Samba

Samba 是用于 Linux 和 Unix的标准 Windows 互操作性程序套件。自 1992 年以来，Samba 为所有使用 SMB/CIFS 协议的客户端提供了安全、稳定和快速的文件和打印服务，例如所有版本的 DOS 和 Windows、OS/2、Linux 和许多其他系统。

要通过 Samba 共享文件，请参阅#服务器部分；要访问其他机器上通过 Samba 共享的文件，请参见#客户端部分。

服务器[编辑 | 编辑源代码]

安装[编辑 | 编辑源代码]

安装 samba^包 软件包。

Samba 服务的配置文件是 /etc/samba/smb.conf，smb.conf(5)提供了详细的文档。

samba^包 软件包没有提供此文件，启动 smb.service 前需要先创建这个文件。

从 Samba 的 Git 仓库可以获取到示例文件 smb.conf.default，可参考其配置 /etc/samba/smb.conf。

启用并启动服务[编辑 | 编辑源代码]

要通过 SMB 提供基础文件共享服务，请启用/启动 smb.service。详情请参考 smbd(8)。

如果你要让服务器可通过 NetBIOS 主机名访问，需在 smb.conf 中的 netbios name 选项配置目标名称，并启用/启动 nmb.service。详情请参考 smbd(8)。

使服务器可被发现[编辑 | 编辑源代码]

安装 avahi^包 软件包， 然后启用/启动 avahi-daemon.service 以通过 Zeroconf 使 Samba 服务器可被发现。这应当在多数非 Windows 文件管理器上可用（macOS Finder，Linux 和 BSD 上各种基于 GUI 的文件管理器，等等）。

如果 avahi-daemon.service 尚未运行，服务器仍可被访问，仅不可被发现。也就是说，它不会出现在文件管理器中，但你仍可直接通过 IP 或者域名连接它。

Windows 资源管理器单独依赖 WS-Directory 协议；参见 #Windows 1709 及更高版本无法在“网络”视图中发现 Samba 服务器。

配置防火墙[编辑 | 编辑源代码]

如果使用了 防火墙，请记得打开需要的端口（通常是 137-139 + 445）。完整列表请查看 Samba 所需端口。

UFW 规则[编辑 | 编辑源代码]

A Ufw App Profile for SMB/CIFS is included by default with the default installation of UFW in ufw-fileserver.

Allow Samba by running ufw allow CIFS as root.

If you deleted the profile, create/edit /etc/ufw/applications.d/samba and add the following content:

[Samba]
title=LanManager-like file and printer server for Unix
description=The Samba software suite is a collection of programs that implements the SMB/CIFS protocol for unix systems, allowing you to serve files and printers to Windows, NT, OS/2 and DOS clients. This protocol is sometimes also referred to as the LanManager or NetBIOS protocol.
ports=137,138/udp|139,445/tcp

Then load the profile into UFW run ufw app update Samba as root.

Then finally, allow Samba by running ufw allow Samba as root.

firewalld 服务[编辑 | 编辑源代码]

To configure firewalld to allow Samba in the home zone, run:

# firewall-cmd --permanent --add-service={samba,samba-client,samba-dc} --zone=home

The three services listed are:

• samba: for sharing files with others.
• samba-client: to browse shares on other machines on the network.
• samba-dc: for Samba/Active Directory domain controller.

--permanent ensures the changes remain after firewalld.service is restarted.

基础配置[编辑 | 编辑源代码]

用户管理[编辑 | 编辑源代码]

下列章节描述了如何创建本地（tdbsam）Samba 用户数据库。出于用户验证及其他用途，Samba 也可以被绑定到一个 Active Directory 域中，或是自己作为 Active Directory 域控制器，或者被用作 LDAP 服务器。

添加用户[编辑 | 编辑源代码]

Samba 需要 Linux 账户才能使用 - 可以使用已有账户或创建新用户。

虽然 Samba 和 Linux 系统共享用户名，但 Samba 使用单独的密码管理。将下面的 samba_user 替换为选择的 Samba 用户:

# smbpasswd -a samba_user

根据服务器角色的差异，可能需要为 Samba 用户账户修改已有的文件权限与属性。

要让新创建的用户仅能访问 Samba 远程文件服务器，可以禁用其它登录选项：

• 禁用 shell - usermod --shell /usr/bin/nologin --lock samba_user
• 禁用 SSH 登录 - 编辑 /etc/ssh/sshd_config 文件，修改 AllowUsers 选项

另请参阅安全一文来加固系统。

查询用户[编辑 | 编辑源代码]

使用 pdbedit(8) 命令查询现有用户：

# pdbedit -L -v

更改 samba 用户的密码[编辑 | 编辑源代码]

使用 smbpasswd 修改 samba 用户的密码：

# smbpasswd samba_user

创建匿名共享[编辑 | 编辑源代码]

1. 创建新 Linux 用户，匿名 Samba 用户将映射到该用户。

# useradd guest -s /bin/nologin

2. 在 /etc/samba/smb.conf 添加下列内容：

/etc/samba/smb.conf

...
[global]
security = user
map to guest = bad user
guest account = guest

[guest_share]
    comment = guest share
    path = /tmp/
    public = yes
    only guest = yes
    writable = yes
    printable = no

现在匿名用户将被映射到 Linux 用户 guest，并可以访问 guest_share.path 中定义的任何目录，在该例子中为 /tmp/。

请确保 Linux 用户 guest 拥有访问 guest_share.path 中文件的相应权限。

另外，请确保共享已正确按照 smb.conf.default 中的 Share Definitions 一节进行配置。

高级配置[编辑 | 编辑源代码]

Enable symlink following[编辑 | 编辑源代码]

/etc/samba/smb.conf

...
[global]
   follow symlinks = yes
   wide links = yes
   unix extensions = no

Then, restart smb.service.

为 macOS 客户端启用服务端复制[编辑 | 编辑源代码]

服务端复制使得在服务端复制文件时不需要在服务器及客户端间进行数据传输。该选项默认启用，但在 macOS 客户端下无效。如果你有 macOS 客户端，需要将下面的配置添加到 smb.conf，然后重启 smb.service。

/etc/samba/smb.conf

...
[global]
   fruit:copyfile = yes

启用 Usershare[编辑 | 编辑源代码]

Usershares 可以让不具有 root 权限的用户拥有进行添加、修改和删除自己的文件夹的操作权限。参见 smb.conf(5) § USERSHARES。

1. 为 usershares 创建目录：

   # mkdir /var/lib/samba/usershares

2. 创建一个 用户组：

   # groupadd -r sambashare

3. 将目录的所有者修改为 root，组修改为 sambashare：

   # chown root:sambashare /var/lib/samba/usershares

4. 修改 usershares 目录的权限，使 sambashare 组中的用户可以创建文件。该命令同时配置了 黏着位，防止用户删除其他用户的 usershares：

   # chmod 1770 /var/lib/samba/usershares

在 smb.conf 配置文件中设置如下配置：

/etc/samba/smb.conf

[global]
  usershare path = /var/lib/samba/usershares
  usershare max shares = 100
  usershare allow guests = yes
  usershare owner only = yes

将用户添加到 sambashare 组，将 your_username 替换为你用户的名称：

# gpasswd sambashare -a your_username

重启 smb.service 和 nmb.service 服务。

注销并重新登录。

如果你希望共享主目录下的路径，其必须允许 others 组的用户访问。

在 GUI 下，你可以使用 Thunar 或 Dolphin - 右键点击任何目录，然后通过网络共享。

在命令行下，使用下列任一命令，替换掉斜体的 sharename，user，...：

# net usershare add sharename abspath [comment] [user:{R|D|F}] [guest_ok={y|n}]
# net usershare delete sharename
# net usershare list wildcard-sharename
# net usershare info wildcard-sharename

设置并强制应用权限[编辑 | 编辑源代码]

权限可同时应用于服务器和共享：

/etc/samba/smb.conf

[global]
  ;inherit owner = unix only ; Inherit ownership of the parent directory for new files and directories
  ;inherit permissions = yes ; Inherit permissions of the parent directory for new files and directories
  create mask = 0664
  directory mask = 2755
  force create mode = 0644
  force directory mode = 2755
  ...

[media]
  comment = Media share accessible by greg and pcusers
  path = /path/to/media
  valid users = greg @pcusers
  force group = +pcusers
  public = no
  writable = yes
  create mask = 0664
  directory mask = 2775
  force create mode = 0664
  force directory mode = 2775

[public]
  comment = Public share where archie has write access
  path = /path/to/public
  public = yes
  read only = yes
  write list = archie
  printable = no

[guests]
  comment = Allow all users to read/write
  path = /path/to/guests
  public = yes
  only guest = yes
  writable = yes
  printable = no

参见 smb.conf(5) 查看完整的可用权限标志和设置。

限制协议以增强安全性[编辑 | 编辑源代码]

在 /etc/samba/smb.conf 中添加 server min protocol 和 server max protocol 以强制最低和最高可用协议版本；

/etc/samba/smb.conf

[global]
  server min protocol = SMB2_10
  ; server max protocol = SMB3

参见 smb.conf(5) 中的 server max protocol 部分以获取所支持协议的概述。

为了和旧版本的客户端和/或服务器兼容，你或许需要将 client min protocol 或 server min protocol 设置到旧一点的版本，但请注意你将更易于遭受攻击。

使用 mount.cifs 的客户端也许需要指定正确的 vers=*，例如：

# mount -t cifs //SERVER/sharename /mnt/mountpoint -o username=username,password=password,iocharset=utf8,vers=3.1.1

参见 mount.cifs(8) 获取更多信息.

使用原生 SMB 传输加密[编辑 | 编辑源代码]

原生 SMB 传输加密在 SMB 3.0 及更新版本可用。支持该类型加密的客户端包括 Windows 8 以及更新版本，Windows Server 2012 及更新版本，以及 Samba 4.1 及更新版本的 smbclient。

为了默认使用原生 SMB 传输加密，需全局和/或按共享设置 server smb encrypt 参数。可用的值有off，enabled（默认值），desired 或 required：

/etc/samba/smb.conf

[global]
  server smb encrypt = desired

To configure encryption for on the client side, use the option client smb encrypt.

参见 smb.conf(5) 获取更多信息，特别是 对 SMB1 的影响 和 对 SMB2 的影响 的段落。

禁用打印机共享[编辑 | 编辑源代码]

默认情况下 Samba 会共享由 CUPS 设置的打印机。

如果你不想打印机被共享，使用以下设置：

/etc/samba/smb.conf

[global]
  load printers = no
  printing = bsd
  printcap name = /dev/null
  disable spoolss = yes
  show add printer wizard = no

防止 Samba 共享特定后缀的文件[编辑 | 编辑源代码]

Samba 提供了一个选项以屏蔽满足特定命名模式的文件，比如文件扩展名。该选项可用于防止病毒传播或阻止用户用特定的文件浪费空间。更多关于此选项的信息可在 smb.conf(5) 找到。

/etc/samba/smb.conf

...
[myshare]
  comment = Private
  path = /mnt/data
  read only = no
  veto files = /*.exe/*.com/*.dll/*.bat/*.vbs/*.tmp/*.mp3/*.avi/*.mp4/*.wmv/*.wma/

提高吞吐量[编辑 | 编辑源代码]

默认设置应满足多数用户的用例。虽然正确配置 'socket options' 可以提升性能，但错误配置也会同比例降低性能。在进行大幅更改前请确保进行了测试。

在应用下列任何配置前请阅读 smb.conf(5) 文档。

下列设置需要附加到 /etc/samba/smb.conf 的 [global] 一节中。

设置 deadtime 可防止大量非活跃连接消耗系统资源：

deadtime = 30

sendfile 可能会更高效利用 CPU 资源，让 Samba 变得更快：

use sendfile = yes

配置最低 receivefile 大小可以利用零复制直接从网络套接字缓冲区写入到操作系统缓存（如果可用）。这一操作可能会提高性能，但建议用户进行测试：

min receivefile size = 16384

提高接收/发送缓存大小及配置套接字优化标志可能有助于提升吞吐量。由于在某些网络下可能会出现问题，建议对各个标志进行单独测试：

socket options = IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT SO_RCVBUF=131072 SO_SNDBUF=131072

Enable access for old clients/devices[编辑 | 编辑源代码]

Latest versions of Samba no longer offer older authentication methods and protocols which are still used by some older clients (IP cameras, etc). These devices usually require Samba server to allow NTMLv1 authentication and NT1 version of the protocol, known as CIFS. For these devices to work with latest Samba, you need to add these two configuration parameters into [global] section:

server min protocol = NT1
ntlm auth = yes

Anonymous/guest access to a share requires just the first parameter. If the old device will access with username and password, you also need the add the second line too.

Enable Spotlight searching[编辑 | 编辑源代码]

Spotlight allows supporting clients (e.g. MacOS Finder) to quickly search shared files.

Install and start/enable OpenSearch. Install fs2es-indexer^AUR, configure the directories you want to index in /etc/fs2es-indexer/config.yml, and start/enable fs2es-indexer.service for periodic indexing.

Edit smb.conf as described in the Samba wiki to enable Spotlight per share, and restart smb.service to apply the changes.

客户端配置[编辑 | 编辑源代码]

要使用类似 ftp 的命令行界面，请安装软件包 smbclient^包。常用命令请参考 smbclient(1)。

如需更轻量级的替代品（没有可用共享查询等功能），可安装 cifs-utils^包，其提供了 /usr/bin/mount.cifs。

部分桌面环境可能提供了图形界面，搭配文件管理器的用法请参考#文件管理器配置。

显示可用共享[编辑 | 编辑源代码]

下面命令会显示服务器上的可用共享:

$ smbclient -L hostname -U%

smbtree 可用显示共享目录树，不建议再有大量计算机的网络上使用此功能。可用它检查共享名是否可用。

另外，使用 $ smbtree -N 会以树状图显示所有可用共享，它使用了广播查询，因此不建议在有大量设备的网络中使用，但有助于检查共享名是否可用。使用 -N（-no-pass）选项可以忽略密码输入请求。

NetBIOS/WINS 主机名[编辑 | 编辑源代码]

Samba clients handle NetBIOS host names automatically by default (the behavior is controlled by the name resolve order option in smb.conf). Other programs (including mount.cifs) typically use Name Service Switch, which does not handle NetBIOS by default.

The smbclient^包 package provides a libnss driver to resolve NetBIOS host names. To use it, install it along with the samba^包 package (which provides the winbindd daemon), start/enable winbind.service and add wins to the hosts line in nsswitch.conf(5):

/etc/nsswitch.conf

...
hosts: mymachines resolve [!UNAVAIL=return] files myhostname dns wins
...

Now, during host resolving (e.g. when using mount.cifs or just ping netbios-name), winbindd will resolve the host name by sending queries using NetBIOS Name Service (NBNS, also known as WINS) protocol.

By default it sends a broadcast query to your local network. If you have a WINS server, you can add wins server = wins-server-ip to smb.conf and restart winbind.service, then winbindd and other Samba clients will send unicast queries to the specified IP.

If you want to resolve your local host name (specified in the netbios name option in smb.conf), start/enable nmb.service, which will handle incoming queries.

You can test WINS resolution with nmblookup. By default it sends broadcast queries to your local network regardless of the wins server option.

Note that WINS resolution requires incoming traffic originating from port 137.

Disable NetBIOS/WINS support[编辑 | 编辑源代码]

When not using NetBIOS/WINS host name resolution, it may be preferred to disable this protocol:

/etc/samba/smb.conf

[global]
  disable netbios = yes
  dns proxy = no

Finally disable/stop winbind.service.

手动挂载[编辑 | 编辑源代码]

使用 mount.cifs 作为挂载类型 type，下面列出的选项并不是全部都需要：

# mount --mkdir -t cifs //SERVER/sharename /mnt/mountpoint -o username=username,password=password,workgroup=workgroup,iocharset=utf8,uid=username,gid=group

其中 uid 和 gid 对应了被授予特定路径读写权限的本地（例如客户端）用户/用户组。

使用 uid 和 gid 挂载选项时，请注意 文件权限，否则会出现 I/O 错误。}}

• SERVER — 服务器名称
• sharename — 共享目录
• mountpoint — 本地挂载点
• [-o options] — 详情请参考 {{man|8|mount.cifs}。

保存共享密码[编辑 | 编辑源代码]

不建议将密码保存在所有人都可读的文件中，一个更安全的方式是创建凭证文件，例如写入到 /etc/samba/credentials：

/etc/samba/credentials/share

username=myuser
password=mypass

将挂载命令中的 username=myuser,password=mypass 替换为 credentials=/etc/samba/credentials/share。

应仅根用户允许有凭证文件的读写权限：

# chown root:root /etc/samba/credentials
# chmod 700 /etc/samba/credentials
# chmod 600 /etc/samba/credentials/share

自动挂载[编辑 | 编辑源代码]

Using NetworkManager and GIO/gvfs[编辑 | 编辑源代码]

NetworkManager can be configured to run a script on network status change. This script uses the gio command so that it mounts the Samba shares automatically, the same way your file manager does, as explained below. The script also safely unmounts the Samba shares before the relevant network connection is disabled by listening for the pre-down and vpn-pre-down events. Make the script is executable after creating it.

/etc/NetworkManager/dispatcher.d/30-samba.sh

#!/bin/sh

# Find the connection UUID with "nmcli con show" in terminal.
# All NetworkManager connection types are supported: wireless, VPN, wired...
WANTED_CON_UUID="CHANGE-ME-NOW-9c7eff15-010a-4b1c-a786-9b4efa218ba9"

# The user the share will be mounted under
USER="yourusername"
# The path that appears in your file manager when you manually mount the share you want
SMB_URL="smb://servername/share"

# Get runtime user directory. If it does not exist, do nothing and just exit
XDG_RUNTIME_DIR=$(loginctl show-user --property=RuntimePath --value "$USER") || exit 0

if [ "$CONNECTION_UUID" = "$WANTED_CON_UUID" ]; then
    
    # Script parameter $1: network interface name, not used
    # Script parameter $2: dispatched event
    
    case "$2" in
        "up"|"vpn-up")
            su $USER -c "DBUS_SESSION_BUS_ADDRESS=unix:path=$XDG_RUNTIME_DIR/bus gio mount $SMB_URL"
            ;;
        "pre-down"|"vpn-pre-down")
            su $USER -c "DBUS_SESSION_BUS_ADDRESS=unix:path=$XDG_RUNTIME_DIR/bus gio mount -uf $SMB_URL"
            ;;
    esac
fi

Create a symlink inside /etc/NetworkManager/dispatcher.d/pre-down to catch the pre-down events:

# ln -s /etc/NetworkManager/dispatcher.d/30-samba.sh /etc/NetworkManager/dispatcher.d/pre-down.d/30-samba.sh

作为挂载路径[编辑 | 编辑源代码]

This is a simple example of a cifs mount entry that requires authentication:

/etc/fstab

//SERVER/sharename /mnt/mountpoint cifs _netdev,nofail,username=myuser,password=mypass 0 0

作为 systemd 单元[编辑 | 编辑源代码]

在 /etc/systemd/system 下创建一个新的 .mount 文件，例如：mnt-myshare.mount。详细信息请查看 systemd.mount(5)。

What= 要使用的共享路径

Where= 将共享挂载到的位置

Options= 共享挂载选项

/etc/systemd/system/mnt-myshare.mount

[Unit]
Description=Mount Share at boot

[Mount]
What=//server/share
Where=/mnt/myshare
Options=_netdev,credentials=/etc/samba/credentials/myshare,iocharset=utf8,rw
Type=cifs
TimeoutSec=30

[Install]
WantedBy=multi-user.target

要使用 mnt-myshare.mount，需启动该单元，然后通过启用使其在系统启动时运行。

自动化挂载[编辑 | 编辑源代码]

可以使用如下单元来在访问时自动挂载共享（类似 autofs）：

/etc/systemd/system/mnt-myshare.automount

[Unit]
Description=Automount myshare

[Automount]
Where=/mnt/myshare

[Install]
WantedBy=multi-user.target

禁用/停止 mnt-myshare.mount，然后启用/启动 mnt-myshare.automount 来在访问挂载路径时自动挂载共享。

smbnetfs[编辑 | 编辑源代码]

First, check if you can see all the shares you are interested in mounting:

$ smbtree -U remote_user

If that does not work, find and modify the following line in /etc/samba/smb.conf accordingly:

domain master = auto

Now restart smb.service and nmb.service.

If everything works as expected, install smbnetfs^包.

Then, add the following line to /etc/fuse.conf:

user_allow_other

Now copy the directory /etc/smbnetfs/.smb to your home directory:

$ cp -a /etc/smbnetfs/.smb ~

Then create a link to smb.conf:

$ ln -sf /etc/samba/smb.conf ~/.smb/smb.conf

If a username and a password are required to access some of the shared folders, edit ~/.smb/smbnetfs.auth to include one or more entries like this:

~/.smb/smbnetfs.auth

auth			"hostname" "username" "password"

It is also possible to add entries for specific hosts to be mounted by smbnetfs, if necessary. More details can be found in ~/.smb/smbnetfs.conf.

If you are using the Dolphin or GNOME Files, you may want to add the following to ~/.smb/smbnetfs.conf to avoid "Disk full" errors as smbnetfs by default will report 0 bytes of free space:

~/.smb/smbnetfs.conf

free_space_size 1073741824

When you are done with the configuration, you need to run

$ chmod 600 ~/.smb/smbnetfs.*

Otherwise, smbnetfs complains about 'insecure config file permissions'.

Finally, to mount your Samba network neighbourhood to a directory of your choice, call

$ smbnetfs mount_point

Daemon[编辑 | 编辑源代码]

The Arch Linux package also maintains an additional system-wide operation mode for smbnetfs. To enable it, you need to make the said modifications in the directory /etc/smbnetfs/.smb.

Then, you can start and/or enable the smbnetfs daemon as usual. The system-wide mount point is at /mnt/smbnet/.

autofs[编辑 | 编辑源代码]

See Autofs for information on the kernel-based automounter for Linux.

文件管理器配置[编辑 | 编辑源代码]

GNOME Files、Nemo、Caja、Thunar 和 PCManFM[编辑 | 编辑源代码]

为了通过 GNOME Files，Nemo，Caja，Thunar 或 PCManFM 访问 samba 共享，需安装 gvfs-smb^包 软件包。

按 Ctrl+l 然后在地址栏输入 smb://servername/share 以访问您的共享。

共享很可能挂载到了文件系统中的 /run/user/your_UID/gvfs 或 ~/.gvfs 位置下。

KDE[编辑 | 编辑源代码]

KDE 有内建的浏览 Samba 共享的能力。为了使用 KDE 系统设置的 GUI，你需要安装 kdenetwork-filesharing^包 软件包。

KDE 应用（例如 Dolphin）自带 Samba 共享浏览功能。在地址栏输入 smb://servername/share就可以浏览文件。如果你想在非 KDE 应用访问文件，可以安装 kio-fuse^包。

To use a GUI in the KDE System Settings, you will need to install the kdenetwork-filesharing^包 package.

其它图形环境[编辑 | 编辑源代码]

There are a number of useful programs, but they may need to have packages created for them. This can be done with the Arch package build system. The good thing about these others is that they do not require a particular environment to be installed to support them, and so they bring along less baggage.

• pyneighborhood^AUR
• LinNeighborhood, RUmba, xffm-samba plugin for Xffm are not available in the official repositories or the AUR. As they are not officially (or even unofficially supported), they may be obsolete and may not work at all.

提示与技巧[编辑 | 编辑源代码]

Discovering network shares[编辑 | 编辑源代码]

If nothing is known about other systems on the local network, and automated tools such as smbnetfs are not available, you can manually probe for Samba shares.

First, install the nmap^包 and smbclient^包 packages.

Use nmap to scan your local network to find systems with TCP port 445 open, which is the port used by the SMB protocol. Note that you may need to use -Pn or set a custom ping scan type (e.g. -PS445) because Windows systems are usually firewalled.

$ nmap -p 445 "192.168.1.*"

Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-13 12:00 UTC
Nmap scan report for 192.168.1.1
Host is up (0.0011s latency).

PORT    STATE  SERVICE
445/tcp open  microsoft-ds

Nmap scan report for 192.168.1.2
Host is up (0.00011s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Nmap done: 256 IP addresses (2 hosts up) scanned in 2.45 seconds

The first result is another system; the second happens to be the client from where this scan was performed.

Now you can connect to their IP addresses directly, but if you want to use NetBIOS host names, you can use nmblookup(1) to check for NetBIOS names. Note that this will not work if NetBIOS is disabled on the server.

$ nmblookup -A 192.168.1.1

Looking up status of 192.168.1.1
        PUTER           <00> -         B <ACTIVE>
        HOMENET         <00> - <GROUP> B <ACTIVE>
        PUTER           <03> -         B <ACTIVE>
        PUTER           <20> -         B <ACTIVE>
        HOMENET         <1e> - <GROUP> B <ACTIVE>
        USERNAME        <03> -         B <ACTIVE>
        HOMENET         <1d> -         B <ACTIVE>
        MSBROWSE        <01> - <GROUP> B <ACTIVE>

Regardless of the output, look for <20>, which shows the host with open services.

Use smbclient(1) to list which services are shared on these systems. You can use NetBIOS host name (PUTER in this example) instead of IP when available. If prompted for a password, pressing enter should still display the list:

$ smbclient -L \\192.168.1.1

Sharename       Type      Comment
---------       ----      -------
MY_MUSIC        Disk
SHAREDDOCS      Disk
PRINTER$        Disk
PRINTER         Printer
IPC$            IPC       Remote Inter Process Communication

Server               Comment
---------            -------
PUTER

Workgroup            Master
---------            -------
HOMENET               PUTER

Remote control of Windows computer[编辑 | 编辑源代码]

Samba offers a set of tools for communication with Windows. These can be handy if access to a Windows computer through remote desktop is not an option, as shown by some examples.

Send shutdown command with a comment:

$ net rpc shutdown -C "comment" -I IPADDRESS -U USERNAME%PASSWORD

A forced shutdown instead can be invoked by changing -C with comment to a single -f. For a restart, only add -r, followed by a -C or -f.

Stop and start services:

$ net rpc service stop SERVICENAME -I IPADDRESS -U USERNAME%PASSWORD

To see all possible net rpc command:

$ net rpc

疑难解答[编辑 | 编辑源代码]

启动 Samba SMB/CIFS 服务器失败[编辑 | 编辑源代码]

可能的解决方法：

• 通过 testparm(1) 检查 smb.conf 中的配置问题。
• 在 /var/cache/samba/ 中配置正确的权限，然后重启 smb.service：

# chmod 0755 /var/cache/samba/msg

SELinux 权限问题[编辑 | 编辑源代码]

SELinux 默认不允许 samba 访问用户的主目录。要解决此问题，执行：

# setsebool -P samba_enable_home_dirs 1

类似地，samba_export_all_ro 和 samba_export_all_rw 使 Samba 拥有读取或“读和写”所有文件的能力。

AppArmor 权限问题[编辑 | 编辑源代码]

如果使用了一个在家目录或用户共享目录之外的共享路径，请在 /etc/apparmor.d/local/usr.sbin.smbd 中将其加入白名单。例如：

/etc/apparmor.d/local/usr.sbin.smbd

"/data/" rk,
"/data/**" lrwk,

No dialect specified on mount[编辑 | 编辑源代码]

The client is using an unsupported SMB/CIFS version that is required by the server.

See #Restrict protocols for better security for more information.

Unable to overwrite files, permissions errors[编辑 | 编辑源代码]

Possible solutions:

• Append the mount option nodfs to the /etc/fstab entry.
• Add msdfs root = no to the [global] section of the server's /etc/samba/smb.conf.

Windows clients keep asking for password even if Samba shares are created with guest permissions[编辑 | 编辑源代码]

Set map to guest inside the global section of /etc/samba/smb.conf:

map to guest = Bad Password

If you are still using Samba < 4.10.10, use Bad User instead of Bad Password.

Windows 10 1709 和更高版本的连接性问题 - "Windows cannot access" 0x80004005[编辑 | 编辑源代码]

This error affects some machines running Windows 10 version 1709 and later. It is not related to SMB1 being disabled in this version but to the fact that Microsoft disabled insecure logons for guests on this version for some, but not others.

To fix, open Group Policy Editor (gpedit.msc). Navigate to Computer configuration\administrative templates\network\Lanman Workstation > Enable insecure guest logons and enable it. Alternatively,change the following value in the registry:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
"AllowInsecureGuestAuth"=dword:1

Error: Failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL[编辑 | 编辑源代码]

If you are a home user and using samba purely for file sharing from a server or NAS, you are probably not interested in sharing printers through it. If so, you can prevent this error from occurring by adding the following lines to your /etc/samba/smb.conf:

/etc/samba/smb.conf

[global]
  load printers = No
  printing = bsd
  printcap name = /dev/null
  disable spoolss = Yes

Restart the samba service, smb.service, and then check your logs:

# cat /var/log/samba/smbd.log

and the error should now no longer be appearing.

Sharing a folder fails[编辑 | 编辑源代码]

It means that while you are sharing a folder from Dolphin (file manager) and everything seems ok at first, after restarting Dolphin the share icon is gone from the shared folder, and also some output like this in terminal (Konsole) output:

‘net usershare’ returned error 255: net usershare: usershares are currently disabled

To fix it, enable usershare as described in #启用 Usershares.

"Browsing" network fails with "Failed to retrieve share list from server"[编辑 | 编辑源代码]

And you are using a firewall (iptables) because you do not trust your local (school, university, hotel) network. This may be due to the following: When the smbclient is browsing the local network it sends out a broadcast request on udp port 137. The servers on the network then reply to your client but as the source address of this reply is different from the destination address iptables saw when sending the request for the listing out, iptables will not recognize the reply as being "ESTABLISHED" or "RELATED", and hence the packet is dropped. A possible solution is to add:

iptables -t raw -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns

to your iptables setup.

For Uncomplicated Firewall, you need to add nf_conntrack_netbios_ns to the end of the following line in /etc/default/ufw

IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_irc nf_nat_irc"

and then run the following commands as root:

echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper
ufw allow CIFS
ufw reload

To make this change persistent across reboots, add the following line at the end of /etc/ufw/sysctl.conf:

net.netfilter.nf_conntrack_helper=1

Protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE[编辑 | 编辑源代码]

The client probably does not have access to shares. Make sure clients' IP address is in hosts allow = line in /etc/samba/smb.conf.

Another problem could be, that the client uses an invalid protocol version. To check this try to connect with the smbclient where you specify the maximum protocol version manually:

$ smbclient -U <user name> -L //<server name> -m <protocol version: e. g. SMB2> -W <domain name>

If the command was successful then create a configuration file:

~/.smb/smb.conf

[global]
  workgroup = <domain name>
  client max protocol = SMB2

Connection to SERVER failed: (Error NT_STATUS_UNSUCCESSFUL)[编辑 | 编辑源代码]

You are probably passing a wrong server name to smbclient. To find out the server name, run hostnamectl on the server and look at "Transient hostname" line

Connection to SERVER failed: (Error NT_STATUS_CONNECTION_REFUSED)[编辑 | 编辑源代码]

Make sure that the server has started. The shared directories should exist and be accessible.

Protocol negotiation failed: NT_STATUS_CONNECTION_RESET[编辑 | 编辑源代码]

Probably the server is configured not to accept protocol SMB1. Add option client max protocol = SMB2 in /etc/samba/smb.conf. Or just pass argument -m SMB2 to smbclient.

Password Error when correct credentials are given (error 1326)[编辑 | 编辑源代码]

Samba 4.5 has NTLMv1 authentication disabled by default. It is recommend to install the latest available upgrades on clients and deny access for unsupported clients.

If you still need support for very old clients without NTLMv2 support (e.g. Windows XP), it is possible force enable NTLMv1, although this is not recommend for security reasons:

/etc/samba/smb.conf

[global]
  lanman auth = yes
  ntlm auth = yes

If NTLMv2 clients are unable to authenticate when NTLMv1 has been enabled, create the following file on the client:

/home/user/.smb/smb.conf

[global]
  sec = ntlmv2
  client ntlmv2 auth = yes

This change also affects samba shares mounted with mount.cifs. If after upgrade to Samba 4.5 your mount fails, add the sec=ntlmssp option to your mount command, e.g.

mount.cifs //server/share /mnt/point -o sec=ntlmssp,...

See the mount.cifs(8) man page: ntlmssp - Use NTLMv2 password hashing encapsulated in Raw NTLMSSP message. The default in mainline kernel versions prior to v3.8 was sec=ntlm. In v3.8, the default was changed to sec=ntlmssp.

Mapping reserved Windows characters[编辑 | 编辑源代码]

Starting with kernel 3.18, the cifs module uses the "mapposix" option by default. When mounting a share using unix extensions and a default Samba configuration, files and directories containing one of the seven reserved Windows characters : \ * < > ? are listed but cannot be accessed.

Possible solutions are:

• Use the undocumented nomapposix mount option for cifs

# mount.cifs //server/share /mnt/point -o nomapposix

• Configure Samba to remap mapposix ("SFM", Services for Mac) style characters to the correct native ones using fruit

/etc/samba/smb.conf

[global]
  vfs objects = catia fruit
  fruit:encoding = native

• Manually remap forbidden characters using catia

/etc/samba/smb.conf

[global]
  vfs objects = catia
  catia:mappings = 0x22:0xf022, 0x2a:0xf02a, 0x2f:0xf02f, 0x3a:0xf03a, 0x3c:0xf03c, 0x3e:0xf03e, 0x3f:0xf03f, 0x5c:0xf05c, 0x7c:0xf07c, 0x20:0xf020

The latter approach (using catia or fruit) has the drawback of filtering files with unprintable characters.

Folder shared inside graphical environment is not available to guests[编辑 | 编辑源代码]

This section presupposes:

1. Usershares are configured following previous section
2. A shared folder has been created as a non-root user from GUI
3. Guests access has been set to shared folder during creation
4. Samba service has been restarted at least once since last /etc/samba/smb.conf file modification

For clarification purpose only, in the following sub-sections is assumed:

• Shared folder is located inside user home directory path (/home/yourUser/Shared)
• Shared folder name is MySharedFiles
• Guest access is read-only.
• Windows users will access shared folder content without login prompt

Verify correct samba configuration[编辑 | 编辑源代码]

Run the following command from a terminal to test configuration file correctness:

$ testparm

Verify correct shared folder creation[编辑 | 编辑源代码]

Run the following commands from a terminal:

$ cd /var/lib/samba/usershares
$ ls

If everything is fine, you will notice a file named mysharedfiles

Read the file contents using the following command:

$ cat mysharedfiles

The terminal output should display something like this:

/var/lib/samba/usershares/mysharedfiles

path=/home/yourUser/Shared
comment=
usershare_acl=S-1-1-0:r
guest_ok=y
sharename=MySharedFiles

Verify folder access by guest[编辑 | 编辑源代码]

Run the following command from a terminal. If prompted for a password, just press Enter:

$ smbclient -L localhost

If everything is fine, MySharedFiles should be displayed under Sharename column

Run the following command in order to access the shared folder as guest (anonymous login)

$ smbclient -N //localhost/MySharedFiles

If everything is fine samba client prompt will be displayed:

smb: \>

From samba prompt verify guest can list directory contents:

smb: \> ls

If the NTFS_STATUS_ACCESS_DENIED error is displayed, the issue is likely to be with Unix directory permissions. Ensure that your samba user has access to the folder and all parent folders. You can test this by sudoing to the user and attempting to list the mount directory, and all of its parents.

Mount error: Host is down[编辑 | 编辑源代码]

This error might be seen when mounting shares of Synology NAS servers. Use the mount option vers=1.0 to solve it.

Template:主要

Software caused connection abort[编辑 | 编辑源代码]

File managers that utilizes gvfs-smb^包 can show the error Software caused connection abort when writing a file to a share/server. This may be due to the server running SMB/CIFS version 1, which many routers use for USB drive sharing (e.g. Belkin routers). To write to these shares specify the CIFS version with the option vers=1.0. E.g.:

/etc/fstab

//SERVER/sharename /mnt/mountpoint cifs _netdev,guest,file_mode=0777,dir_mode=0777,vers=1.0 0 0

This can also happen after updating Samba to version 4.11, which deactivates SMB1 as default, and accessing any Samba share. You can reenable it by adding

/etc/samba/smb.conf

[global]
client min protocol = CORE

Connection problem (due to authentification error)[编辑 | 编辑源代码]

Be sure that you do not leave any space characters before your username in Samba client configuration file as follows:

~/.samba

username= user
password=pass

The correct format is:

~/.samba

username=user
password=pass

Windows 1709 及更高版本无法在“网络”视图中发现 Samba 服务器[编辑 | 编辑源代码]

随着 Windows 10 1511 版本的推出，对 SMBv1 的支持以及由此的 NetBIOS 设备发现被默认禁用。根据实际版本不同，从1709版本（"秋季创意者更新"）开始的 Windows 版本不允许再安装 SMBv1 客户端。这导致运行 Samba 的主机无法在资源管理器的“网络（网上邻居）”视图中被列出。虽然并无连接问题，而且 Samba 仍然可以正常运行，但用户可能想让他们的 Samba 主机被 Windows 自动列出。wsdd^AUR 实现了一个 Web Service Discovery 宿主守护进程。这使得（Samba）主机，比方说你的本地 NAS 设备，能够被像 Windows 这样的 Web Service Discovery 客户端找到。默认设置应该适用于大多数用例，你要做的就是启用 wsdd.service。

默认配置（在组 "WORKGROUP "中使用机器主机名公示自己）应适用于绝大多数情况。如果有需要，你可以通过在 /etc/conf.d/wsdd 中添加额外的参数来改变配置选项（详见wsdd的手册页）。

wsdd2^AUR 的功能相同，但它是用 C 语言而不是 Python 编写的。默认情况下，它将在 smb.conf 中寻找 netbios name 和 workgroup 值。

GNOME Files not showing Windows machines (version 1709 or up) with shared folders in Network view[编辑 | 编辑源代码]

See GNOME/Files#Windows machines (version 1709 or up) with shared folders don't show up in Network view.

iOS/iPadOS Files can no longer copy-to Samba share on Arch Linux beginning with iOS/iPadOS 14.5[编辑 | 编辑源代码]

Beginning with iOS/iPadOS 14.5 attempting to transfer from a device running iOS/iPadOS using the "Files" app to a samba share on Arch Linux will result in the error:

The operation couldn't be completed
Operation canceled

To correct this problem, add add the following to the global section of your smb.conf and restart smb.service. Comment optional:

## addition for iOS/iPadOS 14.5+ Files transfer-to server
vfs object = fruit streams_xattr

See https://apple.stackexchange.com/q/424681 Apple.Stackexchange.com - "The operation couldn't be completed"/"Operation canceled" error message when saving to a Samba share via Files app.

Slow initial connections from certain clients without other performance problems[编辑 | 编辑源代码]

Some SMB clients, such as Solid Explorer for Android, take significantly longer to connect to Samba if they fail to resolve the NetBIOS name. Enabling nmb.service will greatly speed up initial connections if this is the case. Since this is a bug in the client software, please report such cases to the authors of conflicting software.

更多参考[编辑 | 编辑源代码]

• 官方网站
• Samba: An Introduction
• Samba 3.2.x HOWTO and Reference Guide（已过时，但仍是最详细的文档）
• 维基百科
• Gentoo:Samba/Guide
• Debian:Samba/ServerSimple
• KSMBD - A linux kernel server which implements SMB3 protocol in kernel space for sharing files over network.