From Fedora Project Wiki



Samba is an open source implementation of the SMB (Server Message Block) protocol. Samba provides the means for resource sharing between networked computers that run different operating systems. As a client, Samba allows Linux/UNIX machines to access resources on Windows or Samba servers. As a server, Samba provides shared resources for Windows or other Samba clients. Historically, Samba provided access to shared resources through SMBFS, the SMB File System. More recently, SMBFS has been replaced by the more advanced CIFS (Common Internet File System), an SMB-compliant virtual file system. CIFS utilizes advanced network file system features such as locking, Unicode and hardlink support. With CIFS, all network functions, including authentication, are provided in the kernel.

Fedora includes version 3.x of Samba. This version is capable of the following:

  • Acts as a Windows NT-style PDC (Primary Domain Controller)
  • Provides authentication for Windows domain logins
  • Acts as a BDC (Backup Domain Controller) for Samba PDC
  • Joins Windows NT, Windows 2000/2003 and Samba domain as a member server
  • Provides WINS (Windows Internet Name Service) name resolution with the nmb component
  • Enhances network browsing services
  • Joins Windows AD (Active Directory) domain by utilizing LDAP and Kerberos services
  • Acts as a Windows Workgroup server, providing directory trees, files and printers to Windows and Linux/UNIX clients
  • Contains built-in Unicode support for internationalization

The current development version (4.x) will address existing limitations of Samba, the most important being the ability of Samba to act as a Windows Active Directory PDC.

How Samba Works

A detailed explanation of low-level Samba services is beyond the scope of this document. The simplified definition is that Samba utilizes the NetBIOS API to deliver or respond to SMB/CIFS calls over the network, thus providing access to the network-shared directory tree, file and print resources. In addition, Samba extends NetBIOS and SMB/CIFS to provide authentication services and LDAP-type directory information.

Samba is composed of multiple applications, each of which provides a part of Samba's functionality. Three daemons, smbd, nmbd and winbindd, are the main components of Samba. Some of the most commonly used command line Samba tools are smbstatus, smbpasswd, findsmb, nmblookup, net, smbclient, smbtar and testparm.

Samba Daemons

smbd:: The smbd daemon is responsible for the management of all shared resources on the Samba server. It provides file, print and browse services for SMB/CIFS clients including authentication and resource locking.

nmbd:: The nmbd daemon is the naming service component. nmbd provides WINS functionality to Windows clients, browse lists in the Network Neighborhood and participates in browser elections on the network.

winbindd:: Together with nsswitch, the winbindd service provides access to user and group information stored on the Windows server and is capable of passing a Samba client's authentication requests to the Windows server.

Commonly Used Command Line Utilities

smbstatus:: Reports current connections to shares on a Samba server.

smbpasswd:: Used to set or modify passwords for Samba users.

findsmb:: Used to provide information about SMB/CIFS enabled computers on the network.

nmblookup:: Uses NetBIOS over TCP/IP to translate computer names to IP addresses.

net:: Used for remote administration of Samba servers.

smbclient:: Used by UNIX/Linux client computers to connect to Samba or Windows shared resources.

smbtar:: Utility used to backup data that resides on Samba shares.

testparm:: Utility used to check the syntax of the Samba configuration file (smb.conf).

Installing Samba Server

The default Fedora installation does not include Samba server. To install Samba, run:

su -c "yum install samba"

and enter the root password when prompted. This command will install the two packages needed to run a Samba server:

  • samba-common
  • samba

The samba package installs the actual Samba server, while the samba-common package includes additional files needed by the Samba server and Samba client. There are two additional optional packages that can also be installed:

  • samba-client
  • system-config-samba

The samba-client package provides client-side Samba functionality to a Fedora machine. The package allows connectivity to remote Samba or Windows shares with the smbclient command line utility. The system-config-samba package provides a graphical interface to aid with Samba server configuration. This utility is capable of configuring a very limited set of Samba server options and is not covered in this document.


The main configuration file is /etc/samba/smb.conf. It includes a sensible set of configuration options which should be able to cover most, if not all, scenarios. The smb.conf file accepts two types of comments:

  • hash symbol (#) is usually used to denote actual comments
  • semicolon (;) is usually used to denote unused configuration options

Configuration options are in the format:

name = value

Lines that contain only whitespace are ignored.

smb.conf file is divided into sections. Each section begins with the section name in brackets and continues until the beginning of the next section. There are three special sections:

[global] section:: Contains configuration parameters for the entire Samba server.

[homes] section:: When defined in the configuration file, this section allows clients to quickly access their home directories.

[printers] section:: When defined, allows users to connect to printers specified in the Samba server's local printcap file.

Samba Configuration

Samba configuration can be customized based on network requirements. This section provides some sample configurations for various Samba implementations, including:

  • Standalone workgroup server
  • Domain member server (Windows NT-style)
  • Primary Domain Controller (Windows NT-style)
  • Domain member server in the Windows AD domain

Samba Security Modes

A good understanding of how Samba implements security is essential for proper deployment of a Samba server. Windows NT/2000/2003 SMB (CIFS) implements only two security levels, user-level and share-level security; Samba provides more flexibility by extending Windows-based SMB/CIFS security through its security modes. Samba security modes are configured through the smb.conf parameter:

security = <mode>

The available modes are:

share:: In this mode, the client must authenticate against each share. In a Windows world, the share password is set on the share itself, which means that the client does not have to pass a username along with the connection request. Samba always uses a username/password combination, provided through the underlying Linux authentication method (/etc/passwd or /etc/nsswitch.conf). For this mode the smb.conf entry is:

security = share

user:: This is Samba's default security mode. In this mode, authentication is based on the username/password combination. When a client makes a request for a shared resource, the Samba server doesn't "know" which share an authenticating client is allowed to access. For this mode the smb.conf entry is:

security = user

server:: Although still valid, the server security mode is a "legacy" mode, a leftover from times when the Samba software was not able to become a domain member server. This mode allows a Samba server to authenticate connecting clients against a Windows NT-style PDC. It has many shortcomings: the possibility of "account lockout" on the Windows PDC, no assurance that the PDC is the actual machine specified, no support for winbindd or remote user profiles, etc. In this mode, Samba appears to the clients to be in user security mode, while actually passing all authentication to the PDC. For server security mode to work, two additional parameters must be specified in the smb.conf file:

encrypt passwords = yes
security = server
password server = PDC-NetBIOS-name

domain:: Domain security mode is the mechanism that provides a central database for all user, group and machine account information. This database is stored on the machines that participate in a domain as Domain Controllers. The PDC is responsible for maintaining the integrity of the database and sending regular updates to servers that act as Backup Domain Controllers. The BDC is used for performing account authentication, thus offloading a significant amount of work from the Primary Domain Controller. This is very important for redundancy in large environments, particularly those where a single domain spreads across different physical locations. Having a BDC allows for uninterrupted logins even if the network link to the PDC is "down". Samba participates in domain security mode by virtue of a machine trust account stored in the domain accounts database. This allows a Samba server configured as a BDC to authenticate clients, or to pass the authentication to the Domain Controller if it is configured as a Domain Member Server. A Samba server must join a Windows-based domain before it can be configured for domain security mode. To configure Samba for domain security mode:

To /etc/samba/smb.conf add:

security = domain
workgroup = <Domain-Name>

On a Windows PDC, use Server Manager to add the Samba server's machine account to the domain database. On the Samba server run:

net rpc join -U administrator%password

It is not necessary to specify the actual domain name with the previous command; this information is retrieved from the smb.conf file.

ADS:: ADS security mode dictates that the Samba server must join a Windows Active Directory domain. To join an ADS domain, create the Samba server's account in ADS:

net ads join -U Administrator

Samba is able to join an AD domain either as an NT-style AD domain member using NT-style security (if AD is running in native mode) or as a native AD domain member, which requires Kerberos-based authentication services. The latter may be required for domains where security policy prohibits RPC-based (NT-style) authentication. The smb.conf entry is:

security = ADS
realm = <some.kerberos.realm>
encrypt passwords = yes

Samba is sometimes not able to identify the authentication server from its Kerberos realm name. This often happens on networks with Linux/UNIX style DNS servers if they are not configured to handle the non-standard DNS requirements of the Windows AD DNS implementation. In this case, add the following parameter to the smb.conf:

password server = <>

Important Notes For Systems With SELinux Enabled

To achieve proper operation of Samba on SELinux enabled systems follow these few rules:

  • If you create a directory that you want to share, label it with the samba_share_t context:

chcon -R -t samba_share_t /home/newdir

Do not change the SELinux context of system directories! System directories have different SELinux labels, and relabeling them with the samba context can severely damage system security and possibly render the system unusable. To check what context a system directory has, use:

ls -lZd /path-to-systemdir

  • To share a system directory, use one of the following:

setsebool -P samba_export_all_ro on

... to provide read-only shares or ...

setsebool -P samba_export_all_rw on

... to provide read-write access to shares.

  • SELinux disables sharing of home directories by default. To enable sharing of home directories, run:

setsebool -P samba_enable_home_dirs on

  • To enable the correct operation of Fedora user account command line utilities such as useradd, which allows Samba to run as a domain controller, run:

setsebool -P samba_domain_controller on

Security Considerations

There are several ways to address the security of a Samba server:

  • Interface protection
  • Host based protection
  • User based protection
  • Firewall protection

Interface Protection

Add the following parameters to the smb.conf to define which interfaces the Samba services listen on:

interfaces = eth0 lo
bind interfaces only = yes

In the example above, Samba will only listen on the loopback interface and the first Ethernet NIC and will ignore all other network interfaces that might be present on the system.

Host Based Protection

By default, Samba accepts connections from all hosts. To restrict access to a Samba server to only the desired hosts or subnets, configure the following parameters:

hosts allow =
hosts deny =

This will allow access to the Samba server only to localhost and hosts on the 192.168.1. subnet.

User Based Protection

To restrict user access to Samba shares globally, use the following parameter in the [global] section of the smb.conf file:

valid users = user1, otheruser, @smballowed

The above configuration allows access to a Samba server to users user1, otheruser, and users who are members of the smballowed user group.

Firewall Protection

A good practice for securing a Samba server is to use firewall protection combined with Samba-specific protection as described in the previous section. To configure iptables firewall access to a Samba server from the subnet, add the following rules:

iptables -A INPUT -s -p udp -m udp --dport 137 -j ACCEPT
iptables -A INPUT -s -p udp -m udp --dport 138 -j ACCEPT
iptables -A INPUT -s -p tcp -m tcp --dport 139 -j ACCEPT
iptables -A INPUT -s -p tcp -m tcp --dport 445 -j ACCEPT

Samba communicates through:

  • 137/UDP port - used by nmbd for NetBIOS name resolution
  • 138/UDP port - used by nmbd for NetBIOS network browsing
  • 139/TCP port - used by smbd for NetBIOS session service
  • 445/TCP port - used by smbd for Microsoft Active Directory services

Inbound traffic on high-order ports [1024:65535] should be denied except for established connections.
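As an added example that is not part of the original wiki page, the following Python script parses smb.conf text using the comment and section rules described earlier on this page and reports which of the interface, host and user based protections from this section are missing; the weak and hardened configurations inside it are constructed, and the severity labels are the script's own.

```python
"""Audit an smb.conf for the interface, host and user based protections above.
Added example, not Fedora or Samba project code; the sample configs are constructed."""
from collections import OrderedDict

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {option: value}}.

    Rules from the page: '#' and ';' lines are comments, blank lines are ignored,
    a [section] runs until the next one, and options are 'name = value'.
    Option names are case-insensitive with internal whitespace collapsed.
    """
    conf = OrderedDict()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, OrderedDict())
            continue
        if section is None or "=" not in line:
            continue  # stray line outside a section; testparm would warn about it
        name, value = line.split("=", 1)
        conf[section][" ".join(name.split()).lower()] = value.strip()
    return conf

def _is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")

def audit_smb_conf(conf):
    """Return (severity, message) findings, in a fixed order, for a parsed smb.conf."""
    findings = []
    g = conf.get("global", {})
    mode = g.get("security", "user").lower()  # 'user' is Samba's default mode
    if mode == "share":
        findings.append(("high", "security = share: per-share passwords give no per-user accountability"))
    elif mode == "server":
        findings.append(("medium", "security = server is a legacy mode; prefer domain or ADS"))
    if "interfaces" not in g or not _is_yes(g.get("bind interfaces only", "no")):
        findings.append(("medium", "no interface protection: set 'interfaces' and 'bind interfaces only = yes'"))
    if "hosts allow" not in g:
        findings.append(("medium", "no host based protection: 'hosts allow' unset, all hosts accepted"))
    for name, share in conf.items():
        if name == "global":
            continue
        if _is_yes(share.get("guest ok", "no")) and "valid users" not in share:
            findings.append(("low", f"[{name}] allows guest access with no 'valid users' restriction"))
    return findings

# Constructed sample modelled on the read-only policies share later on the page.
WEAK_CONF = """\
[global]
   workgroup = BIGBROTHER
   security = share
   ; interfaces = eth0 lo
   ; bind interfaces only = yes

[policies]
   path = /home/common/policies
   read only = yes
   guest ok = yes
"""

# The same share with the protections from this section applied.
HARDENED_CONF = """\
[global]
   workgroup = BIGBROTHER
   security = user
   interfaces = eth0 lo
   bind interfaces only = yes
   hosts allow = 127. 192.168.1.
   valid users = @smballowed

[policies]
   path = /home/common/policies
   read only = yes
   guest ok = no
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} ==")
        for severity, message in audit_smb_conf(parse_smb_conf(text)) or [("ok", "no findings")]:
            print(f"  [{severity}] {message}")
```

Run it against a real file with parse_smb_conf(open("/etc/samba/smb.conf").read()); it only reads the file and complements, rather than replaces, testparm's syntax check.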

Samba And CUPS (Common Unix Printing System)

For detailed CUPS printing instructions, see Using the Common UNIX Printing System. This section covers some capabilities of the CUPS printing system related to Samba.

Basic Features

Samba is pre-compiled with support for CUPS printing. This integration simplifies print serving to SMB/CIFS clients. In a simple scenario, Samba presents CUPS printer queues to the SMB/CIFS clients and passes received print jobs directly to CUPS for printing. This scenario assumes the SMB/CIFS clients have the appropriate printer drivers installed and are capable of producing print jobs in a format that the printer device understands. In this scenario, the [global] section of the smb.conf file requires only two parameters:

printing = cups
printcap = cups

Printer devices are configured in the [printers] section. For small environments with few printer devices that do not have any specific printing requirements, the default [printers] section should be sufficient. Samba and CUPS provide a lot of flexibility, and each individual printer can be configured through its own section, which overrides settings in the [global] section. One common example is the need to allow only a set of users or user groups in the organization to print to a device:

printing = cups
printcap = cups

comment = all printers
path = /var/spool/samba
printable = yes
guest ok = yes
use client driver = yes

comment = color laser
path = /var/spool/samba
browseable = no
printable = yes
guest ok = no
valid users = @marketing, boss
use client driver = yes

In the above example, only the user boss and members of the marketing group are allowed to print to the color laser printer.

Advanced Features

Integration of Samba and CUPS printing allows for advanced configurations that provide robust printing solutions, suitable for enterprise environments. For detailed guides and tutorials about the advanced features, refer to the Additional Information section at the bottom of the page.

Samba Linux Client Utilities

To view the list of SMB/CIFS shares on a particular host, run:

smbclient -L <hostname>

To connect to the Samba share on a particular host, run:

smbclient //<hostname>/<sharename>

...and enter the Samba password when prompted. To connect to the Samba share as a different user, specify the user name as an argument to the -U command option:

smbclient -U <userX> //<hostname>/<sharename>

...and enter userX's samba password when prompted. To mount the Samba share on the local directory, as root run:

mount -t cifs //<hostname>/<sharename> /<localdir> -o user=userX

...and enter userX's samba password when prompted. If mounting Samba share in this fashion, userX will likely encounter various issues with file permissions on the mounted /<localdir>. To avoid these issues, pass the additional options to the mount command:

mount -t cifs //<hostname>/<sharename> /<localdir> -o user=userX,uid=<UID>,file_mode=0644

...where <UID> is a numerical user ID of the userX's local account on the client machine. It is also possible to pass the userX's Samba password as an option to the mount command:

mount -t cifs //<hostname>/<sharename> /<localdir> -o user=userX,password=<password>,uid=<UID>,file_mode=0644

...and avoid the password prompt on every mount attempt. However, this is not recommended, since the actual password might be visible to others. The recommended way is to use the credentials option:

mount -t cifs //<hostname>/<sharename> /<localdir> -o credentials=<path_to_the_credentials_file>,uid=<UID>,file_mode=0644

The credentials file is an ASCII text file of the format:

Good practice is to create the credentials file with file permissions set to read-only for user root and not accessible to anybody else.

Root is the only user with permission to run the mount utility. To enable non-privileged users to mount and unmount Samba shares, set SUID on /sbin/mount.cifs and /sbin/umount.cifs. As root, run:

chmod u+s /sbin/mount.cifs /sbin/umount.cifs

Once set, user can use mount.cifs to mount Samba shares:

/sbin/mount.cifs //<hostname>/<sharename> /<localdir> -o credentials=<path_to_the_credentials_file>,uid=<UID>,file_mode=0644

...or umount.cifs to unmount the share:

/sbin/umount.cifs /<localdir>

To mount Samba shares at boot time, edit the /etc/fstab file and add the line:

//<hostname>/<sharename> /<localdir> cifs <option1>,<option2>,...,<optionX> 0 0

The entry in the /etc/fstab file accepts the same set of options as the mount command.
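The following Python script is an added example, not part of the original page: it writes a root-only credentials file in the username=/password= format that mount.cifs reads, and audits /etc/fstab style entries for the inline password= option that this section advises against; the fstab fragment and the permission modes inside it are constructed.

```python
"""Check CIFS credential handling: a root-only credentials file instead of an inline password.
Added example, not Fedora or Samba project code; the fstab fragment and file modes are constructed."""
import os
import stat
import tempfile

def write_credentials_file(path, username, password, domain=None):
    """Write a mount.cifs credentials file (username=, password=, optional domain=), one
    key per line, readable only by its owner. Run as root so that the owner is root."""
    lines = [f"username={username}", f"password={password}"]
    if domain:
        lines.append(f"domain={domain}")
    # The mode passed to O_CREAT is masked by the umask, so it is enforced with chmod afterwards.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    os.chmod(path, 0o400)
    return stat.S_IMODE(os.stat(path).st_mode)

def credentials_roundtrip():
    """Write a credentials file for a constructed user into a temp dir; return (mode, lines)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, ".smbcred")
        mode = write_credentials_file(path, "userX", "s3cret", "OFFICESPACE")
        with open(path) as fh:
            lines = fh.read().splitlines()
    return mode, lines

def parse_mount_options(opts):
    """'user=userX,uid=1001,file_mode=0644' -> {'user': 'userX', 'uid': '1001', ...}.
    Options without '=' (such as 'ro') map to an empty string."""
    result = {}
    for item in opts.split(","):
        if item:
            key, _, value = item.partition("=")
            result[key] = value
    return result

def audit_fstab(fstab_text, mode_of):
    """Return (mount point, finding) pairs for the cifs entries of an fstab.
    mode_of(path) returns the permission bits of a credentials file or raises OSError."""
    findings = []
    for raw in fstab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4 or fields[2] != "cifs":
            continue
        target, opts = fields[1], parse_mount_options(fields[3])
        if "password" in opts or "pass" in opts:
            findings.append((target, "password is inline in fstab; use credentials= instead"))
        cred = opts.get("credentials") or opts.get("cred")
        if not cred:
            continue
        try:
            mode = mode_of(cred)
        except OSError:
            findings.append((target, f"credentials file {cred} is missing"))
            continue
        if mode & 0o077:
            findings.append((target, f"credentials file {cred} is readable by others (mode {mode:04o})"))
    return findings

# Constructed fstab fragment (hosts, shares and paths are arbitrary) and constructed
# permission bits standing in for os.stat() on the credentials files it names.
SAMPLE_FSTAB = """\
//fileserver/documents /mnt/documents cifs user=userX,password=s3cret,uid=1001,file_mode=0644 0 0
//fileserver/documents /mnt/docs-ok   cifs credentials=/root/.smbcred,uid=1001,file_mode=0644 0 0
//fileserver/documents /mnt/docs-weak cifs credentials=/home/userX/.smbcred,uid=1001 0 0
//fileserver/documents /mnt/docs-gone cifs credentials=/etc/samba/missing.cred 0 0
/dev/sda1 /boot ext4 defaults 1 2
"""
SAMPLE_MODES = {"/root/.smbcred": 0o400, "/home/userX/.smbcred": 0o644}

def sample_mode_of(path):
    if path not in SAMPLE_MODES:
        raise FileNotFoundError(path)
    return SAMPLE_MODES[path]

def demo_audit():
    """Audit the constructed fstab with the constructed file modes."""
    return audit_fstab(SAMPLE_FSTAB, sample_mode_of)
```

On a real system call audit_fstab(open("/etc/fstab").read(), lambda p: stat.S_IMODE(os.stat(p).st_mode)) as root, since the credentials files it stats should be unreadable to anyone else.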

Common Scenarios - Sample Configuration Files

Computer, workgroup, and share names, specified directory paths, user and group names and IP network addresses in the following configuration files are entirely arbitrary.

Read-only shared directory

Requirement: Allow all users to view company's policies on Internet and Email usage, without the ability to alter files.


  1. Create directory /home/common/policies
  2. Copy all related documents to /home/common/policies
  3. Create [policies] section in smb.conf that allows anonymous access

Use the following smb.conf to achieve this:

workgroup = BIGBROTHER
security = share

path = /home/common/policies
read only = yes
guest ok = yes

Small Office Network

Environment: Translation services office with three client PCs (Windows XP) networked in an OFFICESPACE workgroup. MS Word documents and MS Excel spreadsheets are shared from each PC. Network-capable laser printer that accepts direct printing from workstations.

Requirements: Provide central storage for documents, writable for all users and centrally managed raw print queue, with print drivers locally installed on each workstation.


  1. Install Fedora and Samba server on a new server
  2. Create group officespace on the server:

groupadd officespace

  3. Create user milton on the server:

useradd milton
passwd milton
Changing password for user milton.
New UNIX password: ********
Retype new UNIX password: ********
passwd: all authentication tokens updated successfully.

  4. Create the directory structure that will contain documentation and be shared via Samba:

mkdir -p /data/documents/{translations,spreadsheets}
chown -R milton.officespace /data/documents
chmod -R ug+rwxs,o+rx,o-w /data/documents

  5. Create accounts for the three users in the office and add all of them to the officespace group.

Steps 2-5 above ensure that the directory structure /data/documents has SUID and SGID set on it and that all new files created under it inherit the set ownership and permissions. This allows all users in the office to alter the content of the files without running into file access permission problems.

  6. Create the CUPS print queue on the server:

lpadmin -p prn1 -v socket:// -E

...and enable the CUPS queue for raw printing by uncommenting the line

#application/octet-stream     application/vnd.cups-raw      0     -

in the /etc/cups/mime.convs file and uncommenting the line

#application/octet-stream

in the /etc/cups/mime.types file.

A CUPS print queue may not be fully enabled when created. It is sometimes necessary to force this by issuing the following commands: cupsenable <print_queue> and cupsaccept <print_queue>

  7. Create the following /etc/smb.conf file:

workgroup = OFFICESPACE
netbios name = Stapler
server string = Office Samba Server
security = share
load printers = yes
printing = CUPS
printcap name = CUPS

comment = Office Documentation
path = /data/documents
read only = no
force user = milton
force group = officespace

comment = Laser Print Spool
path = /var/spool/samba
printable = yes
guest ok = yes
use client driver = yes

  8. Enable the Samba and print daemons at boot time:

chkconfig smb on
chkconfig cups on

...and start both services:

service smb start
service cups start

Always use the testparm utility to test the syntax and validity of the Samba configuration file before starting the service!

  9. Reconfigure the workstations to become members of the OFFICESPACE workgroup and to use the Samba-shared printer.

NT-style Domain

Environment: Corporate headquarters, with 50 users, 60 Windows XP and Fedora client computers, used in Sales and Marketing, Finance, Information Services and Management departments. Several HP Laser Jet printers and a color laser printer. Subnet address is IP addresses - are reserved for various servers, .10 for Samba server. IP addresses are reserved for network printers. DHCP server assigns host address from the address pool - to client computers.


  • NT Domain-like logon services, using encrypted passwords
  • Each department has own file storage area, writable only by users from that department and accessible read-only by Management
  • Each user has own home drive, accessible only by user and not visible by anybody else
  • Common file storage area, writable for all users
  • Server-based user profiles for Windows users, providing the ability to use any Windows PC on the network, while retaining access to their own settings and data
  • Dedicated printers for Management and Finance, not accessible to other departments
  • Dedicated color printer for Marketing

Solution:

  1. Install Fedora and Samba server on a dedicated server computer
  2. Configure network interface eth0 with the IP address
  3. Configure iptables firewall to deny access to all services, except for ports 137, 138 (UDP) and 139, 445 (TCP)
  4. Create the following directories for Samba shares:

mkdir /home/{management,finance,technical,sales,general}

...and the directory for storing user profiles:

mkdir -p /home/samba/profiles

  5. Create user groups: management, sales, finance, technical, general:

for i in management sales finance technical general
do groupadd $i
done

...and corresponding user accounts, needed for simplified management of file permissions on shared directories:

for i in management sales finance technical general
do useradd -g $i $i
done

  6. Create Linux accounts for users, so that a user's primary group is the user's department group and the secondary group is general. Windows users do not need a shell environment on the Samba server, while IS team members all use Fedora clients and often require access to the Samba server through terminal-based SSH sessions, and thus need a full shell environment on the server. Examples:

useradd -g finance -G general -d /home/users/payroll_guy -s /bin/false payroll_guy
useradd -g technical -G general -d /home/users/stickster -s /bin/bash stickster

  7. Set Linux passwords for each user:

passwd <username>

Having a Linux password is a prerequisite to creating Samba passwords for users with the smbpasswd utility. If a user's Linux password does not exist, the smbpasswd -a <username> command is ignored and the Samba password is not set.

  8. Set the appropriate file and directory permissions on shared directories:

chown -R /home/finance
chmod -R ug+rwxs,o+rx,o-w /home/finance
chown -R /home/management
chmod -R ug+rwxs,o-rwx /home/management
chown -R sales.sales /home/sales
chmod -R ug+rwxs,o+rx,o-w /home/sales
chown -R technical.technical /home/technical
chmod -R ug+rwxs,o+rx,o-w /home/technical
chown -R general.general /home/general
chmod -R ug+rwxs,o+rx,o-w /home/general
chmod o+rwt /home/samba/profiles

The /home/samba/profiles directory must be world-writable for "on-the-fly" creation of the individual profile directories. The "sticky bit" (t) on this directory prevents users with write permission on the directory from renaming or deleting files or directories contained within it unless they are the owner of that file or directory.

  9. Create the appropriate CUPS print queues:

lpadmin -p prn1 -v socket:// -E
lpadmin -p prn2 -v socket:// -E
lpadmin -p prn3 -v socket:// -E
lpadmin -p prn4 -v socket:// -E

for i in prn{1,2,3,4}
do cupsenable $i
done

for i in prn{1,2,3,4}
do cupsaccept $i
done

  10. Configure SELinux to allow Samba shares. Allow sharing of the previously created directories:

for dir in management finance technical sales general; do chcon -R -t samba_share_t /home/$dir; done

Enable sharing of home directories:

setsebool -P samba_enable_home_dirs on

Enable Samba Domain operations:

setsebool -P samba_domain_controller on

  11. Move the default smb.conf file aside and keep it as a reference:

mv /etc/samba/smb.conf /etc/samba/smb.conf.orig

  12. Create a new /etc/samba/smb.conf file:


workgroup = CORPHQ
netbios name = WEREWOLF
server string = Corporate Samba Domain Controller

admin users = root, stickster

hosts allow =

printing = cups
printcap name = cups
load printers = yes

log file = /var/log/samba/%m.log

max log size = 50

socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

security = user
passdb backend = tdbsam
domain logons = yes
domain master = yes

logon path = \\%L\Profiles\%U

logon drive = H:

add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u

name resolve order = wins lmhosts bcast

wins support = yes

wins proxy = no

hide dot files = yes

comment = Home Directories
browseable = no
writable = yes

path = /home/samba/profiles
read only = No
create mask = 0700
directory mask = 0700

comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
printable = yes
use client driver = yes

comment = Management Share
browseable = yes
writable = yes
path = /home/management
valid users = @management
force user = management
force group = management
create mask = 0770
directory mask = 0770

comment = Finance Share
browseable = yes
writable = yes
path = /home/finance
valid users = @finance
read list = @management
force user = finance
force group = finance
create mask = 0770
directory mask = 0770

comment = General Share
browseable = yes
writable = yes
path = /home/groups/general
valid users = @general
read list = @management
force user = general
force group = general
create mask = 0770
directory mask = 0770

comment = Technical Share
browseable = yes
writable = yes
path = /home/groups/technical
valid users = @technical
read list = @management
write list = @technical
force user = technical
force group = technical
create mask = 0775
directory mask = 0775

comment = Sales And Marketing Share
browseable = yes
writable = yes
path = /home/groups/sales
valid users = @sales
read list = @management
force user = sales
force group = sales
create mask = 0770
directory mask = 0770

comment = Management Department Printer
path = /var/spool/samba
browseable = no
printable = yes
guest ok = no
valid users = @management
use client driver = yes

comment = Finance Department Printer
path = /var/spool/samba
browseable = no
printable = yes
guest ok = no
valid users = @finance
use client driver = yes

comment = Sales Department Printer
path = /var/spool/samba
browseable = no
printable = yes
guest ok = no
valid users = @sales
use client driver = yes

  13. Create Samba accounts for all users:

smbpasswd -a <username>

Enter the user's password when prompted.

  14. Enable the Samba and print daemons at boot time:

chkconfig smb on
chkconfig cups on

...and start both services:

service smb start
service cups start

Additional Information

Detailed Samba documentation, tutorials and FAQs are located at:

Related Web Sites

Related Manuals

Find more about specific Samba daemons and client-side utilities from the man pages included with Samba installation:

  • smbd(8)
  • nmbd(8)
  • winbindd(8)
  • samba_selinux(8)
  • smb.conf(5)
  • smbclient(1)
  • smbstatus(1)
  • smbpasswd(8)
  • findsmb(1)
  • nmblookup(1)
  • net(8)
  • smbtar(1)
  • testparm(1)

Further Reading

For aspiring and accomplished Samba administrators, some essential reading is Using Samba, 2nd edition. It covers Samba releases 2.2.x and 3.0.x.

Administering Samba in a large environment would most likely include fair amount of Windows administration, too!