Samba

File server implementing Windows SMB/CIFS protocol on Linux/UNIX. Provides Active Directory integration, printer sharing, and domain controller functionality.

File Server, SMB, CIFS, Windows Sharing, Active Directory, Linux, Domain Controller

Overview

Samba is open-source file server software that implements the Windows SMB/CIFS protocols on Linux/UNIX systems. It enables file sharing between Linux servers and Windows clients and provides Active Directory integration, printer sharing, and domain controller functionality. Released under the GPL v3 license, it is widely adopted as a standard solution for hybrid network environments in enterprise settings. Version 4 fully implements Active Directory Domain Controller functionality, achieving complete integration between Windows domains and Linux systems.

Details

As of 2025, Samba maintains its solid position as the definitive cross-platform file sharing solution. With over 25 years of development behind it, it offers a mature protocol implementation and excellent stability, and is widely trusted in enterprise environments. Its complete implementation of the SMB/CIFS protocols allows Windows clients to access Linux server resources transparently. Active Directory integration lets it join existing Windows domain environments, providing single sign-on (SSO), centralized authentication, and group policy management. It supports enterprise-grade file server features including printer sharing, file locking, access control lists (ACLs), and encrypted communication.

Key Features

  • Complete SMB/CIFS Implementation: Transparent integration with Windows environments
  • Active Directory Integration: Domain joining, SSO, and group policy support
  • Domain Controller Functionality: Complete AD DC implementation with Samba 4
  • Advanced Security: Kerberos authentication, LDAP integration, ACL control
  • Printer Sharing: Network printer sharing through CUPS integration
  • Flexible Configuration: Detailed access control and sharing configuration options

Pros and Cons

Pros

  • Overwhelming adoption rate as the standard for Windows file sharing in Linux environments
  • Complete integration with existing Windows Active Directory environments
  • Low-cost enterprise deployment through open-source licensing
  • Rich documentation and community support
  • High stability and proven track record in enterprise environments
  • Standard for file sharing in hybrid cloud environments

Cons

  • Requires specialized knowledge for initial setup and Active Directory integration
  • Many features depend on Windows domain environments
  • Complex performance tuning in large-scale environments
  • Configuration compatibility needs attention during version upgrades
  • Risk of configuration errors due to complex security settings
  • Management complexity in mixed environments with other protocols (NFS, etc.)

Code Examples

Installation and Basic Setup

# Installation on Ubuntu/Debian
sudo apt update
sudo apt install samba samba-common-bin

# Installation on CentOS/RHEL/Fedora
sudo dnf install samba samba-client samba-common

# Check service status (the units are named smb and nmb on CentOS/RHEL/Fedora)
sudo systemctl status smbd nmbd

# Enable and start services
sudo systemctl enable smbd nmbd
sudo systemctl start smbd nmbd

# Check version
smbd --version

# Check configuration file syntax
testparm

Basic Share Configuration (/etc/samba/smb.conf)

# Global settings
[global]
   workgroup = WORKGROUP
   server string = Samba Server %v
   netbios name = fileserver
   security = user
   map to guest = bad user
   dns proxy = no
   
   # Unicode filename support
   unix charset = UTF-8
   
   # Logging settings
   log file = /var/log/samba/log.%m
   max log size = 1000
   log level = 0 auth:2 sam:2

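# Public share (no authentication)
# With "map to guest = bad user" above, any client that can reach the server gets read/write access here as the guest account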
[public]
   comment = Public Share
   path = /srv/samba/public
   browsable = yes
   writable = yes
   guest ok = yes
   read only = no
   force create mode = 0666
   force directory mode = 0777

# Private share (authentication required)
[private]
   comment = Private Share
   path = /srv/samba/private
   browsable = yes
   writable = yes
   guest ok = no
   valid users = @sambausers
   force create mode = 0664
   force directory mode = 0775
   create mask = 0664
   directory mask = 0775

# User home directories
[homes]
   comment = Home Directories
   browseable = no
   read only = no
   create mask = 0700
   directory mask = 0700
   valid users = %S

User Management and Security Configuration

# Create Samba user group
sudo groupadd sambausers

# Create system user
sudo useradd -M -d /srv/samba/users/john -s /usr/sbin/nologin john
sudo usermod -a -G sambausers john

# Set Samba password
sudo smbpasswd -a john
sudo smbpasswd -e john  # Enable user

# List users
sudo pdbedit -L

# Show user details
sudo pdbedit -u john -v

# Delete user
sudo smbpasswd -x john
sudo userdel john

# Create share directories and set permissions
sudo mkdir -p /srv/samba/{public,private}
sudo chmod 777 /srv/samba/public
sudo chmod 775 /srv/samba/private
sudo chown -R root:sambausers /srv/samba/private

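# SELinux configuration (CentOS/RHEL)
sudo setsebool -P samba_enable_home_dirs on
# samba_export_all_rw lets smbd read and write files regardless of their SELinux label;
# with the samba_share_t labelling below it is not needed for /srv/samba
sudo setsebool -P samba_export_all_rw on
sudo semanage fcontext -a -t samba_share_t "/srv/samba(/.*)?"
sudo restorecon -R /srv/samba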

Active Directory Integration Setup

# Install required packages (Ubuntu)
sudo apt install krb5-user krb5-config winbind

# Kerberos configuration (/etc/krb5.conf); written via sudo tee because the file is root-owned
sudo tee /etc/krb5.conf > /dev/null << 'EOF'
[libdefaults]
    default_realm = COMPANY.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true

[realms]
    COMPANY.LOCAL = {
        kdc = dc1.company.local
        admin_server = dc1.company.local
    }

[domain_realm]
    .company.local = COMPANY.LOCAL
    company.local = COMPANY.LOCAL
EOF

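# Active Directory join configuration (/etc/samba/smb.conf)
# This overwrites the existing file, including any share definitions, so keep a copy first
sudo tee /etc/samba/smb.conf > /dev/null << 'EOF'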
[global]
   security = ADS
   realm = COMPANY.LOCAL
   workgroup = COMPANY
   winbind separator = +
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = yes
   winbind nested groups = yes
   winbind refresh tickets = yes
   winbind offline logon = true
   template shell = /bin/bash
   template homedir = /home/%D+%U
   idmap config * : backend = tdb
   idmap config * : range = 10000-299999
   idmap config COMPANY : backend = rid
   idmap config COMPANY : range = 300000-999999
EOF

# Join domain
sudo net ads join -U administrator

# Configure Winbind
sudo systemctl enable winbind
sudo systemctl start winbind

# NSS configuration (/etc/nsswitch.conf)
# Append winbind to the passwd and group lines unless it is already listed
sudo sed -i -E '/^(passwd|group):/{/winbind/!s/$/ winbind/}' /etc/nsswitch.conf

# Verify AD users
wbinfo -u
wbinfo -g
getent passwd COMPANY+administrator

Advanced Configuration and Performance Tuning

# High performance settings (/etc/samba/smb.conf)
[global]
   # Protocol settings
   min protocol = SMB2_10
   max protocol = SMB3_11
   
   # Performance tuning
   socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=524288 SO_SNDBUF=524288
   read raw = yes
   write raw = yes
   max xmit = 65535
   dead time = 15
   getwd cache = yes
   
   # Locking settings
   kernel oplocks = no
   level2 oplocks = yes
   oplocks = yes
   
   # VFS modules
   vfs objects = acl_xattr, catia, streams_xattr
   
   # Encryption settings
   # "desired" encrypts only when the client supports it; "required" rejects unencrypted sessions
   smb encrypt = desired
   
   # Logging settings
   log level = 1 auth:2 winbind:2

# High-speed share configuration example
[fastshare]
   comment = High Performance Share
   path = /srv/samba/fast
   read only = no
   browseable = yes
   
   # Performance optimization
   use sendfile = yes
   aio read size = 16384
   aio write size = 16384
   aio write behind = true
   
   # Cache settings (write cache size was removed in Samba 4.12; newer versions report it as an unknown parameter)
   write cache size = 262144
   
   # Sync settings
   sync always = no
   strict sync = no
   
   # ACL settings
   inherit acls = yes
   inherit permissions = yes
   map acl inherit = yes

Monitoring and Troubleshooting

# Check connection status
sudo smbstatus

# List shares
smbclient -L localhost -U%

# Test connection to specific share
smbclient //localhost/public -U%

# Test configuration file
testparm -s

# Monitor logs
sudo tail -f /var/log/samba/log.smbd
sudo tail -f /var/log/samba/log.nmbd

# Performance statistics
sudo smbstatus --processes
sudo smbstatus --locks

# Network diagnostics (listening SMB/NetBIOS ports)
sudo ss -tlnp | grep -E ':(445|139)[[:space:]]'

# Firewall configuration (UFW)
sudo ufw allow samba

# Firewall configuration (firewalld)
sudo firewall-cmd --permanent --add-service=samba
sudo firewall-cmd --reload

# Process management
sudo systemctl reload smbd nmbd winbind
sudo systemctl restart smbd nmbd winbind

# Active Directory connection verification
net ads testjoin
wbinfo -t
kinit administrator
klist

Security Hardening and Best Practices

# SSL/TLS certificate setup
sudo mkdir -p /etc/samba/tls
sudo openssl req -new -x509 -days 365 -nodes \
    -out /etc/samba/tls/smbd.pem \
    -keyout /etc/samba/tls/smbd.key

# Set certificate permissions
sudo chmod 600 /etc/samba/tls/smbd.key
sudo chmod 644 /etc/samba/tls/smbd.pem

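# Add security settings (/etc/samba/smb.conf)
# The [global] header matters: without it, appended lines fall into the last share section, where global parameters are not applied
sudo tee -a /etc/samba/smb.conf > /dev/null << 'EOF'

[global]
# TLS settings (these cover the AD DC LDAP service; SMB traffic is encrypted with "smb encrypt")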
tls enabled = yes
tls keyfile = /etc/samba/tls/smbd.key
tls certfile = /etc/samba/tls/smbd.pem

# Security hardening
ntlm auth = disabled
lanman auth = no
client plaintext auth = no
client ntlmv2 auth = yes
client use spnego = yes

# Access control
restrict anonymous = 2
null passwords = no
obey pam restrictions = yes

# Audit logging (takes effect only where "vfs objects" includes full_audit)
full_audit:prefix = %u|%I|%m|%S
full_audit:success = open opendir
full_audit:failure = all
full_audit:facility = LOCAL7
full_audit:priority = NOTICE
EOF

# Regular backup script example
sudo tee /etc/cron.daily/samba-backup > /dev/null << 'EOF'
#!/bin/bash
# Samba configuration backup
# The backup holds password hashes (passdb.tdb) and the TLS private key, so keep it root-only
umask 077
BACKUP_DIR="/backup/samba/$(date +%Y%m%d)"
mkdir -p "$BACKUP_DIR"

# Backup configuration files
cp -r /etc/samba/ "$BACKUP_DIR/"
cp /etc/krb5.conf "$BACKUP_DIR/"
cp /etc/nsswitch.conf "$BACKUP_DIR/"

# Backup user database
tdbbackup -s .bak /var/lib/samba/private/passdb.tdb
cp /var/lib/samba/private/passdb.tdb.bak "$BACKUP_DIR/"

# Remove old backups (30 days retention); only the top-level dated directories are considered
find /backup/samba/ -mindepth 1 -maxdepth 1 -type d -mtime +30 -exec rm -rf {} +
EOF

sudo chmod +x /etc/cron.daily/samba-backup
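
An added example (not part of the original page or of the Samba project): a small Python check that parses smb.conf text and flags settings the configurations above make easy to get wrong, namely guest-writable shares, world-writable force modes, SMB1-era protocol floors, and global parameters placed inside a share section. The sample config, the function names and the GLOBAL_ONLY subset are constructed for illustration.

```python
import re
# Constructed sample, modelled on the share definitions shown on this page.
SAMPLE = """\
[global]
   server min protocol = NT1
[public]
   guest ok = yes
   read only = no
   force directory mode = 0777
[homes]
   ntlm auth = disabled
   restrict anonymous = 2
"""
TRUE = {"yes", "true", "on", "1"}
SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}
# Illustrative subset of parameters that smb.conf(5) marks as global (G).
GLOBAL_ONLY = {"ntlmauth", "lanmanauth", "restrictanonymous", "nullpasswords",
               "maptoguest", "serverminprotocol", "tlsenabled"}

def parse(text):
    """Return {section: {key: value}}; smb.conf keys ignore case and spaces."""
    conf, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            conf.setdefault(section, {})
        elif section and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            conf[section][re.sub(r"\s+", "", key).lower()] = value.strip()
    return conf

def audit(text):
    """Return (section, finding) pairs for settings worth a second look."""
    findings = []
    for section, p in parse(text).items():
        guest = p.get("guestok", p.get("public", "no")).lower() in TRUE
        writable = (p.get("readonly", "yes").lower() not in TRUE
                    or p.get("writable", "no").lower() in TRUE)
        if section != "global" and guest and writable:
            findings.append((section, "guest-writable share"))
        for key in ("forcecreatemode", "forcedirectorymode"):
            if int(p.get(key, "0"), 8) & 0o002:
                findings.append((section, f"{key} sets the world-writable bit"))
        if p.get("serverminprotocol", p.get("minprotocol", "")).upper() in SMB1_DIALECTS:
            findings.append((section, "SMB1 dialect allowed"))
        misplaced = sorted(GLOBAL_ONLY & p.keys()) if section != "global" else []
        findings += [(section, f"global parameter '{k}' is not applied in a share") for k in misplaced]
    return findings
```

Run `audit(open("/etc/samba/smb.conf").read())` alongside `testparm -s`, which reports misplaced global parameters itself but does not judge guest access or file modes.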