Samba
Samba 是用于Linux和Unix的标准Windows互操作性程序套件。自1992年以来,Samba为所有使用 SMB/CIFS 协议的客户提供了安全、稳定和快速的文件和打印服务,例如所有版本的DOS和Windows、OS/2、Linux和许多其他系统。
要通过Samba共享文件,请参阅#服务器部分;要访问其他机器上通过Samba共享的文件,请参见#客户端部分。
服务器[编辑 | 编辑源代码]
安装[编辑 | 编辑源代码]
Samba 服务的配置文件是 /etc/samba/smb.conf
,smb.conf(5)提供了详细的文档。
samba包 软件包没有提供此文件,启动 smb.service
前需要先创建这个文件。从 Samba 的 Git 仓库 可以获取到示例文件smb.conf.default
。
- 从上面获取的默认配置文件里把日志
log file
设置到一个不能写的地方,,这会引起错误。下面的办法可以解决这个问题:- 把日志文件放到可写的路径:
log file = /var/log/samba/%m.log
- 把日志存到非文件后端的解决方案里:
logging = syslog
配合syslog only = yes
,或者使用logging = systemd
- 把日志文件放到可写的路径:
- 如果需要的话;在
[global]
部份中指定的workgroup
需要对应 Windows 工作组的名称 (默认是WORKGROUP
)。
smb.conf
文件后,运行 testparm(1) 命令看看有没有语法错误。配置防火墙[编辑 | 编辑源代码]
如果使用了 防火墙,请记得打开需要的端口(通常是 137-139 + 445). 完整列表请查看 Samba 端口使用。
使服务器可被发现[编辑 | 编辑源代码]
安装 avahi包 软件包, 然后启用/启动 avahi-daemon.service
以通过 Zeroconf 使 Samba 服务器可被发现。这应当在多数非 Windows 文件管理器上可用(macOS Finder,Linux 和 BSD 上各种基于GUI的文件管理器,等等)。
如果avahi-daemon.service
尚未运行,服务器仍可被访问,仅不可被发现,也就是说,它不会出现在文件管理器中,但你仍可直接通过 IP 或者域名连接它。
Windows 资源管理器依赖 WS-Directory 协议而非此;参见 #Windows 1709 及更高版本无法在“网络”视图中发现 Samba 服务器。
用户管理[编辑 | 编辑源代码]
添加用户[编辑 | 编辑源代码]
Samba 需要 Linux 账户才能使用 - 可以使用已有账户或 创建新用户.
虽然用户名可以和 Linux 系统共享,Samba 使用单独的密码管理,将下面的 samba_user
替换为选择的 Samba 用户:
# smbpasswd -a samba_user
根据 服务器角色 的差异,可能需要修改已有的 文件权限和属性。
要让新创建的用户仅能访问 Samba 远程文件服务器,可以禁用其它登录选项
- 禁用 shell -
usermod --shell /usr/bin/nologin --lock samba_user
- 禁用 SSH logons - /etc/ssh/sshd_config, option
AllowUsers
参阅 Security。
查询用户[编辑 | 编辑源代码]
用 pdbedit(8) 命令查询现有用户:
# pdbedit -L -v
更改 samba 用户的密码[编辑 | 编辑源代码]
用 smbpasswd
修改 samba 用户的密码:
# smbpasswd samba_user
创建共享[编辑 | 编辑源代码]
map to guest = Bad User
in the [global]
section of /etc/samba/smb.conf
. A different guest account
may be used instead of the default provided nobody
.请确保 smb.conf.default 的 Share Definitions 部分正确设置了共享。
启动服务[编辑 | 编辑源代码]
为了能够使用 SMB 进行基本的文件共享,start/enable smb.service
和 nmb.service
服务。更多信息参阅 smbd 和 nmbd 的 man 手册。
nmb.service
并不总是需要启用。
smbd.socket
,禁用 smb.service
。这样的话会在第一次收到连接请求是启动后台进程。高级配置[编辑 | 编辑源代码]
[编辑 | 编辑源代码]
Usershares 让不具有 root 权限的用户可以进行添加、修改和删除自己的文件夹的操作。参见 samba.conf(5) § USERSHARES。
以下操作将会在 /var/lib/samba
添加 usershares 目录:
# mkdir /var/lib/samba/usershares
以下操作将会建立 sambashare 用户组:
# groupadd sambashare
以下操作将会将刚刚建立的文件夹的权限:拥有者更改为 root,群组更改为 sambashare:
# chown root:sambashare /var/lib/samba/usershares
以下的操作将会让 sambashare 群组中的用户拥有读取,写入和执行此文件夹中内容的权限:
# chmod 1770 /var/lib/samba/usershares
修改 smb.conf
配置文件中的以下变量:
/etc/samba/smb.conf
... [global] usershare path = /var/lib/samba/usershares usershare max shares = 100 usershare allow guests = yes usershare owner only = yes ...
将用户添加到群组 sambashare 中。其中,替换 your_username
为实际的用户名:
# usermod -a -G sambashare your_username
重启 smb.service
和 nmb.service
服务。
注销后重新登陆,此时您应该就可以使用 GUI 程序配置您的 samba 共享服务了。例如,在 Thunar 中您可以右键点击任何一个文件夹将它在局域网中共享。如果你想共享自己主目录内的路径,需要主目录的内容让其它用户可以列出。
在命令行中,请使用下面命令,替换掉 sharename, user, ... :
# net usershare add sharename abspath [comment] [user:{R|D|F}] [guest_ok={y|n}] # net usershare delete sharename # net usershare list wildcard-sharename # net usershare info wildcard-sharename
设置/强制设置权限[编辑 | 编辑源代码]
权限可同时应用于服务器和共享:
/etc/samba/smb.conf
[global] ;inherit owner = unix only ; Inherit ownership of the parent directory for new files and directories ;inherit permissions = yes ; Inherit permissions of the parent directory for new files and directories create mask = 0664 directory mask = 2755 force create mode = 0644 force directory mode = 2755 ... [media] comment = Media share accessible by greg and pcusers path = /path/to/media valid users = greg @pcusers force group = +pcusers public = no writable = yes create mask = 0664 directory mask = 2775 force create mode = 0664 force directory mode = 2775 [public] comment = Public share where archie has write access path = /path/to/public public = yes read only = yes write list = archie printable = no [guests] comment = Allow all users to read/write path = /path/to/guests public = yes only guest = yes writable = yes printable = no
参见 smb.conf(5) 查看完整的可用权限标志和设置。
限制协议以增强安全性[编辑 | 编辑源代码]
server min protocol = SMB2_02
以保护自己免遭勒索软件攻击。在Samba 4.11及更新版本,SMB2已是默认最低协议,因此不再需要此更改。在 /etc/samba/smb.conf
中加入 server min protocol
和 server max protocol
以强制使用最小和最大版本协议;
/etc/samba/smb.conf
[global] server min protocol = SMB2_02 ; server max protocol = SMB3
参见 smb.conf(5) 中的server max protocol
部分以获取所支持协议的概述。
为了和旧版本的客户端和/或服务器兼容,你或许需要设置 client min protocol = CORE
或 server min protocol = CORE
,但请注意这将会使你易于遭受利用SMB1的攻击,包括勒索软件攻击。
server min protocol = SMB3_00
,例如,Windows 8 及之后版本。使用 mount.cifs
的客户端也许需要指定正确的 vers=*
,例如:
# mount -t cifs //SERVER/sharename /mnt/mountpoint -o username=username,password=password,iocharset=utf8,vers=3.1.1
参见 mount.cifs(8) 获取更多信息.
使用原生 SMB 传输加密[编辑 | 编辑源代码]
原生 SMB 传输加密在 SMB 3.0 及更新版本可用。支持该类型加密的客户端包括 Windows 8 以及更新版本,Windows Server 2012 及更新版本,以及 Samba 4.1 及更新版本的 smbclient。
为了默认使用原生 SMB 传输加密,全局和/或按共享设置 smb encrypt
参数。可能的值有off
, enabled
(默认值), desired
, 或 required
:
/etc/samba/smb.conf
[global] smb encrypt = desired
参见 smb.conf(5) 获取更多信息,特别是 对 SMB1 的影响 和 对 SMB2 的影响 的段落。
seal
挂载选项以强制使用加密。禁用打印机共享[编辑 | 编辑源代码]
默认情况下 Samba 共享由 CUPS 设置的打印机。
如果你不想打印机被共享,使用以下设置:
/etc/samba/smb.conf
[global] load printers = no printing = bsd printcap name = /dev/null disable spoolss = yes show add printer wizard = no
封锁 Samba 共享中的特定文件后缀[编辑 | 编辑源代码]
Samba 提供了一个选项以封锁特定模式的文件,比如文件扩展名。该选项可用于防止病毒传播或阻止用户用特定的文件浪费空间。更多关于此选项的信息可在 smb.conf(5) 找到。
/etc/samba/smb.conf
... [myshare] comment = Private path = /mnt/data read only = no veto files = /*.exe/*.com/*.dll/*.bat/*.vbs/*.tmp/*.mp3/*.avi/*.mp4/*.wmv/*.wma/
Improve throughput[编辑 | 编辑源代码]
The default settings should be sufficient for most users. However setting the 'socket options' correct can improve performance, but getting them wrong can degrade it by just as much. Test the effect before making any large changes.
Read the smb.conf(5) man page before applying any of the options listed below.
The following settings should be append to the [global]
section of /etc/samba/smb.conf
.
SMB3 multi-channel may improve performance, however it may result in data corruption under some race conditions. Future releases may improve this situation:
server multi channel support = yes
Setting a deadtime is useful to stop a server's resources being exhausted by a large number of inactive connections:
deadtime = 30
The usage of sendfile may make more efficient use of the system CPU's and cause Samba to be faster:
use sendfile = yes
The write cache allows Samba to batch client writes into a more efficient write size for RAID disks (i.e. writes may be tuned to be the RAID stripe size) and can improve performance on systems where the disk subsystem is a bottleneck but there is free memory for userspace programs:
write cache size = 262144
Setting min receivefile size allows zero-copy writes directly from network socket buffers into the filesystem buffer cache (if available). It may improve performance but user testing is recommended:
min receivefile size = 16384
Reading/writing files asynchronously may improve performance instead of using synchronously writes:
aio read size = 1 aio write size = 1
Increasing the receive/send buffers size and socket optimize flags might be useful to improve throughput. It is recommended to test each flag separately as it may cause issues on some networks:
socket options = IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT SO_RCVBUF=131072 SO_SNDBUF=131072
客户端配置[编辑 | 编辑源代码]
如果不需要查询公开的共享,可以安装轻量级的 cifs-utils包 软件包,使用 /usr/bin/mount.cifs
命令挂载共享.
要使用类似 ftp 的命令行界面,请安装软件包 smbclient包。常用命令请参考 smbclient(1)。
显示可用共享[编辑 | 编辑源代码]
下面命令会显示服务器上的可用共享:
$ smbclient -L hostname -U%
smbtree 可用显示共享目录树,不建议再有大量计算机的网络上使用此功能。可用它检查共享名是否可用。
$ smbtree -b -N
-b
(--broadcast
) 使用广播模式,-N
(-no-pass
) 不询问密码.
WINS 主机名[编辑 | 编辑源代码]
smbclient包 提供了一个用 WINS 解析主机名的驱动,要启用它,将 “wins” 添加到 /etc/nsswitch.conf
的 “hosts” 行。
手动挂载[编辑 | 编辑源代码]
创建共享挂载点:
# mkdir /mnt/mountpoint
使用 mount.cifs
作为挂载类型 type
,下面列出的选项并不是全部都需要:
# mount -t cifs //SERVER/sharename /mnt/mountpoint -o user=username,password=password,uid=username,gid=group,workgroup=workgroup,ip=serverip,iocharset=utf8
要允许用户挂载到自己可以访问的目录,请使用 users
挂载选项。
使用 uid
和 gid
挂载选项时,请注意 文件权限,否则会出现 I/O 错误。}}
SERVER
- 服务器名.
sharename
- 共享目录.
mountpoint
- 本地的挂载点.
-o [options]
- 详情请参考 mount.cifs(8).
- 结尾不要加
/
.//SERVER/sharename/
无法工作. - 如果挂载工作不稳定,出现死机和掉线问题,请尝试用
vers=
设置不同的 SMB 协议版本。例如, 挂载 Vista 用vers=2.0
. - 如果挂载了 cifs 机器上出现关机超时,请参考 wpa_supplicant#Problem with mounted network shares (cifs) and shutdown.
保存共享密码[编辑 | 编辑源代码]
不建议将密码保存在所有人都可读的文件中,一个更安全的方式是创建密码文件:
/path/to/credentials/share
username=myuser password=mypass
将 username=myuser,password=mypass
替换为 credentials=/path/to/credentials/share
.
修改密码文件的权限:
# chmod 600 /path/to/credentials/share
自动挂载[编辑 | 编辑源代码]
systemd-networkd-wait-online.service
or NetworkManager-wait-online.service
(depending on your setup) to proper enable booting on start-up.作为挂载路径[编辑 | 编辑源代码]
This is a simple example of a cifs
mount entry that requires authentication:
/etc/fstab
//SERVER/sharename /mnt/mountpoint cifs _netdev,username=myuser,password=mypass 0 0
\040
(ASCII code for space in octal). For example, //SERVER/share name
on the command line should be //SERVER/share\040name
in /etc/fstab
.x-systemd.automount
if you want them to be mounted only upon access. See Fstab#Remote file system for details.作为系统单元[编辑 | 编辑源代码]
Create a new .mount
file inside /etc/systemd/system
, e.g. mnt-myshare.mount
. See systemd.mount(5) for details.
mnt-myshare.mount
can only be used if are going to mount the share under /mnt/myshare
. Otherwise the following error might occur: systemd[1]: mnt-myshare.mount: Where= setting does not match unit name. Refusing.
.What=
path to share
Where=
path to mount the share
Options=
share mounting options
- Network mount units automatically acquire
After
dependencies on remote-fs-pre.target, network.target and network-online.target, and gain aBefore
dependency on remote-fs.target unlessnofail
mount option is set. Towards the latter aWants
unit is added as well. - Append
noauto
toOptions
preventing automatically mount during boot (unless it is pulled in by some other unit). - If you want to use a hostname for the server you want to share (instead of an IP address), add
nss-lookup.target
toAfter
andWants
. This might avoid mount errors at boot time that do not arise when testing the unit.
/etc/systemd/system/mnt-myshare.mount
[Unit] Description=Mount Share at boot [Mount] What=//server/share Where=/mnt/myshare Options=_netdev,credentials=/etc/samba/credentials/myshare,iocharset=utf8,rw Type=cifs TimeoutSec=30 [Install] WantedBy=multi-user.target
ForceUnmount=true
to [Mount]
, allowing the share to be (force-)unmounted.To use mnt-myshare.mount
, start the unit and enable it to run on system boot.
automount[编辑 | 编辑源代码]
To automatically mount a share, one may use the following automount unit:
/etc/systemd/system/mnt-myshare.automount
[Unit] Description=Automount myshare [Automount] Where=/mnt/myshare [Install] WantedBy=multi-user.target
Disable/stop the mnt-myshare.mount
unit, and enable/start mnt-myshare.automount
to automount the share when the mount path is being accessed.
smbnetfs[编辑 | 编辑源代码]
First, check if you can see all the shares you are interested in mounting:
$ smbtree -U remote_user
If that does not work, find and modify the following line
in /etc/samba/smb.conf
accordingly:
domain master = auto
Now restart smb.service
and nmb.service
.
If everything works as expected, install smbnetfs包 from the official repositories.
Then, add the following line to /etc/fuse.conf
:
user_allow_other
Now copy the directory /etc/smbnetfs/.smb
to your home directory:
$ cp -a /etc/smbnetfs/.smb ~
Then create a link to smb.conf
:
$ ln -sf /etc/samba/smb.conf ~/.smb/smb.conf
If a username and a password are required to access some of the shared folders, edit ~/.smb/smbnetfs.auth
to include one or more entries like this:
~/.smb/smbnetfs.auth
auth "hostname" "username" "password"
It is also possible to add entries for specific hosts to be mounted by smbnetfs, if necessary.
More details can be found in ~/.smb/smbnetfs.conf
.
If you are using the Dolphin or GNOME Files, you may want to add the following to ~/.smb/smbnetfs.conf
to avoid "Disk full" errors as smbnetfs by default will report 0 bytes of free space:
~/.smb/smbnetfs.conf
free_space_size 1073741824
When you are done with the configuration, you need to run
$ chmod 600 ~/.smb/smbnetfs.*
Otherwise, smbnetfs complains about 'insecure config file permissions'.
Finally, to mount your Samba network neighbourhood to a directory of your choice, call
$ smbnetfs mount_point
Daemon[编辑 | 编辑源代码]
The Arch Linux package also maintains an additional system-wide operation mode for smbnetfs. To enable it, you need to make the
said modifications in the directory /etc/smbnetfs/.smb
.
Then, you can start and/or enable the smbnetfs
daemon as usual. The system-wide mount point is at /mnt/smbnet/
.
autofs[编辑 | 编辑源代码]
See Autofs for information on the kernel-based automounter for Linux.
文件管理器配置[编辑 | 编辑源代码]
GNOME 文件、Nemo、Caja、Thunar 和 PCManFM[编辑 | 编辑源代码]
为了通过 GNOME 文件,Nemo,Caja,Thunar 或 PCManFM 访问 samba 共享,安装 gvfs-smb包 软件包,其在官方仓库可用。
按 Ctrl+l
然后在位置栏键入 smb://servername/share
以访问您的共享。
挂载的共享可能存在于文件系统中的/run/user/your_UID/gvfs
或 ~/.gvfs
。
KDE[编辑 | 编辑源代码]
KDE 有内建的浏览 Samba 共享的能力。为了使用 KDE 系统设置的 GUI,你需要安装 kdenetwork-filesharing包 软件包。
如果你在通过 Dolphin 浏览时遇到“超时”错误,你需要取消注释并修改 smb.conf 中的以下行:
name resolve order = lmhosts bcast host wins
按照 此页 所述。
其它图形环境[编辑 | 编辑源代码]
There are a number of useful programs, but they may need to have packages created for them. This can be done with the Arch package build system. The good thing about these others is that they do not require a particular environment to be installed to support them, and so they bring along less baggage.
- pyneighborhoodAUR is available in the official repositories.
- LinNeighborhood, RUmba, xffm-samba plugin for Xffm are not available in the official repositories or the AUR. As they are not officially (or even unofficially supported), they may be obsolete and may not work at all.
提示与技巧[编辑 | 编辑源代码]
[编辑 | 编辑源代码]
If nothing is known about other systems on the local network, and automated tools such as smbnetfs are not available, the following methods allow one to manually probe for Samba shares.
1. First, install the nmap包 and smbclient包 packages.
2. nmap
checks which ports are open:
# nmap -p 139 -sT "192.168.1.*"
In this case, a scan on the 192.168.1.* IP address range and port 139 has been performed, resulting in:
$ nmap -sT "192.168.1.*"
Starting nmap 3.78 ( http://www.insecure.org/nmap/ ) at 2005-02-15 11:45 PHT Interesting ports on 192.168.1.1: (The 1661 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 139/tcp open netbios-ssn 5000/tcp open UPnP Interesting ports on 192.168.1.5: (The 1662 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 6000/tcp open X11 Nmap run completed -- 256 IP addresses (2 hosts up) scanned in 7.255 seconds
The first result is another system; the second happens to be the client from where this scan was performed.
3. Now that systems with port 139 open are revealed, use nmblookup(1) to check for NetBIOS names:
$ nmblookup -A 192.168.1.1
Looking up status of 192.168.1.1 PUTER <00> - B <ACTIVE> HOMENET <00> - <GROUP> B <ACTIVE> PUTER <03> - B <ACTIVE> PUTER <20> - B <ACTIVE> HOMENET <1e> - <GROUP> B <ACTIVE> USERNAME <03> - B <ACTIVE> HOMENET <1d> - B <ACTIVE> MSBROWSE <01> - <GROUP> B <ACTIVE>
Regardless of the output, look for <20>, which shows the host with open services.
4. Use smbclient
to list which services are shared on PUTER. If prompted for a password, pressing enter should still display the list:
$ smbclient -L \\PUTER
Sharename Type Comment
---- ------- MY_MUSIC Disk SHAREDDOCS Disk PRINTER$ Disk PRINTER Printer IPC$ IPC Remote Inter Process Communication Server Comment
------- PUTER Workgroup Master
------- HOMENET PUTER
Remote control of Windows computer[编辑 | 编辑源代码]
Samba offers a set of tools for communication with Windows. These can be handy if access to a Windows computer through remote desktop is not an option, as shown by some examples.
Send shutdown command with a comment:
$ net rpc shutdown -C "comment" -I IPADDRESS -U USERNAME%PASSWORD
A forced shutdown instead can be invoked by changing -C with comment to a single -f. For a restart, only add -r, followed by a -C or -f.
Stop and start services:
$ net rpc service stop SERVICENAME -I IPADDRESS -U USERNAME%PASSWORD
To see all possible net rpc command:
$ net rpc
疑难解答[编辑 | 编辑源代码]
启动 Samba SMB/CIFS 服务器失败[编辑 | 编辑源代码]
可能的解决方法:
- 通过 testparm(1) 检查
smb.conf
中的符号问题。 - 在
/var/cache/samba/
中设置正确的权限然后重启smb.service
:
# chmod 0755 /var/cache/samba/msg
SELinux 权限问题[编辑 | 编辑源代码]
SELinux 默认不允许 samba 访问用户的家目录。为了解决此问题,运行:
# setsebool -P samba_enable_home_dirs 1
类似地,samba_export_all_ro
和 samba_export_all_rw
使 Samba 拥有读取或“读和写”所有文件的能力。
AppArmor 权限问题[编辑 | 编辑源代码]
如果使用了一个在家目录之外的共享路径,请在 /etc/apparmor.d/local/usr.sbin.smbd
中将其加入白名单。例如:
/etc/apparmor.d/local/usr.sbin.smbd
"/data/" rk, "/data/**" lrwk,
No dialect specified on mount[编辑 | 编辑源代码]
The client is using an unsupported SMB/CIFS version that is required by the server.
See #Restrict protocols for better security for more information.
Unable to overwrite files, permissions errors[编辑 | 编辑源代码]
Possible solutions:
- Append the mount option
nodfs
to the/etc/fstab
entry[损坏的链接:无效的章节]. - Add
msdfs root = no
to the[global]
section of the server's/etc/samba/smb.conf
.
[编辑 | 编辑源代码]
Set map to guest
inside the global
section of /etc/samba/smb.conf
:
map to guest = Bad User
From Samba 4.10.10 you should use Bad Password
instead Bad User
.
Windows 7 connectivity problems - mount error(12): cannot allocate memory[编辑 | 编辑源代码]
A known Windows 7 bug that causes "mount error(12): cannot allocate memory" on an otherwise perfect cifs share on the Linux end can be fixed by setting a few registry keys on the Windows box as follows:
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\LargeSystemCache
(set to1
)HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\Size
(set to3
)
Alternatively, start Command Prompt in Admin Mode and execute the following:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargeSystemCache" /t REG_DWORD /d 1 /f reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "Size" /t REG_DWORD /d 3 /f
Do one of the following for the settings to take effect:
- Restart Windows
- Restart the Server service via services.msc
- From the Command Prompt run: 'net stop lanmanserver' and 'net start lanmanserver' - The server may automatically restart after stopping it.
Windows 10 1709 和更高版本的连接性问题 - "Windows cannot access" 0x80004005[编辑 | 编辑源代码]
This error affects some machines running Windows 10 version 1709 and later. It is not related to SMB1 being disabled in this version but to the fact that Microsoft disabled insecure logons for guests on this version for some, but not others.
To fix, open Group Policy Editor (gpedit.msc
). Navigate to Computer configuration\administrative templates\network\Lanman Workstation > Enable insecure guest logons and enable it.
Alternatively,change the following value in the registry:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters] "AllowInsecureGuestAuth"=dword:1
Error: Failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL[编辑 | 编辑源代码]
If you are a home user and using samba purely for file sharing from a server or NAS, you are probably not interested in sharing printers through it. If so, you can prevent this error from occurring by adding the following lines to your /etc/samba/smb.conf
:
/etc/samba/smb.conf
[global] load printers = No printing = bsd printcap name = /dev/null disable spoolss = Yes
Restart the samba service, smb.service
, and then check your logs:
# cat /var/log/samba/smbd.log
and the error should now no longer be appearing.
Sharing a folder fails[编辑 | 编辑源代码]
It means that while you are sharing a folder from Dolphin (file manager) and everything seems ok at first, after restarting Dolphin the share icon is gone from the shared folder, and also some output like this in terminal (Konsole) output:
‘net usershare’ returned error 255: net usershare: usershares are currently disabled
To fix it, enable usershare as described in #建立 Usershare 路径.
[编辑 | 编辑源代码]
And you are using a firewall (iptables) because you do not trust your local (school, university, hotel) network. This may be due to the following: When the smbclient is browsing the local network it sends out a broadcast request on udp port 137. The servers on the network then reply to your client but as the source address of this reply is different from the destination address iptables saw when sending the request for the listing out, iptables will not recognize the reply as being "ESTABLISHED" or "RELATED", and hence the packet is dropped. A possible solution is to add:
iptables -t raw -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns
to your iptables setup.
Protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE[编辑 | 编辑源代码]
The client probably does not have access to shares. Make sure clients' IP address is in hosts allow =
line in /etc/samba/smb.conf
.
Another problem could be, that the client uses an invalid protocol version. To check this try to connect with the smbclient
where you specify the maximum protocol version manually:
$ smbclient -U <user name> -L //<server name> -m <protocol version: e. g. SMB2> -W <domain name>
If the command was successful then create a configuration file:
~/.smb/smb.conf
[global] workgroup = <domain name> client max protocol = SMB2
Connection to SERVER failed: (Error NT_STATUS_UNSUCCESSFUL)[编辑 | 编辑源代码]
You are probably passing a wrong server name to smbclient
. To find out the server name, run hostnamectl
on the server and look at "Transient hostname" line
Connection to SERVER failed: (Error NT_STATUS_CONNECTION_REFUSED)[编辑 | 编辑源代码]
Make sure that the server has started. The shared directories should exist and be accessible.
Protocol negotiation failed: NT_STATUS_CONNECTION_RESET[编辑 | 编辑源代码]
Probably the server is configured not to accept protocol SMB1. Add option client max protocol = SMB2
in /etc/samba/smb.conf
.
Or just pass argument -m SMB2
to smbclient
.
Password Error when correct credentials are given (error 1326)[编辑 | 编辑源代码]
Samba 4.5 has NTLMv1 authentication disabled by default. It is recommend to install the latest available upgrades on clients and deny access for unsupported clients.
If you still need support for very old clients without NTLMv2 support (e.g. Windows XP), it is possible force enable NTLMv1, although this is not recommend for security reasons:
/etc/samba/smb.conf
[global] lanman auth = yes ntlm auth = yes
If NTLMv2 clients are unable to authenticate when NTLMv1 has been enabled, create the following file on the client:
/home/user/.smb/smb.conf
[global] sec = ntlmv2 client ntlmv2 auth = yes
This change also affects samba shares mounted with mount.cifs. If after upgrade to Samba 4.5 your mount fails, add the sec=ntlmssp option to your mount command, e.g.
mount.cifs //server/share /mnt/point -o sec=ntlmssp,...
See the mount.cifs(8) man page: ntlmssp - Use NTLMv2 password hashing encapsulated in Raw NTLMSSP message. The default in mainline kernel versions prior to v3.8 was sec=ntlm. In v3.8, the default was changed to sec=ntlmssp.
Mapping reserved Windows characters[编辑 | 编辑源代码]
Starting with kernel 3.18, the cifs module uses the "mapposix" option by default.
When mounting a share using unix extensions and a default Samba configuration, files and directories containing one of the seven reserved Windows characters : \ * < > ?
are listed but cannot be accessed.
Possible solutions are:
- Use the undocumented
nomapposix
mount option for cifs
# mount.cifs //server/share /mnt/point -o nomapposix
- Configure Samba to remap
mapposix
("SFM", Services for Mac) style characters to the correct native ones using fruit
/etc/samba/smb.conf
[global] vfs objects = catia fruit fruit:encoding = native
- Manually remap forbidden characters using catia
/etc/samba/smb.conf
[global] vfs objects = catia catia:mappings = 0x22:0xf022, 0x2a:0xf02a, 0x2f:0xf02f, 0x3a:0xf03a, 0x3c:0xf03c, 0x3e:0xf03e, 0x3f:0xf03f, 0x5c:0xf05c, 0x7c:0xf07c, 0x20:0xf020
The latter approach (using catia or fruit) has the drawback of filtering files with unprintable characters.
[编辑 | 编辑源代码]
This section presupposes:
- Usershares are configured following previous section
- A shared folder has been created as a non-root user from GUI
- Guests access has been set to shared folder during creation
- Samba service has been restarted at least once since last
/etc/samba/smb.conf
file modification
For clarification purpose only, in the following sub-sections is assumed:
- Shared folder is located inside user home directory path (
/home/yourUser/Shared
) - Shared folder name is MySharedFiles
- Guest access is read-only.
- Windows users will access shared folder content without login prompt
Verify correct samba configuration[编辑 | 编辑源代码]
Run the following command from a terminal to test configuration file correctness:
$ testparm
[编辑 | 编辑源代码]
Run the following commands from a terminal:
$ cd /var/lib/samba/usershare $ ls
If everything is fine, you will notice a file named mysharedfiles
Read the file contents using the following command:
$ cat mysharedfiles
The terminal output should display something like this:
/var/lib/samba/usershare/mysharedfiles
path=/home/yourUser/Shared comment= usershare_acl=S-1-1-0:r guest_ok=y sharename=MySharedFiles
Verify folder access by guest[编辑 | 编辑源代码]
Run the following command from a terminal. If prompted for a password, just press Enter:
$ smbclient -L localhost
If everything is fine, MySharedFiles should be displayed under Sharename
column
Run the following command in order to access the shared folder as guest (anonymous login)
$ smbclient -N //localhost/MySharedFiles
If everything is fine samba client prompt will be displayed:
smb: \>
From samba prompt verify guest can list directory contents:
smb: \> ls
If NTFS_STATUS_ACCESS_DENIED
error displayed, probably there is something to be solved at directory permission level.
Run the following commands as root to set correct permissions for folders:
# cd /home # chmod -R 755 /home/yourUser/Shared
Access shared folder again as guest to be sure guest read access error has been solved.
Mount error: Host is down[编辑 | 编辑源代码]
This error might be seen when mounting shares of Synology NAS servers. Use the mount option vers=1.0
to solve it.
Software caused connection abort[编辑 | 编辑源代码]
File managers that utilizes gvfs-smb包 can show the error Software caused connection abort
when writing a file to a share/server. This may be due to the server running SMB/CIFS version 1, which many routers use for USB drive sharing (e.g. Belkin routers). To write to these shares specify the CIFS version with the option vers=1.0
. E.g.:
/etc/fstab
//SERVER/sharename /mnt/mountpoint cifs _netdev,guest,file_mode=0777,dir_mode=0777,vers=1.0 0 0
This can also happen after updating Samba to version 4.11, which deactivates SMB1 as default, and accessing any Samba share. You can reenable it by adding
/etc/samba/smb.conf
[global] client min protocol = CORE
Connection problem (due to authentification error)[编辑 | 编辑源代码]
Be sure that you do not leave any space characters before your username in Samba client configuration file as follows:
~/.samba
username= user password=pass
The correct format is:
~/.samba
username=user password=pass
Windows 1709 及更高版本无法在“网络”视图中发现 Samba 服务器[编辑 | 编辑源代码]
随着Windows 10 1511版本的推出,对SMBv1的支持以及由此的NetBIOS设备发现被默认禁用。根据实际的版本,从1709版本("秋季创意者更新")开始的后期Windows版本不允许再安装SMBv1客户端。这导致运行Samba的主机不能在资源管理器的 "网络(网上邻居)"视图中列出。虽然并无连接问题,而且Samba仍然可以正常运行,但用户可能想让他们的Samba主机被Windows自动列出。wsddAUR 实现了一个 Web Service Discovery 宿主守护进程。这使得(Samba)主机,比方说你的本地NAS设备,能够被像Windows这样的Web服务发现客户端找到。默认设置应该适用于大多数安装,你所需要做的就是启动/启用 wsdd.service
。
默认配置(在组 "WORKGROUP "中使用机器主机名公示自己)在大多数情况下应该是你所需要的全部。如果你有需要,你可以通过在 /etc/conf.d/wsdd
中添加额外的参数来改变配置选项(详见wsdd的手册页)。
wsdd2AUR完成同样的工作,但它是用 C 语言而不是 Python 编写的。默认情况下,它将在 smb.conf
中寻找 netbios name
和 workgroup
值。
更多参考[编辑 | 编辑源代码]
- Official website
- Samba: An Introduction
- Samba 3.2.x HOWTO and Reference Guide (outdated but still most extensive documentation)
- Wikipedia
- Gentoo:Samba/Guide
- Debian:SambaServerSimple