Samba can be one of those things that causes a ton of headaches. It always feels like a huge slowdown when I get to the Samba portion of my media server install. This time I decided to check out using Webmin for my samba configuration and I was pleasantly surprised with how easy it made some of the configurations.
I will hit on the major things to be noted here, firstly the idea of separate samba and system users. You can set up synchronization between these so that when a user is created it gets added to the smbpasswd file also. I created my system users earlier and converted them to samba users, so the synchronization didn’t do me any good for my original user set. New users will be created in the smbpasswd file correctly. In any case, the current users I had did not have the password hash information in the smbpasswd file. An example looks like this:
nobody:65534:XX..XX:XX..XX:[U ]:LCT-00000000:
user0:1000:XX..XX:XX..XX:[U ]:LCT-00000000:
user1:1001:XX..XX:5D2E000588FBDD942A7AE8E6B2D09F50:[U ]:LCT-4A7505D8:
user2:1003:XX..XX:B7C7B18AFA60435A859B706C345AC8C7:[U ]:LCT-4AE1C3C9:
user3:1002:XX..XX:8CF29A930011E934254FBC514DEBDAD6:[U ]:LCT-4AE2606C:
user4:1004:XX..XX:569D90FCDDC4B87408BC89B02CFF9A7A:[U ]:LCT-4AEtD950:
You can check your smbpasswd file by doing this:
sudo su
pbdedit -w -L
Notice that user1-user4 have the hashed password information set. If user0 tried to login with their own system credentials for a samba share, they would get denied every time.
In this case you should use the Webmin config to set the samba user password by hand. Future user creations will be handled seamlessly if you set up the synchronization.
Client Lanman Auth
Another major issue that I had was with the configuration of the default samba install in Ubuntu. The default installs smb.conf file does not contain the line — client lanman auth = yes — whereas any user trying to login to your samba shares from a linux machine will surely get denied access because of this.
I added this line in my global configuration area:
#======================= Global Settings =======================
[global]
log file = /var/log/samba/log.%m
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
obey pam restrictions = yes
map to guest = bad user
encrypt passwords = yes
passwd program = /usr/bin/passwd %u
passdb backend = tdbsam
dns proxy = no
netbios name = SERVER
server string = %h
unix password sync = yes
workgroup = DOMAIN
os level = 20
security = user
syslog = 0
usershare allow guests = yes
panic action = /usr/share/samba/panic-action %d
max log size = 1000
pam password change = yes
client lanman auth = yes
Security
A bunch of guides out there suggest to set the security to be share based. I found that user based security offered many less headaches for me.
Also make sure that the folder containing home directories, for me it is /mnt/ARRAY/home, has its permissions set to 775. The sub folders can have tighter permissions, but it appears that samba requires the everyone bit set to 5 to actually allow users into their homes.
I realize that this is kind of a rag-tag post, but when you start working with Webmin and Samba you will realize its quite easy to get set up. I remember days of frustratingly reverting back to my original smb.conf and painful troubleshooting so hopefully this helps you get your shares set up for both windows and linux clients.