doc:howto:cifs.server

Differences

This shows you the differences between two versions of the page.

doc:howto:cifs.server [2012/11/04 20:33]
guru4hp
doc:howto:cifs.server [2015/10/25 09:45] (current)
diizzy Bold text probably helps a bit about RAM requirements...
Line 1: Line 1:
 +====== Samba ======
 +Samba is a free and open-source implementation of [[wp>​Server Message Block|SMB/​CIFS]]. As of version 3, Samba provides file and print services over network which can be accessed by Windows, Unix and MacOS X clients. Alternatives are [[nfs.server|NFS]] and [[sshfs.server|SSHFS]].
  
 +:!: It is **strongly recommended** that you use LuCI to establish the initial configuration and then edit the template file (/​etc/​samba/​smb.conf.template) via LuCI Edit Template tab or from the shell as needed.
 +
 +:!: On devices with **32Mbyte of RAM** you will most likely run into **memory issues**, adding swap **might help** but devices with at least 128Mbyte is recommended and a 128-256Mbyte swap if possible.
 +
 +===== Preparations =====
 +==== Prerequisites ====
 +Presuming you want to connect a USB hard disk to the device and then access its contents over the cifs protocol, you need to mount that drive first:
 +  - [[doc:​howto:​usb.essentials]] ​ obtain basic support for the USB.
 +  - [[doc:​howto:​usb.storage]] ​ obtain support for USB storage and mount local filesystem
 +  - Configure ''​[[doc:​uci:​firewall|/​etc/​config/​firewall]]''​ to open the following ports (if your LAN access is rejected by default):
 +    * TCP 137 - NetBIOS Name Service
 +    * TCP 138 - NETBIOS Datagram Service
 +    * TCP 139 - NETBIOS Session Service
 +    * TCP 445 - Microsoft Directory Services
 +
 +|''​config '​rule'​
 +        option '​src'​ '​lan'​
 +        option '​proto'​ '​udp'​
 +        option '​dest_port'​ '​137-138'​
 +        option '​target'​ '​ACCEPT'​
 +
 +config '​rule'​
 +        option '​src'​ '​lan'​
 +        option '​proto'​ '​tcp'​
 +        option '​dest_port'​ '​139'​
 +        option '​target'​ '​ACCEPT'​
 +
 +config '​rule'​
 +        option '​src'​ '​lan'​
 +        option '​proto'​ '​tcp'​
 +        option '​dest_port'​ '​445'​
 +        option '​target'​ '​ACCEPT'​
 +''​|
 +
 +==== Required Packages ====
 +=== Server (OpenWrt) ===
 +  ***''​samba??​-server''​** <- check current available version using opkg list | grep -i samba
 +  ***''​kmod-fs-????''​** Kernel module for the [[wp>​file system]] with which the partition, you want to grant access to with Samba, is formated
 +  ***''​luci-app-samba''​** (//​optional//​) Configure from within the web interface [[doc:​howto:​luci.essentials|LuCI]].
 +
 +=== Client (your PCs) ===
 +Windows and most GNU/Linux distribution come with pre-installed support for this. So does MacOS X since version 10.2. In case your distribution is missing support, you need to install the client software. ArchLinux offers a Wikipage: [[https://​wiki.archlinux.org/​index.php/​Samba#​Configuration]].
 +
 +===== Configuration =====
 +-> See ''​[[doc:​uci:​samba|/​etc/​config/​samba]]''​
 +
 +After modifying any of the config files, restart the Samba server so that your changes take effect:
 +
 +<​code>/​etc/​init.d/​samba restart</​code>​
 +
 +**''​Info:''​** When Samba is restarted this way, the file ''/​etc/​samba/​smb.conf''​ is (re)created from to the uci configuration file and ''/​etc/​samba/​smb.conf.template''​.
 +
 +Create Samba users by adding them to /etc/passwd and /etc/group, then using ''​smbpasswd''​ to set passwords and add to Samba. Set up shared directories permissions according to your needs using ''​chown''​ and ''​chmod''​. Any unknown usernames used for authentication against Samba are mapped to a guest login silently by default.
 +
 +==== Custom configuration surpassing the UCI configuration ====
 +Samba is the only built in way to share resources between computers running Microsoft Windows. Even in a professional environment. Thus it can be //very// complicated to configure! It is also not the protocol of choice to accomplish that task in a Linux/Mac environment. So, if for whatever reasons above configuration does not give you desired access to your configured shares, you can of course circumvent the uci system and hack the original Samba configuration files instead or in addition. There may be entries which do not have a counterpart in UCI (yet) and thus can only be configured that way. Just bear in mind, that the uci config will overwrite the values configured with it (but not the whole configuration) at every boot up! If you want configure Samba directly with ''/​etc/​samba/​smb.conf''​ instead of ''/​etc/​config/​samba'',​ it is possible to make changes to the smb.conf survive a reboot using the procedure below.
 +
 +First, prevent OpenWrt from starting Samba at boot time, thus overwriting ''/​etc/​samba/​smb.conf''​ with the settings in the uci file ''/​etc/​config/​samba'':​
 +
 +<​code>/​etc/​init.d/​samba disable</​code>​
 +
 +Then add the following lines to /​etc/​rc.local to allow smbd and nmbd to start at boot time, using ''/​etc/​samba/​smb.conf''​ as the configuration file
 +
 +<​code>​
 +smbd -D
 +nmbd -D
 +</​code>​
 +
 +Now edit your ''/​etc/​samba/​smb.conf''​ all you like without worrying they will be lost the next time you reboot!
 +
 +===== Start on boot =====
 +Same procedure as with most OpenWrt packages: The first command will create a symlink ''/​etc/​rc.d/​S60samba'',​ the second will only start samba right now.
 +
 +<​code>​
 +/​etc/​init.d/​samba enable
 +/​etc/​init.d/​samba start
 +</​code>​
 +
 +===== Troubleshooting =====
 +  - If luci-app-samba is not working or can't be found in the web gui -> execute "rm /​tmp/​luci-indexcache"​ or restart router. ​
 +  - Is the partition you want to share mounted correctly? Check ->''​[[doc:​uci:​fstab|/​etc/​config/​fstab]]''​ again.
 +  - Does the samba-daemon have (read or write) access to the partition?
 +  - Is Samba running?
 +    - ''​ps aux''​ should show ''​smbd -D''​ and ''​nmbd -D''​ up and running
 +  - **Is your Samba configuration right**?
 +  - Does your firewall allow clients to access the service on your router?
 +
 +When using a Windows 7 client, you may have trouble accessing the network shares when Samba is set to user security, especially when using the "Map Network Drive" option from within Explorer. To circumvent this problem, try logging, choose to login using different credentials and type your username all in caps.
 +
 +If this still doesn'​t work, on the Windows 7 client(s) start a command shell (Win+R, type cmd and press enter), then issue the following command:
 +
 +<​code>​
 +net use R: \\openwrt\<​share>​ /​USER:<​USERNAME>​ <​password>​
 +</​code>​
 +
 +If you changed your router hostname, openwrt must be changed accordingly. **<​share>​** is the name of the share, as you have configured it using Luci or otherwise. **<​USERNAME>​** is the username you have added to the /etc/passwd name, and must be spelled all in caps. **<​password>​** is the one you set using smbpasswd.
 +
 +==== Set security to share ====
 +Some hints in advance: If you installed all needed packages, configured Samba per UCI and it still does not work at all, have a look at the file /​etc/​samba/​smb.conf.template. Change the entry //​security//​ from ''​user''​ to ''​share'',​ restart the daemons and try accessing it directly: In //windows explorer// type ''​\\router_ip''​ in the address bar. In //​nautilus//​ or //dolphin// press <​CTRL>​+<​L>​ and type ''​smb:​%%//​%%router_ip/''​ into the address bar.
 +
 +Instead of looking up the whole configuration step by step, you maybe want to have a look at [[http://​samba.org/​samba/​docs/​man/​Samba-Guide/​ExNetworks.html|Samba.org:​ Example Network Configurations]]. Chapter 1: No-Frills Samba Servers. Notice that you can already achieve a great deal of security by neatly setting up the [[doc:​uci:​firewall]] ​ 8-)
 +
 +
 +==== Localhost ====
 +If Samba does not start, try adding your router'​s name and ip in /etc/hosts.
 +(see also http://​forum.openwrt.org/​viewtopic.php?​id=5401)
 +
 +==== Browsing shares fails ====
 +When Samba is configured, the shares are set browse-able,​ but they still don't appear when browsing the network, then it may be that ''​local master = yes''​ is missing from ''/​etc/​samba/​smb.conf.template''​. Also check if ''​preferred master = yes''​ is in ''/​etc/​samba/​smb.conf.template''​.
 +
 +
 +==== Cannot write to the Samba share ====
 +If you cannot write to the share, Samba may not have the proper permissions to write to the shared folder.  ​
 +
 +Some have reported success by modifying the permissions and owner of the folder:
 +
 +<​code>​chmod -R 777 /mnt/sda1
 +chown -R nobody /​mnt/​sda1</​code>​
 +
 +
 +If you are sharing a drive mounted wish fstab, you may need to modify **/​etc/​config/​fstab** to include '​umask=000'​ in the options section.
 +| ''​config '​mount'​
 +        option '​options'​ '​rw,​umask=000'​
 +        option '​enabled_fsck'​ '​0'​
 +        option '​enabled'​ '​1'​
 +        option '​device'​ '/​dev/​scsi/​host0/​bus0/​target0/​lun0/​part1'​
 +        option '​target'​ '/​mnt/​usbdisk'​
 +        option '​fstype'​ '​vfat'''​ |
 +
 +More info here:
 +https://​forum.openwrt.org/​viewtopic.php?​id=26625
 +
 +
 +==== International Characters Support ====
 +I've replaced ​
 +| '' ​    unix charset = ISO-8859-1''​ |
 +with
 +| '' ​    unix charset = UTF-8''​ |
 +in the ''/​etc/​samba/​smb.conf.template''​ file and I can now read and write files and folders with accented characters.
 +
 +==== Throughput Issues ====
 +Since [[doc:​howto:​netfilter]] will track every connection, if you use MASQUERADING for example, you should disable con-tracking for data connections. The basic idea looks likes this, you must adapt this to your firewall setting.
 +<code bash>
 +$IPT -t raw -A OUTPUT -o $IF_LAN -s $IP_LAN -p tcp --sport 139 -j CT --notrack #​------------------ don't track SMB
 +$IPT -t raw -A OUTPUT -o $IF_LAN -s $IP_LAN -p tcp --sport 445 -j CT --notrack #​------------------ don't track SMB
 +$IPT -t raw -A PREROUTING -o $IF_LAN -s $IP_LAN -p tcp --dport 139 -j CT --notrack #​------------------ don't track SMB
 +$IPT -t raw -A PREROUTING -o $IF_LAN -s $IP_LAN -p tcp --dport 445 -j CT --notrack #​------------------ don't track SMB
 +</​code>​
 +
 +It probably would rather avoid trouble if you do this UCI conform in ''​[[doc:​uci:​firewall|/​etc/​config/​firewall]]'':​
 +
 +<​code>​
 +...
 +config '​rule'​
 + option '​_name'​ '​Don'​\''​t track NETBIOS Service'​
 + option '​src'​ '​lan'​
 + option '​src_port'​ '​137-139'​
 + option '​dest'​ '​lan'​
 + option '​target'​ '​NOTRACK'​
 +
 +config '​rule'​
 + option '​_name'​ '​Don'​\''​t track NETBIOS Service'​
 + option '​src'​ '​lan'​
 + option '​dest'​ '​lan'​
 + option '​dest_port'​ '​137-139'​
 + option '​target'​ '​NOTRACK'​
 +
 +config '​rule'​
 + option '​_name'​ '​Don'​\''​t track Windows Filesharing'​
 + option '​src'​ '​lan'​
 + option '​src_port'​ '​445'​
 + option '​dest'​ '​lan'​
 + option '​target'​ '​NOTRACK'​
 +
 +config '​rule'​
 + option '​_name'​ '​Don'​\''​t track Windows Filesharing'​
 + option '​src'​ '​lan'​
 + option '​dest'​ '​lan'​
 + option '​dest_port'​ '​445'​
 + option '​target'​ '​NOTRACK'​
 +
 +</​code>​
 +
 +
 +==== Mac Network Discovery Issues ====
 +As the latest version of Mac OS X (Yosemite) has problems discovering SMB network shares broadcasted by each client over the LAN, you can set up a WINS server on your router which will help them out.
 +
 +A WINS server is a centralised name server for SMB network shares. The objective is to make the router the master browser which means it will discover SMB network shares then make them available over the WINS service. Macs will connect to the WINS service to receive the list of network shares, hopefully with more success than discovering network shares themselves.
 +
 +We will edit the UCI template (''/​etc/​samba/​smb.conf.template''​) instead of directly changing ''/​etc/​samba/​smb.conf''​ so as to maintain compatibility with UCI and LuCI.
 +
 +Log into LuCI, go to Services > Network Shares, go to the Edit Template tab, and add or change the following entries in the "​[global]"​ section in the template.
 +
 +<​code>​
 +[global]
 + domain master = yes
 + local master = yes
 + name resolve order = wins lmhosts hosts bcast
 + os level = 99
 + preferred master = yes
 + wins support = yes
 +</​code>​
 +
 +Finally Save & Apply the changes.
 +
 +You can also configure dnsmasq to broadcast the WINS server address via DHCP so that clients on the LAN don’t have to be manually configured.
 +
 +As there is no template editor in LuCI for ''/​etc/​config/​dhcp''​ it has to be edited in the terminal instead. ssh into your router then enter the following:
 +
 +<​code>​
 +root@router:/#​ cd /etc/config
 +root@router:/​etc/​config#​ vi dhcp
 +</​code>​
 +
 +Now add the following entry to the "​config '​dhcp'​ '​lan'"​ section in the template:
 +
 +<​code>​
 +...
 +config '​dhcp'​ '​lan'​
 + list '​dhcp_option'​ '​44,​192.168.1.1'​
 +...
 +</​code>​
 +
 +If your router has a different IP address to 192.168.1.1 then put your router'​s address.
 +
 +Use ":​wq"​ to save and quit then reboot the router (type ''​reboot''​ on the command line) and reboot the Macs. SMB network shares should appear in Network home a few minutes after rebooting the Mac.
 +
 +
 +===== Notes =====
 +  * [[https://​forum.openwrt.org/​viewtopic.php?​pid=140976#​p140976|Samba user administration script]]
 +  * [[https://​forum.openwrt.org/​viewtopic.php?​id=33510|Storage Administration Tool]]
 +
 +===== Example =====
 +A video demonstration of how Samba 3.6 from the repositories can be installed on OpenWrt 14.07 Barrier Breaker: https://​www.youtube.com/​watch?​v=1tEROyfvkv4
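
Review bot: The port list under Prerequisites labels 137 and 138 as TCP, but the firewall rule directly below it opens 137-138 with option 'proto' 'udp'; the NetBIOS name and datagram services use UDP, so the list entries should read UDP 137 and UDP 138 to agree with the rule. In the Throughput Issues block, the two PREROUTING lines match on "-o $IF_LAN"; iptables does not accept an output interface in the PREROUTING chain, so those two rules will be rejected, and they should match on "-i $IF_LAN" instead. In "Cannot write to the Samba share", "chmod -R 777 /mnt/sda1" together with 'umask=000' makes the whole disk world-writable, and the Configuration section already states that unknown usernames are silently mapped to a guest login, so any share that permits guest access becomes writable by anyone on the LAN; I would document the narrower fix first (own the directory with the account Samba uses and grant write to that user or group only) and present 777 as a last resort with that consequence spelled out. The same applies to "Set security to share": it should say that this removes per-user authentication and is a diagnostic step, not a final configuration. Small wording fixes while here: "(re)created from to the uci configuration file", "try logging, choose to login using different credentials", and "mounted wish fstab".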