Managing Samba in Oracle Linux
For information about local file system management in Oracle Linux, see Oracle
Linux 9: Managing Local File Systems.
About Samba
Samba is an open-source implementation of the Server Message Block (SMB)
protocol that enables Oracle Linux to interoperate with clients that are running
different operating systems, including Windows, other Linux flavors, and macOS.
You can configure Samba to share both file and print resources from a Linux server.
For example, you might use Samba to configure a Linux host to create a file share
location that Windows users on the network can access using the following syntax:
\\samba_server\share_name
Note: The format of the location path can vary depending upon the client
operating system. For example, on Unix and Linux based operating systems,
including macOS, the path format may appear as follows:
smb://samba_server/share_name.
Samba includes capability for integrating with a Windows workgroup and an Active
Directory (AD) domain.
Samba uses the NetBIOS over TCP/IP protocol, which allows computer applications
that depend on the NetBIOS API to work on TCP/IP networks.
smb Service
The smb service enables file sharing and printing services by using the SMB
protocol. This service is also responsible for resource locking and for authenticating
connecting users.
The smb systemd service starts and stops the smbd daemon. The following is an
example command:
https://docs.oracle.com/en/operating-systems/oracle-linux/9/shareadmin/shareadmin-ManagingSambainOracleLinux.html#topic_uxh_c… 1/15
9/22/23, 3:15 PM Managing Samba in Oracle Linux
To use the smbd service, you need to install the samba package on your system.
nmb Service
The nmb (NetBIOS Message Block) service provides host name and IP resolution by
using the NetBIOS over IPv4 protocol. The nmb service also enables browsing of the
SMB network to locate domains, workgroups, hosts, file shares, and printers.
The nmb systemd service starts and stops the nmbd daemon. The following is an
example command:
To use the nmbd service, you need to install the samba package on your system.
winbind Service
The winbind service is a Name Service Switch (NSS) daemon for resolving AD
Users and Groups. The daemon enables AD Users to securely access services that
are hosted on the Samba server.
The winbind systemd service starts and stops the winbindd daemon. The
following is an example command:
Note: If you are setting up Samba as a domain member, you must start the
winbind service before starting the smb service. Otherwise, domain users
and groups are not available to the local system.
The smb.conf file consists of several sections that you can configure to support
the required services for a specific Samba configuration. Consider the following
sample extract from an smb.conf file:
[homes]
comment = User home directories
path = /data/pchome/%S
valid users = %S, WWW.EXAMPLE.COM\%S
browsable = no
read only = no
guest ok = no
[printers]
comment = All Printers
path = /var/spool/samba
printable = yes
[test_share]
comment = Shared /usr/local/test_share directory created for
path = /usr/local/test_share
valid users = @examplegroup
browsable = yes
read only = no
The following list describes the sections in the preceding configuration example:
[global]
In the preceding example, the security parameter value of ADS means the server
is a member of an AD domain that is running in native mode. In this scenario,
Samba relies on tickets issued by the Kerberos server to authenticate clients who
want to access local services.
[homes]
The [homes] section provides a personal share for users that log onto the Samba
server. In the example, the location of each user's home directory is set by the line
path = /data/pchome/%S (the %S macro will be substituted with the user
name). The settings for browsable = no and read only = no prevent other
users from browsing home directories, while allowing full access to valid users.
[printers]
Specifies support for print services. The path parameter specifies the location of a
spooling directory that receives print jobs from Windows clients before submitting
them to the local print spooler.
[test_share]
You use the testparm program to validate a Samba configuration file after making
configuration changes. The testparm program detects invalid parameters and
Note: testparm checks a configuration file for internal correctness only. The
testparm command is not capable of testing whether configured services
will be available or work as expected.
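Because testparm checks only internal correctness, a check of access-control settings such as valid users, guest ok, and read only has to be scripted separately. The following added example (not part of the Oracle documentation) reads smb.conf text and flags shares that allow guest access or are writable without a valid users restriction; the policy, the function names, and the RISKY_SAMPLE shares are assumptions made for illustration.

```python
def on(params, key, default="no"):
    return params.get(key, default).lower() in {"yes", "true", "on", "1"}

def parse_sections(conf_text):
    # Minimal smb.conf reader: {section: {parameter: value}}, names lowercased.
    sections, current = {}, None
    for line in map(str.strip, conf_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and line[0] not in "#;" and current is not None:
            key, _, value = line.partition("=")
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def audit_shares(conf_text):
    # Example policy (an assumption, not Samba's): no guest shares, and every
    # writable share must restrict access with "valid users".
    sections = parse_sections(conf_text)
    defaults = sections.get("global", {})   # [global] supplies share defaults
    findings = []
    for name, params in sections.items():
        if name == "global":
            continue
        eff = {**defaults, **params}
        writable = on(eff, "writable") or not on(eff, "read only", "yes")
        if on(eff, "guest ok") or on(eff, "public"):
            findings.append((name, "guest access enabled"))
        if writable and "valid users" not in eff:
            findings.append((name, "writable with no valid users restriction"))
    return findings

# Access-control lines of the sample extract shown on this page.
PAGE_SAMPLE = r"""[homes]
valid users = %S, WWW.EXAMPLE.COM\%S
read only = no
guest ok = no
[printers]
printable = yes
[test_share]
valid users = @examplegroup
read only = no
"""

# Constructed risky shares (hypothetical names).
RISKY_SAMPLE = """[scratch]
read only = no
guest ok = yes
[reports]
writable = yes
"""
```

The sample extract from this page produces no findings; both constructed shares are reported.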
The following example shows how you might use the command to test a copy of
the file you are working on:
If, instead of a copy, you want to test the default Samba configuration file, you do
not have to specify the file as a parameter. You can simply run testparm as follows:
You can also manually request a reload, for example by using the
smbcontrol all reload-config command.
The frequent reloading of configuration values does not give you much time to
validate any changes you are planning to make to /etc/samba/smb.conf.
Therefore, it is best practice to first test your changes on a copy of the configuration
file. The following steps describe how you might do this:
sudo cp /etc/samba/smb.conf /etc/samba/samba.conf.myc
2. Edit the copy of the file after opening it in an editor of your choice, for
example vi:
4. Overwrite the original file with the copy you have validated:
sudo mv /etc/samba/samba.conf.my_copy /etc/samba/smb
The following sections give an overview of different roles you can configure for your
Samba server.
Standalone
You can configure the Samba server role as a standalone server in small networks,
for instance peer-to-peer workgroups, where the server is not required to be part of
a domain.
A Samba Account
In a standalone configuration, Samba authenticates users to a local
database rather than a domain controller. You use the Samba smbpasswd
command to create such accounts.
In addition to authenticated access, you can also enable guest access to allow users
to connect to some services without authentication.
Installation of Kerberos
Linux assigns unique GID and UID numbers to groups and users, whereas Windows
uses a Security Identifier (SID) value for each user and group.
The winbind service maintains the necessary mapping of each Linux GID and UID to
its corresponding Windows SID. However, you are responsible for specifying which
of the available mapping methods, or back ends as they are called in Samba, are to
be used for this mapping.
You configure the mapping in the [global] section of the Samba configuration
file /etc/samba/smb.conf.
#..........................................
# Using rid backend to map EXAMPLE.COM users
# UID/GID range 10000-49999
#..........................................
idmap config EXAMPLE.COM : backend = rid
idmap config EXAMPLE.COM : range = 10000-49999
#..........................................
# Using rid backend to map EXAMPLE.NET users
# UID/GID range 50000-99999
#..........................................
idmap config EXAMPLE.NET : backend = rid
idmap config EXAMPLE.NET : range = 50000-99999
The preceding example extract shows the following configurations:
The Samba server is a member of the EXAMPLE.COM AD domain and uses
the rid backend to map SIDs belonging to that domain. The backend is
authoritative for those SIDs that the rid method translates to UIDs and
GIDs within the range specified in the file (10000-49999).
The Samba server also provides share access to a trusted AD domain
EXAMPLE.NET. The trusted domain is also configured to use the rid
backend. The range for EXAMPLE.NET is 50000-99999.
The default * domain uses backend tdb. The tdb range is specified as
1000000-2000000.
WARNING:
ID ranges must not overlap.
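The overlap rule can be checked mechanically before a configuration is deployed. This added example (not Oracle's or Samba's code) extracts every idmap config range line and reports domains whose ranges intersect; the function names and the BAD_CONF sample are constructed for illustration, and the ranges in PAGE_CONF are the ones stated above.

```python
import re
from itertools import combinations

# Matches e.g. "idmap config EXAMPLE.COM : range = 10000-49999".
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.IGNORECASE,
)

def parse_idmap_ranges(conf_text):
    """Return {domain: (low, high)} for each 'idmap config ... : range' line."""
    ranges = {}
    for line in conf_text.splitlines():
        match = RANGE_RE.match(line)   # comment lines never match the pattern
        if match:
            domain, low, high = match[1], int(match[2]), int(match[3])
            if low > high:
                raise ValueError(f"inverted range for {domain}: {low}-{high}")
            ranges[domain] = (low, high)
    return ranges

def find_overlaps(ranges):
    """Return (domain_a, domain_b) pairs whose closed ID ranges intersect."""
    pairs = combinations(sorted(ranges.items()), 2)
    return [(a, b) for (a, (alo, ahi)), (b, (blo, bhi)) in pairs
            if alo <= bhi and blo <= ahi]

# Ranges stated on this page: no overlap expected.
PAGE_CONF = """
idmap config * : backend = tdb
idmap config * : range = 1000000-2000000
idmap config EXAMPLE.COM : backend = rid
idmap config EXAMPLE.COM : range = 10000-49999
idmap config EXAMPLE.NET : backend = rid
idmap config EXAMPLE.NET : range = 50000-99999
"""

# Constructed misconfiguration: EXAMPLE.NET starts inside EXAMPLE.COM's range.
BAD_CONF = PAGE_CONF.replace("50000-99999", "40000-99999")

if __name__ == "__main__":
    for label, conf in (("page", PAGE_CONF), ("constructed", BAD_CONF)):
        print(label, find_overlaps(parse_idmap_ranges(conf)) or "no overlaps")
```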
The following sections give a further overview on using the different backends to
configure ID Mapping for domains.
The default domain includes Samba built-in accounts and groups, such as
BUILTIN\Administrators.
The following table describes the most commonly used back ends and their
different use cases.
The following sections give an overview of the back ends listed in the preceding
table.
The tdb back end is the default back end used by winbindd for storing Security
Identifier (SID), UID, and GID mapping tables.
The tdb back end must only be used for the * default domain.
The default domain includes Samba built-in accounts and groups, such as
BUILTIN\Administrators.
The tdb back end is a writeable backend that needs to allocate new user and group
IDs to create new mappings.
The ad backend enables winbind to read the ID mappings from an AD server that
uses RFC2307 schema extensions.
For example, when using the ad backend, you set a user’s Linux UID number by
entering its value in their AD account’s uidNumber attribute.
Some of the attributes you set in the Windows AD Server are listed in the following
table's first column together with the corresponding Linux value each one maps to
in the second column:
Table 4-2 Table showing some of the attributes set up in the AD Server when ad
mapping is used.
uidNumber UID
gidNumber GID
Note:
The list in the preceding table is given as an overview. See
upstream documentation for more attributes.
The mapping IDs must be within the range configured in
/etc/samba/smb.conf. Objects with IDs outside the range will
not be available on the Samba server.
Advantages of ad include:
UIDs and GIDs are consistent on all Samba servers that use ad.
The ID values are not stored in a local database, so there is less chance of
local data corruption and loss of file ownership data.
The rid back end is an algorithmic mapping scheme that uses the RID (relative
identifier) portion of the Windows SID to map Windows groups and Users to UIDs
and GIDs.
All domain user accounts and groups are automatically available on the
domain member providing the mapped ID falls within the domain's rid
range specified in /etc/samba/smb.conf.
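As an added illustration (not code from Oracle or the Samba project), the following example applies the formula documented in idmap_rid(8), ID = RID - BASE_RID + LOW_RANGE_ID, to show how the rid back end derives an ID and why an object whose mapped ID falls outside the range is not available. The domain SIDs are constructed placeholders, base_rid is assumed to be its default of 0, and the two collide entries show two different principals receiving the same UID when ranges overlap.

```python
def rid_to_unix_id(sid, domain_sid, low, high, base_rid=0):
    """Map a SID to a UID/GID as the rid back end does; None if unavailable.

    idmap_rid(8) gives the formula: ID = RID - BASE_RID + LOW_RANGE_ID.
    """
    prefix, _, rid_text = sid.rpartition("-")
    if prefix != domain_sid or not rid_text.isdigit():
        return None                       # SID is not from this domain
    unix_id = int(rid_text) - base_rid + low
    if not low <= unix_id <= high:
        return None                       # outside the range: not available
    return unix_id

def unix_id_to_sid(unix_id, domain_sid, low, high, base_rid=0):
    """Reverse mapping: RID = ID + BASE_RID - LOW_RANGE_ID."""
    if not low <= unix_id <= high:
        return None
    return f"{domain_sid}-{unix_id + base_rid - low}"

# Constructed domain SIDs (placeholders, not real domains).
COM_SID = "S-1-5-21-1111111111-2222222222-3333333333"
NET_SID = "S-1-5-21-4444444444-5555555555-6666666666"
COM_RANGE = (10000, 49999)          # EXAMPLE.COM range from the page
NET_RANGE = (50000, 99999)          # EXAMPLE.NET range from the page
NET_OVERLAPPING = (40000, 99999)    # constructed misconfiguration

def demo():
    return {
        "com_user": rid_to_unix_id(f"{COM_SID}-1104", COM_SID, *COM_RANGE),
        "net_user": rid_to_unix_id(f"{NET_SID}-1104", NET_SID, *NET_RANGE),
        "too_high": rid_to_unix_id(f"{COM_SID}-45000", COM_SID, *COM_RANGE),
        "wrong_domain": rid_to_unix_id(f"{NET_SID}-1104", COM_SID, *COM_RANGE),
        # With overlapping ranges two different principals get the same UID.
        "collide_a": rid_to_unix_id(f"{COM_SID}-31104", COM_SID, *COM_RANGE),
        "collide_b": rid_to_unix_id(f"{NET_SID}-1104", NET_SID, *NET_OVERLAPPING),
        "reverse": unix_id_to_sid(11104, COM_SID, *COM_RANGE),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```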
The autorid back end works in a similar way to the rid ID mapping back end, but
one advantage of autorid is that it can automatically assign IDs for different
domains. This enables you to use the autorid back end for the following:
The * default domain and additional domains, without the need to create
ID mapping configurations for each of the additional domains.
[global]
workgroup = EXAMPLE_WORKGROUP
netbios name = Server_Netbios_Name
security = user
server role = standalone server
passdb backend = tdbsam
log file = /var/log/samba/%m
log level = 1
[shareexample]
path = /srv/samba/shareexample/
read only = no
4. Create a local Linux user account without a home directory (-M) and
without a login shell (-s /sbin/nologin):
sudo useradd -M -s /sbin/nologin exampleUser
Note: The local password set with the passwd account is not the
one used by Samba.
However, setting a local password is required to enable the
account (Samba denies access if the account is disabled locally).
Note: The Samba account password set in this step, using the
smbpasswd command, is the password that will be used by Samba
Note:
9. Set the group for the share directory to be the group you created in a
previous step for your Samba users:
sudo chgrp -R exampleGroup /srv/samba/shareexample/
11. Open the required ports and reload the firewall configuration using the
firewall-cmd utility:
realmd
sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.copy
When you run the command as shown, realm does the following:
Adds the winbind module for user and group lookups to the
/etc/nsswitch.conf file.
5. Check that the entries in the /etc/samba/smb.conf file meet all your
configuration requirements.
For more information on the configuration file, see About the Samba
Configuration File.
7. Having verified that winbind is running in the preceding step, start and
enable the smb service:
sudo getent passwd EXAMPLE.COM\\exampleuser
EXAMPLE.COM\exampleuser:*:10000:10000::/home
sudo getent group "EXAMPLE.COM\Domain Users"
EXAMPLE.COM\domain users:x:10000:exampleuser
Confirm that you can use domain users and groups when
using file and directory commands. For example, to set the
owner of the /srv/samba/shareexample/ directory to
EXAMPLE.COM\administrator and the group to
EXAMPLE.COM\Domain Users run the following command:
sudo chown "EXAMPLE.COM\administrator":"EXAM
\\server_name\share_name
If you enter \\server_name, Windows displays the directories and printers that
the server is sharing. You can also use the same syntax to map a network drive to a
share name.
To access a Samba share from an Oracle Linux host you can install the following
packages:
samba-client
cifs-utils
The following steps give a brief overview of how you might use the smbclient
commands:
sudo smbclient -U "EXAMPLE.COM\user1" //example_samba
sudo mount -t cifs //server_name/share_name mountpoint -o cr
In the previous command, the credentials file contains settings for username,
password, and domain:
username=username
password=password
domain=EXAMPLE.COM
If the Samba server is a domain member server in an AD domain, and your current
login session was authenticated by the Kerberos server in the domain, you can use
your existing session credentials by specifying the sec=krb5 option instead of a
credentials file:
sudo mount -t cifs //server_name/share_name mountpoint -o se