• Ubuntu
• Swerdna
• openSUSE
• Open Source
• Open Sauce

Here are in-page links to the focus areas:

• • Checking Software and Other Preliminaries
• • How to Edit, Backup and Restore Samba's Configuration File
• • Setting up a Samba Client (Browsing Only)
• • Setting up a Samba Server (Browsing and Sharing)
• • Permission to Access Ubuntu Shares
• • Enhanced Browsing with a Local Master Browser
• • Summary Browse Master Recipes for smb.conf
• • Opening the UFW Firewall for Samba
• • Activating your Changes
• • Appendix: Printers

↑↑↑↑Checking Software and Other Preliminaries

Samba software: Samba comes with a lot of functions, the chief of them being Samba client and Samba server. Samba client is installed by default but Samba server is not. For a fully functional workstation that shares and receives resources on a small business workgroup or a home LAN, you need packages smbclient, libsmbclient, samba-common, nautilus-share and samba. All except package samba are installed by default.

You can quickly check if all are installed by opening a Gnome terminal and running this command:

You should get a return listing the packages in the terminal window like this:

You can install any missing packages via System --> Administration --> Synaptic Package Manager.
[In Kubuntu GoTo: System Settings --> General --> Add and Remove Software].

Temporarily disable firewalls: if you've installed and/or activated any firewall manipulation tool like Firestarter, Gufu, Shorewall etc, disable it for the time being because it can easily complicate your efforts to diagnose Samba communications problems. The default (K)Ubuntu firewall, ufw (=uncomplicated firewall), is installed in the "inactive" state. Check the current status with this terminal command: sudo ufw status and if necessary disable it while you configure Samba with this command: sudo ufw disable. Later you can switch ufw back on with this: sudo ufw enable. The ufw firewall for Samba is discussed at length later in this tutorial.

Check the Samba daemons: two programs run in the background, nmbd and smbd, to control Samba. Check that these daemons are running with this terminal command: sudo /etc/init.d/samba status and if necessary start them with this command: sudo /etc/init.d/samba start. If you need to set them to start at boot time, use the tool located at System --> Administration --> Services --> Unlock --> Folder sharing service (Samba): enable via the check box.

↑↑↑↑How to Edit, Backup and Restore Samba's Configuration File

Samba is controlled by a text file called smb.conf stored at /etc/samba/smb.conf. It's made up of paragraphs separated by headings enclosed in square brackets, one for the global settings and one each shared resource (like a file share or a printer share). I've linked the Ubuntu/Kubuntu default smb.conf file for you to examine. Many people wish they had a copy of the original after they've been experimenting with modifying their Samba configuration, so I linked it as a reference should you wish to restore yours in the future.

It's extremely complicated as you can see, filled with comments, advice and templates. It's far more than you want for a SOHO LAN. You need to create a working version that's optimised for your situation and that's done by editing the smb.conf file. (FYI here's the same default file with all the comments removed so you can see the real content.)

Backing up smb.conf: The file smb.conf is located in the directory /etc/samba/, so you can easily make a copy of the original smb.conf or of any modified version of smb.conf with this copy command:

That will copy it to the file smb.conf.backup in /etc/samba/. There's nothing special about the name I used here. Use any naming convention you like for the backup file or files you might create from time to time.

Editing smb.conf: the Samba web administration tool (SWAT) can be installed from the standard repositories. You can edit the file smb.conf with SWAT. Install if via System --> Administration --> Synaptic Package Manager. Caution: if you run SWAT, it will delete all comments and default entries from the file smb.conf, so be sure to make a backup copy for reference purposes as outlined above, before you run SWAT.

I don't like SWAT for setting up simple LANs. It's an overly complex way to edit the text file smb.conf for simple situations. Instead it's better to edit by hand using copy/paste/typing in the excellent GUI editors provided in Ubuntu & Kubuntu. These commands in a terminal window will open smb.conf for editing:

Restoring smb.conf. Let's recap. Here's the default installed smb.conf: factory-fresh smb.conf file and here's the content with the comments removed: comment free version. If you want to restore the smb.conf file to the default values at any time, you can open the file smb.conf in an editor as outlined above and simply use copy/paste to overwrite it's current contents with either of the default versions that I've put in this paragraph as references. Samba ignores commented lines, so both reference versions are exactly the same from an operational viewpoint.

↑↑↑↑Setting up a Samba Client (Browsing Only)

A Samba Client is a workstation that can see the shares on other workstations but does not share resources to other workstations. In a SOHO LAN situation, a pure Samba Client is rare because members generally like to share files around the LAN. The configuration that I set out below will enable a Samba client but it is also set to enable file sharing with minimum extra effort.

You configure your workstation as a Samba Client with two simple steps. First, you back up the existing copy of smb.con as detailed above. Second, open up the file smb.conf for editing with Gedit or Kate as detailed above, delete all content and paste in the following text:

• Notes:
• • WORKGROUP_NAME must be the same on every machine on the LAN. Rename it appropriately (to match).
• • Change NETBIOS_NAME to a unique name that will identify this computer on the LAN

Now you restart Samba's operating daemons with this command in a terminal window:

Tip: you may have to wait a while for LAN information to get to your Samba Client, a few minutes; if the other computers are badly configured you might have to restart all machines, routers, network devices etc. You can then access the shares in Nautilus by clicking Places --> Network (left column) and then drill down on the icons in the right panel. Alternatively add this address into your network browser: smb:///

↑↑↑↑Setting up a Samba Server (Browsing and Sharing)

Once again you back up your existing smb.conf file and then edit it with the Ubuntu editor sudo gedit or the Kubuntu variant sudo kate (see above). Then paste the [global] stanza I've set out below into smb.conf:

Note: Samba Server requires that the workgroup name (e.g. WORKGROUP_NAME) must be the same in every workstation and that the NETBIOS_NAME, which is the network name of the workstation on the LAN, must be unique. This was required for Samba Client too.

By now you're probably saying: "which should I use? Samba Server's smb.conf or Samba Client's smb.conf? The "client" version is for when you don't want to share anything from the workstation. The "server" version is for when you do want to share from the workstation, or might want to share in the future. The "server" version does both jobs, "client" and "server". If in doubt: just use the server version; I always use it.

Adding file shares: so far you've got an empty shell in smb.conf, just infrastructure. If you want to share file you must add them to your configuration. There are two sorts of shares: classical shares and usershares.

Classical shares are configured by putting a stanza containing the share's settings into smb.conf. You use SWAT (not recommended) or the simple GUI editor (Gedit or Kate) to make classical shares.

A read-write share with guest access: This share can be accessed by anyone on the network without the need to authenticate with username/password. If you want to share the directory shared_directory located at /path_to/shared_directory and you want it to appear on the network with the name share_name, then put this code in the file smb.conf:

The force user parameter is a simple administrative device that causes all files created or deposited in the shared directory to be owned by a common user, e.g. a_user. The user a_user is someone who is a real Linux user on the workstation, perhaps but not necessarily yourself. You must change the ownership of the directory shared_directory to a_user. Normal permissions on the directory share are drwxr-xr-x (chmod 755). These two commands will create the correct permissions and ownership for the shared directory:

• Notes:
• • You can impose tighter security by making the shared directory drwxr-x--- (chmod 750).
• • If you intend for this share to be mounted on Windows clients as a cifs mapped drive with world-writeable access, life will be easier if you relax the permissions to drwxrwxrwx (chmod 777)
• • To make a read-only share, leave out the lines beginning force user and read only.

[homes] Users' Roaming Shares: This share allows access with full read/write permissions to users logged onto either Windows or Linux clients on the LAN. You need to supply your Linux username and Samba password to access the share. It's called "roaming" because you can roam around the LAN and access your home on the server from all computers.

For users logged onto client machines with usernames matching a username on the Ubuntu server: In Windows you can sometimes see the share as an icon named for your Linux username. Whether you see the icon depends on your transaction history with the server earlier that session. If you can see it, drill down into the share. If you can't see it then use an address like this in the Windows network browser: \\server_name\linux_username.

On the linux client you do not initially see the share as an icon as you sometimes do in Windows. Instead you always address the share in your browser by its netBIOS name; e,g, smb://server_name/linux_username. You can use the IP address instead of "server_name" in the address line. This is a fine share for users who like to keep their work on one server but access it from many machines.

Users logged onto client computers with usernames different from the Linux owners of the shares can't see the Roaming shares.

You must use your Linux username and Samba password to access your Roaming Share. See how to add your Linux username and Samba password to the Samba user database below in the section Permission to Access Ubuntu Shares.

Usershares are configured by putting a file containing the share's settings into the directory /var/lib/samba/usershares. This is done automatically for you when you make a usershare with the Right-click sharing tool in the Nautilus file manager. To make a usershare, open Nautilus and browse to the folder that you want to share. Right-click on it and select "Sharing Options". The sharing facility opens up:

To share the folder, put a tick in the first option "share this folder" and write a name of your choice its network name in "Share name".

The next option gives a choice between read-only and read-write access.

The final option is whether to allow users access or alternatively to require usernames and passwords for access.

Configuration files for these shares are stored in directory /var/lib/samba/usershares, not in smb.conf.

↑↑↑↑Permission to Access Ubuntu Shares

Some of the shares discussed here require that the file server where they reside has users added to the Samba user database. Once members are added to the Samba user database, users can access shares that require authentication, by responding to the password prompt with the user's credentials. You can only add users into the Samba user database if they already exist as Linux users on the server.

To check who already exist in the Samba user database you issue this command in a terminal:

To add members. e.g. fiona, issue this command in a terminal:

[fiona must be already an Ubuntu user before before you can add her to the Samba user database]

To remove members. e.g. William, issue this command:

↑↑↑↑Enhance Browsing with a Local Master Browser

Many report that creating a Local Master Browser (LMB) radically enhances browsing on the SOHO workgroup. The LMB's job is to collate the name and address pairs [netBIOS name -vs- IP address] for workstations and serve them to the other LAN members. Add these three lines into the [global] paragraph of the Samba configuration file, smb.conf, to create the LMB:

Reboot all machines in the LAN and wait for a time for the effects to settle in. Network browsing should be significantly enhanced. Each Linux computer can be set to be a Local Master Browser using the 3-line code fragment in the [global] stanza.

Optional enhancement: You can set one Local Master in the LAN to be stronger yet by making it the "Preferred Master". This is entirely optional and is for advanced users. If you are in doubt, leave it. The Preferred Master forces an election to ensure it will be the Browse Master. A computer that is designated "Preferred Master" is either the only Linux machine on the LAN or if there are several Linux computers, it is a community resource that is always on, like a group document server at work or a family printer server at home.

The recipe for Preferred Master is to use the following three lines in the place of the three mentioned just above:

Guidelines: You should make each Linux machine a Local Master. One special machine may optionally be designated the Preferred Master. Only one Preferred Master is allowed on each SOHO LAN. It does not matter if you do not make a Preferred Master at all.

↑↑↑↑Summary Browse Master Recipes for smb.conf

There are many ways to change Samba's configuration. It's hard to remember what smb.conf should look like or did look like before changes were made. So here are a few recipes for the [global] parameters in smb.conf based on Local Master Browser techniques. Remember, at the outset you should make a backup of smb.conf. Then you can edit it with sudo gedit or sudo kate.

And you can compare and make changes based on these recommended templates for the [global] parameters (follow the links):

• Local Master Browser and Preferred Master Browser concurrently
• Local Master Browser but not the Preferred Master
• In the lap of the gods

Which one should you use? If you have a single Linux workstation with or without shares, I recommend I. For two or more Linux workstations where there's no reason to choose between them, I recommend II for both. For two or more Linux workstations where one is a dedicated server, I recommend I for the dedicated server and II for the rest. If you just don't know what to do, or you don't want to use the LMB setup, I recommend III.

↑↑↑↑Opening the UFW Firewall for Samba

The default Ubuntu firewall is ufw (= uncomplicated firewall). The default state for the firewall is "disabled", i.e. open to everything. It's a very wise idea to firewall workstations.

Samba uses the following ports for workgroup communications: TCP 139, TCP 445, UDP 137 and UDP 138. If you're connecting in a domain environment you can include TCP 135, which is not used in a Workgroup (i.e. not in a SOHO LAN). You will see on the Net various ways to add firewall rules for these ports so Samba can traverse the ufw firewall. The method I give here is a very secure method. It opens the Samba workgroup ports only for the IP address range used on your Samba LAN. Here is a simple four step recipe for configuring Ubuntu's ufw firewall for Samba.

Step 1: Turn on the ufw firewall

Here are some simple commands for manipulating ufw:

• • sudo ufw status: show the status of the firewall and list installed rules
• • sudo ufw disable: unload ufw and disable it at boot time too
• • sudo ufw enable: reload ufw and set it to load at boot time too

So switch it on permanently with the sudo ufw enable command.

Step 2: Turn on kernel connection tracking for Samba

The kernel has network connection tracking modules. The module for netbios-ns (UDP port 137) is not loaded by default. You must turn it on for Samba to penetrate the ufw firewall. The ufw default configuration file is /etc/default/ufw. Open it in a superuser text editor with this command: gksu gedit /etc/default/ufw. Locate this line towards the end of the file:

Add this fragment: nf_conntrack_netbios_ns, so it becomes like this:

save the file and reload the firewall to activate the change, with this terminal command: sudo ufw reload.

Step 3: Discover your Trusted Network

Your LAN communicates using a subnet of IP addresses like this example: 192.168.33,x where x takes values 1, 2, 3, and so on. The shorthand abbreviation for this whole range is 192.168.33.0/24. You want to allow the whole range through the firewall, so in that sense your so-called "Trusted Network" is 192.168.33.0/24 for this particular example. Take another example: maybe your IP address is 10.0.22.6. That means the workstations on your LAN would have IP addresses in the series 10.0.22.x where x takes values 1, 2, 3, and so on. Hence the Trusted Net is written as 10.0.22.0/24 for the LAN.

Let's run through it one more time from beginning to end, using my LAN. I first check my IP address with this terminal command: sudo ifconfig | grep Bcast. Here's the dialogue I get:

I've highlighted the IP address in red, 192.168.29.130, so the Trusted Net for my LAN is 192.168.29.0/24.

Step 4: Add firewall rules for Samba ports & your Trusted Network

Once you've figured out your Trusted Net, you add four firewall rules for ufw with these four console commands:

Of course, you modify "192.168.29.0/24" to match your situation.

Step 5: Check the configuration

You can interrogate ufw by running the command sudo ufw status. [If necessary reload ufw with command sudo ufw enable.] The "status" interrogation should yield a result like this:

Some people like to install and use the GUI interface for ufw, called Gufw. For your interest I've included a screenshot of Gufw when the rules have been added properly from the command line using the method in the code boxes above.

If you find you've made a mistake and need to re-do one or more of the rules, you can remove a rule using the delete command as in the example below (c.f. the top rule in the codebox above):

Gufu screenshots: Some people just hate the command line. They might be interested in these screenshots of installing the four rules using the GUI front end for ufw: TCP 139, TCP 445, UDP 137, UDP 138.

Firewall reference: UFW rules

↑↑↑↑Activating Your Changes

When you alter a Samba networking setting or a firewall setting, you have to restart the programmes that are affected by the alterations. You can restart the Samba daemons (nmbd and smbd) with this command in a terminal: sudo /etc/init.d/samba restart

Network changes take a while to "seep" around your network. Maybe 5-10 minutes. I find rebooting helps in extreme cases, or a beer/coffee/orangejuice.

Big Tip: Sometimes I have to reboot everything including routers and modems to shake some problems loose, just like with Windows networks.

Remember also to reactivate the firewall when necessary with this command: sudo ufw enable (or reload, as the case may be).

End of story (almost)

I use the Official Samba-3 HowTo & Reference Guide
List of ports for Samba:according to the Samba team.

Hope this Tutorial makes life a bit easier for you.
Swerdna: July 16 2009.

↑↑↑↑APPENDIX: Printers

I will only cover the essential contents of smb.conf for sharing printers. The full implementation is covered elsewhere.

Include the six lines on the left into the [global] stanza of smb.conf.

In addition, introduce two more stanzas into smb.conf, following the next two templates. The [printers] stanza shares all printers and the [print$] stanza is expected by Windows clients in search of downloadable printer drivers.

Articles Index