A Quick Start to Samba

NOTE. This article is somewhat dated. I have two other articles that might also be useful to the beginner. One deals with some common problems when using samba with Fedora and the other one is about using Samba in a Windows Active Directory domain.

Samba is one of those things that isn't that hard to set up for the home network. Both at home and at work, I primarily use samba to store files and as print server on a *nix box for MS clients. Therefore, most of this article is about accessing the *nix box from Windows.

Additionally, you'll see that I don't mention Swat, the graphic tool to manage Samba. I'm used to editing configuration files, and have found (not with Swat, but in other cases) that GUIs don't always work the way they're supposed to work. I guess I'm getting more traditional in my old age.

There is a good deal of documentation available at samba.org. Most distributions also install documentation.

I primarily use samba 3.x on FreeBSD. I will mention a few of the changes between samba 2.x and 3.x in the course of the article. FreeBSD puts most things in /usr/local. Your system might be different. For example, in most Linux distibutions, samba configuration files are in /etc or /etc/samba. It might be called smb.conf, smb.conf.sample, or something similar. The file that samba will actually use is smb.conf, so if it has some sort of other name such as sample, default or the like, make a copy and call the copy smb.conf.

Much of the file will have samples and reasonable defaults. Comments are either done by prefacing the line with a semicolon or # sign.>p>

We already have the /tmp directory, which is mode 777 (everyone can read and write to it) by default. Let's create a directory called samba that we can use for testing. We can do a 777 on this one too, for the moment--at this point, we're just trying to get Samba working

mkdir /tmp/samba
chmod 777 /tmp/samba

Ok, we now have a directory called samba. For the moment, let's assume you have the user john on the Windows box. His password is password. So, the next step is to create the user john on the samba box. As root

adduser john

Depending upon your distro, you'll be asked for various things---you can usually settle for the defaults. The password can be different than his password on the MS box.

Next, we have to add john to the smbpasswd file.

This is one change between samba 2 and 3. In samba 2, the usual method was

smbpasswd -a john

The first time you add a user with smbpasswd you'll get some sort of error message that the file doesn't exist--this can safely be ignored. You'll be asked for confirmation of the password. This password has to be the same as his password on the MS box. It can be different than his usual Linux password.

The biggest change that I've noted from my own fairly simple use of samba is that smbpasswd is deprecated. In smb.conf there is an entry passdb backend = The comments explain it fairly well. You can still use smbpasswd and put it there, use the default of tdbsam or use ldapsam. If using the suggested tdbsam you can leave the line alone.

To use tdbsam instead of smbpasswd -a you would use

pdbedit -a -u john

This will add username john's MS password. There are various ways to migrate your smbpasswd data base to tdbsam but that's beyond the scope of this simple article.

As user john, place a file in the /tmp/samba directory. Open up your favorite text editor and type something profound like hello world. Save it as /tmp/samba/hello.txt

Ok, we're ready to start playing with smb.conf Look at the line in [global]

workgroup = MYGROUP

That is Samba's default--Windows' default is WORKGROUP. You can change smb.conf to read WORKGROUP or change MS's to read MYGROUP, which will probably involve a restart. I usually change the MS name--don't remember when I got into that habit, but it's my habit. (I recently noticed that Mark Minasi, well known MS author, in his book about Linux for the NT Admin also agrees with that.)
Gentoo, at least at one point, changed the default to the MS default WORKGROUP. I don't know if that's still the case.

In older versions of samba, there was a commented line in the configuratoin file for encrypted passwords. As every Windows system from Win98 Second Edition needs encrypted passwords enabled in samba to work, encrypted passwords are enabled by default. (Windows 95 and the original Windows 98 didn't need them.) Look at the sample [tmp] section in smb.conf. The default path is /tmp. While testing it, change it to /tmp/samba and uncomment it.

For the home network, there's a good chance that that's all you'll have to edit. I think Samba rereads smb.conf every 60 seconds or so, but have also heard that it can be problematic, so let's force it to reread it by restarting it. First, however, we type, at a command prompt


That will take a glance at smb.conf for us and make sure that we haven't committed any grievous syntax errors. Hopefully, it'll tell you that it's ok. Now to restart Samba

In FreeBSD, assuming you've enabled Samba in /etc/rc.conf
/usr/local/etc/rc.d/samba restart

You should see that both smbd and nmbd are stopping and restarting.

Next we'll try


Once again try smbstatus. We want to get something like
Samba version 2.2.0a
Service      uid      gid      pid     machine

No locked files

Many default filewalls, usually chosen during installation, won't allow Samba to go over the network. To fix this, we now have to modify pf, iptables or whatever you're using. For pf, you can see my pf page.

Almost all Linux distributions now have a graphic interface for modifying iptables, but if not, this might help

Do a listing of iptables with line numbers

iptables -L -n --line-numbers

See where the first rejection is, it's usually around line 4 or 5. So, if your network is one of 192.168.1.x and the first line rejecting things is at line 5 at a command prompt type

iptables -I INPUT 5 -s -p udp -d 0/0 --dport 137:139 -j ACCEPT
iptables -I INPUT 6 -s -p tcp --syn -d 0/0 --dport 137:139 - ACCEPT

If you're going to be using Samba all the time, you'll want to make these changes permanent. In RH, it used to be (not sure if this this still the case in Fedora)
>iptables-save > /etc/sysconfig/iptables

However, keep in mind that this does open port 139, used for RPC (remote procedure calls) and considered, according to grc's website a security risk.

Another thing that sometimes becomes necessary is to go to your /etc/hosts file and add your machine's name to it. So, let's say that john's Linux box is called john.localhost. If we open /etc/hosts with a text editor we'll see something like

# $FreeBSD: src/etc/hosts,v 1.16 2003/01/28 21:29:23 dbaker Exp $
# Host Database
# This file should contain the addresses and aliases for local hosts that
# share this file.  Replace 'my.domain' below with the domainname of your
# machine.
# In the presence of the domain name service or NIS, this file may
# not be consulted at all; see /etc/nsswitch.conf for the resolution order.
::1			localhost localhost.my.domain		localhost localhost.my.domain 
# Imaginary network.
#		myname.my.domain myname
#		myfriend.my.domain myfriend
# According to RFC 1918, you can use the following IP networks for
# private nets which will never be connected to the Internet:
#	-
#	-
#	-
# In case you want to be able to connect to the Internet, you need
# real official assigned numbers.  Do not try to invent your own network
# numbers but instead get one from your network provider (if any) or
# from your regional registry (ARIN, APNIC, LACNIC, RIPE NCC, or AfriNIC.)

Under that line we add the machine's IP address. If for example, it's we add john.localdomain john

The entry is the IP address, the machine's full name and then the alias (which is what Windows will be using.)

Next let's try smbclient -L john -N

If a username and password are required, then the syntax would be, if the username was robert
smbclient -L john -U robert 

It will then ask for robert's password.

(This might have the same effect as adding that "john" entry to /etc/hosts.) Hopefully, you'll get a message showing sharename, etc.

Now, let's go over to the Windows box. We'll start with, again assuming that the machine john is

nbtstat -a

With luck you'll get back something like:
 JOHN          <00>  UNIQUE      Registered
 JOHN          <03>  UNIQUE      Registered
 JOHN          <20>  UNIQUE      Registered
 MYGROUP   <00>  GROUP       Registered
 MYGROUP   <1E>  GROUP       Registered

 MAC Address = 00-00-00-00-00-00

If we do, that's a good sign that things are going well.

Try net view \\john

If you see
Shared resources at \\john

Samba Server

Share name  Type  Used as  Comment

tmp         Disk
The command completed successfully.

then you're in good shape.

Now, go into Network Neighborhood, or My Network Places and see if the Samba server is visible. You might see John's home directory, but it may be inaccessible. You should, however, also see one tmp on Samba Server (john) that should be accessible. Double click on it and see if you see your hello.txt. If so, see if you can open it and write to it. If so, you're done.

There used to be, in the samba docs, (usually in /usr/share/doc (this depends upon OS and distro--for example, in FreeBSD it's in /usr/local/share/doc/samba) a very helpful document called DIAGNOSIS.txt. It gave several troubleshooting tips. This seems to have been replaced by a Trouble Shooting section in the Samba-HOWTO-Collection.pdf. You'll need xpdf or another pdf reader for it. The Howto collection can also be found online at samba.org. The troubleshooting guide is here at time of writing. (March 2008)

Hopefully, your Samba is now working. Now that we've tested it successfully, we can get rid of that /tmp/samba directory that is open to all.

rm -r /tmp/samba

After doing this, I usually go back into /etc/samba/smb.conf and recomment the /tmp section, replacing the semicolons in front of the lines. Next, I uncomment the homes section. (I leave the browseable = no ). This allows user John to use the /home/john directory on the Samba box.

Running testparm will give a message that there's no /tmp path, and it is using the default /tmp but I haven't found this to be a problem

Accessing the Windows box from the Linux box

This is one that I haven't done too frequently. However, on occasion I've downloaded something while in Windows that I needed to transfer to another Linux box. So, there's a few ways to do this. The quick and dirty way is the way that I've done it without problem.

So, first share the directory--errr, folder, on your Windows box. For this example, on the Windows box, which will be named john1, we're sharing a folder called downloads. So, first share the folder. In Win9x, right click Network Neighborhood, left click Properties click the file and print sharing button, and you'll get a dialog box saying I want to give others access to my files. Click it, set up the password for the files, click Ok, and possibly apply. You'll have to restart.

On NT, 2K and XP you right click the folder in My Computer, click sharing and security, and the rest is pretty obvious. If you have any trouble with it, then look at the 2K or XP help files, which are far less obscure than the Linux man pages, under file sharing.

Now, on the Linux box

smbclient //john1/downloads

This can also be done with backslashes as in standard MS UNC (Universal Naming Convention) paths. However, if done that way, each backslash has to be doubled, since Unix treats it as an escape character, meaning a character that tells you to ignore the special characteristics of the following character. So, if you really want to use backslashes

smbclient \\\\john1\\downloads

You should get something back like

Unknown parameter encountered: "ssl CA certFile"
Ignoring unknown parameter "ssl CA certFile"
added interface ip= bcast= nmask=
Got a positive name query response from ( )
Domain=[MYGROUP] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]

The part about the ssl CA certfile can be ignored on a home network--this has to do with security certificates.

You're now connected to the windows box. In this case, we're simply copying a file to user john's home directory. So, let's say the file is file.tar.gz.

get file.tar.gz

This will copy the file over to the directory that you were in when you started this command. So, if you logged in as user john, the file will now be in /home/john

Keep in mind that the user john must have an account on the john1 Windows box. Suppose John's friend Bob also has an account on the Linux box but no account on the Windows one. If he tries to connect the Windows box this way, once he types in the password, even if it's the correct password, he'll still get an access denied error if he logged onto the Linux machine as bob.

The other way to do this is to mount the share. I think you can configure /etc/fstab to do this automatically, but as I have small use for it, I haven't looked into it. As long as you have support for smbfs compiled into your kernel you could first make a directory for it

mkdir /mnt/smb
Then you can mount the share

mount -t smbfs -o username=john,password=password //john1/downloads /mnt/smb

Of course, you usually have to be root to mount something, so that raises other nuisances--therefore, I've only done it this way once. I suspect that if you had a real need for it, the easiest way would be to edit /etc/fstab, which I haven't investigated. I've heard that you can get around this using smbmount instead of mount, but again, I haven't played with it.

FreeBSD has slightly different syntax. With that, I've only used it to mount shares in an NT domain. I've always found using NETBIOS names with this to be a bit iffy, so I usually use the IP address. (However, for the user name, I use the NETBIOS name as shown in the example below)

So, say I want to mount a share called common, on an NT server that has the IP address of The server's NETBIOS name is BDC2. I have a directory in my home directory called common. My user name on the NT domain is john and my password is 1234.

mount_smbfs -I //john@BDC2/common common

You can view the man mount_smbfs page for more information on other options, but this works for me.

In Linux, the syntax would be somewhat different. The simplest is probably
mount -t smbfs -o username=john,password=1234 // common

If your browser broke that, it should be on one line. You can leave out the password and simply be prompted for it after typing the command. Note that if you do include both the username and password in the -o section, it should be typed as I have it, with no space between the comma separating john and password. If the samba server is in your /etc/hosts, that is, if you can ping it by name (rather than IP) you can substitute the machine name for the IP address in the above example.


I've done very little with printing and samba. At work, we're still using NT servers, although I've set up a few folks on some FreeBSD servers that we're going to use.

In RedHat, it pretty much worked out of the box. I installed the cups RPM, added the printer (a locally connected HP Deskjet 840c) through the web interface, and I think it worked. (It was quite awhile ago, so I'm not sure of the exact details). These days, however, I just use FreeBSD as a print server. For the basic setup, I'm going to send you to The excellent Gentoo Desktop Guide. In the printing section, although it's specific to Gentoo Linux, he gives the basic configurations using cups and samba. One thing to keep in mind is that cups uses port 631, so you may have to add an iptables rule that allows it. Follow the same syntax given above, for allowing ports 137:139 (although with cups, just allowing protocol -tcp should be sufficient).

I've also sometimes gotten a message on the MS box that access will be denied, though you will still be able to print. Some who saw this article sent me a quick email (To the person who sent it, I'm sorry I didn't follow up at the time, and therefore cannot give you proper credit.)
He pointed out that adding the lines

use client driver = yes

to smb.conf gets rid of that access denied error message.

The last thing I'll mention has to do with the 840c HP Deskjet. For some reason (I never researched this thoroughly, just found out about it and found that it worked) it doesn't work with the 840c driver on Win2k. However, if you install it as a 660c everything works as it should. Recently, I had to reinstall Win2k, had forgotten about this, and spent two days examining cups and samba logs, trying to figure out what was wrong. Reinstalling it as a 660c fixed the problem immediately. This also holds for WinXP.

Directory Permission Issues

One thing that seems to, judging from mailing lists and forums, get missed, is what do to about users creating files. For instance, if I have the samba share /usr/smiths I want everyone from the smiths group to be able to read and write to it. However, if user jsmith creats a file, no one else can write it.

There are a few options in smb.conf to take care of this. They are user mask, directory mask, force create mode and force directory mode. In this case, I find that what works best for me is adding the lines

force create mode = 0770
force directory mode = 0770

This way, if jsmith creates a file or directory in the smiths directory, everyone can write to it. (In this particular situation, this is what we want, if you don't want that, you can leave things at the default and only jsmith can write to his own files and directories.)

WINS Servers

I ran into this one recently at work. Our NT WINS server is aging, and we decided to replace it with a FreeBSD box running samba. This was trivial. I had to add the line--err, no, I think I just had to uncomment it--that says
wins support = yes

Believe it or not, if all the clients are MS clients, that's all that has to be done. In our case, the only trouble was with the other samba servers. According to the samba docs, one can add them to the wins.dat database (in FreeBSD, found in /var/db/samba) but it didn't seem to be working. Rather than research it, as all the samba boxes have all the others in their /etc/hosts, I just added the line

name resolve order = wins host

to smb.conf. This fixed it so that the MS clients were able to find the samba servers.

When in Doubt, RTFM

If you have special needs, you might find that reading man(5) smb.conf will help. There are many options not included in the sample default smb.conf.

For example, I had a situation where I wanted a directory where two people could write, delete and alter files. There were a few other people who had to have read access. We wanted everyone else kept out.

A quick look at man(5) smb.conf showed me the read list option. In this case, suppose the directory was called accounting. I wanted the two accountants to have full control of files in the directory and I also wanted the 5 people in sales to have read access. So, I created the directory with 770 permissions, full control for owner and group. I left the owner at root. I created a group called acctsales and added the 2 accountants and 5 salespeople. Now, I add the read list option to that share's section in smb.conf. In our example, the salespeople have user names of bob, carol, ted, alice and john. We add their names, separated with commas, to the read list for the acctsales share.
read list = bob, carol, ted, alice, john

Now, even though the directory has 770 permissions, bob, carol, ted, alice and john can only read files in the directory, they can't write to them.

Well, that's about it. Hopefully, this will enable you to get your Samba network up and running. For more sophisticated uses, there is a great deal of documentation, but it is my hope that this page gets you started.