full Name:
Home Directory:  \\piata\sladd
HomeDir Drive:
Logon Script:
Profile Path:  \\piata\sladd\profile
Domain:  PIATA
Account desc:
Workstations:
Munged dial:
Logon time:  0
Logoff time:  never
Kickoff time:  never
Password last set:  Fri, 18 Dec 2015 06:51:56 CST
Password can change:  Fri, 18 Dec 2015 06:51:56 CST
Password must change: never
Last bad password  : 0
Bad password count  : 0
Logon hours  : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
root@Piata:/usr/local/etc #
```

Finally, the contents of /var/log/samba.log


```
root@Piata:/usr/local/etc # cat /var/log/samba.log
[2015/12/18 06:51:15.729630,  0] ../source3/lib/util_sock.c:517(open_socket_in)
  bind failed on port 137 socket_addr = 10.255.255.255.
  Error = Can't assign requested address
[2015/12/18 06:51:15.730538,  0] ../source3/nmbd/nmbd_subnetdb.c:127(make_subnet)
  nmbd_subnetdb:make_subnet()
  Failed to open nmb bcast socket on interface 10.255.255.255 for port 137.  Error was Can't assign requested address
[2015/12/18 06:51:15.730743,  0] ../lib/util/become_daemon.c:111(exit_daemon)
  STATUS=daemon failed to start: NMBD failed when creating subnet lists, error code 13
[2015/12/18 06:51:17.381388,  0] ../lib/util/become_daemon.c:124(daemon_ready)
  STATUS=daemon 'smbd' finished starting up and ready to serve connections
```

Looks like there's some nmbd(8) problem, but I can't figure out what's going on to cause it.

Thanks for the continued help.


----------



## diizzy (Dec 18, 2015)

Don't remove the printer related lines unless you want unnecessary logspam.
`sockstat |grep 137`
//Danne


----------



## CelticWhisper (Dec 18, 2015)

Got it, will add those back in.  At the office now but will post sockstat output when I'm home.


----------



## CelticWhisper (Dec 19, 2015)

OK, added the print-related lines back in (and updated "fluffy" to "sladd" in the write list variable, which I overlooked last time).

However, `sockstat | grep 137` outputs nothing.


----------



## diizzy (Dec 19, 2015)

Hmm... That's odd, you can however add this to your /etc/rc.conf as nmbd(8) isn't needed.

```
samba_server_enable="YES"
smbd_enable="YES"
nmbd_enable="NO"
```
//Danne


----------



## CelticWhisper (Dec 24, 2015)

Okay, that's been done and I'm not seeing the "nmbd not running" notice anymore upon running `/usr/local/etc/rc.d/samba-server restart`

Still having the original issue though.  And thanks again to everyone for sticking with this.


----------

