SMB (Server Message Block) is a network protocol for file, printer, and serial port sharing; Samba is the open-source implementation that brings full SMB support to Linux, including Active Directory domain controller capabilities.

Addresses below are RFC 5737 documentation ranges or placeholders - swap in your own.

Table of Contents#

  1. Overview
  2. SMB Protocol Versions
  3. Samba 4 as Active Directory Replacement
  4. Server Installation
  5. Basic Share Configuration
  6. User Management
  7. Encryption and Security
  8. VFS Modules
  9. Performance Tuning
  10. Audit Logging
  11. Client Configuration
  12. Windows Interoperability
  13. Troubleshooting
  14. See Also
  15. Sources

1. Overview#

SMB is an application-layer network protocol originally developed by IBM and later extended by Microsoft. It provides shared access to files, printers, and named pipes between network nodes. The protocol operates primarily over TCP port 445 (direct hosting) and optionally over TCP port 139 (NetBIOS session service, legacy).

Samba is the standard open-source SMB implementation for Linux and other UNIX-like systems. It enables:

  • File and printer sharing with Windows, macOS, and Linux clients
  • Active Directory domain controller functionality (Samba 4)
  • Winbind integration for mapping Windows users to UNIX accounts
  • NT-style ACLs and Windows Security Descriptor support

2. SMB Protocol Versions#

Version | Introduced With | Key Features
--- | --- | ---
SMB 1.0 / CIFS | Windows NT 4.0 | Original protocol; insecure, no encryption; deprecated, disable in production
SMB 2.0 | Windows Vista | Reduced chattiness, compound requests, larger reads/writes
SMB 2.1 | Windows 7 | Oplock leasing, large MTU support
SMB 3.0 | Windows 8 / Server 2012 | End-to-end encryption, SMB Direct (RDMA), transparent failover, SMB Multichannel
SMB 3.0.2 | Windows 8.1 | Improved cluster support
SMB 3.1.1 | Windows 10 / Server 2016 | Pre-authentication integrity (SHA-512), AES-128-GCM encryption, mandatory secure negotiation

SMB 3.1.1 Features#

SMB 3.1.1 is the current recommended protocol version. Key improvements:

  • Pre-authentication integrity - SHA-512 hash chain prevents man-in-the-middle downgrades during negotiation
  • AES-128-GCM and AES-256-GCM encryption - faster authenticated encryption (replacing AES-128-CCM)
  • Mandatory secure negotiation - server can refuse connections that do not negotiate securely
  • POSIX extensions - optional POSIX byte-range locks, case-sensitive filenames, symlink support (used by Linux clients)

Enforcing Minimum Version#

# /etc/samba/smb.conf [global]
server min protocol = SMB3_00
client min protocol = SMB3_00

3. Samba 4 as Active Directory Replacement#

Samba 4 can function as a full Active Directory Domain Controller, providing:

  • Kerberos KDC - Heimdal Kerberos for authentication
  • LDAP directory - integrated LDB database compatible with AD LDAP schema
  • DNS - integrated DNS server or BIND DLZ backend
  • Group Policy - basic GPO support
  • Schema extensions - AD schema replication from Windows DCs

Provisioning an AD DC#

# Install Samba with AD DC support
sudo apt install -y samba smbclient winbind krb5-user

# Provision the domain
sudo samba-tool domain provision \
  --use-rfc2307 \
  --realm=EXAMPLE.COM \
  --domain=EXAMPLE \
  --server-role=dc \
  --dns-backend=SAMBA_INTERNAL \
  --adminpass='<password>'

# Start the Samba AD DC service
sudo systemctl enable --now samba-ad-dc

Joining an Existing AD Domain (as member server)#

sudo samba-tool domain join EXAMPLE.COM MEMBER \
  -U Administrator --realm=EXAMPLE.COM

Limitation: Samba 4 AD DC does not yet fully support forest trusts, and schema compatibility may vary with newer Windows Server versions. Test thoroughly before replacing a Windows DC in production.

4. Server Installation#

Debian/Ubuntu#

sudo apt update
sudo apt install -y samba

RHEL/CentOS/Rocky#

sudo dnf install -y samba samba-common samba-client

Arch Linux#

sudo pacman -S samba

Enable and Start#

sudo systemctl enable --now smbd nmbd

5. Basic Share Configuration#

Edit /etc/samba/smb.conf:

[global]
workgroup = WORKGROUP
server string = Samba File Server
security = user
map to guest = never
server min protocol = SMB3_00

[shared]
path = /srv/samba/shared
browsable = yes
read only = no
valid users = @smbusers
create mask = 0664
directory mask = 0775

Validate and apply:

# Check for syntax errors
testparm

# Restart services
sudo systemctl restart smbd

Common Share Parameters#

Parameter | Description
--- | ---
path | Filesystem path to share
browsable | Whether the share appears in network browsing
read only | If yes, clients cannot write
valid users | Users or groups (@group) allowed to connect
write list | Users or groups with write access (overrides read only = yes)
create mask | Default permissions for new files
directory mask | Default permissions for new directories
guest ok | Allow anonymous access (use with caution)
force user | Run all operations as this UNIX user
force group | Run all operations as this UNIX group
vfs objects | Load VFS modules for this share

6. User Management#

Samba maintains its own user database (passdb) separate from the system password file.

# Add a Samba user (must already exist as a system user)
sudo smbpasswd -a <username>

# Enable a disabled user
sudo smbpasswd -e <username>

# Disable a user
sudo smbpasswd -d <username>

# Delete a Samba user
sudo smbpasswd -x <username>

# List Samba users
sudo pdbedit -L -v

Using tdbsam (Default Backend)#

The default tdbsam backend stores credentials in /var/lib/samba/private/passdb.tdb. For larger deployments, consider LDAP-backed passdb via ldapsam.

7. Encryption and Security#

Transport Encryption#

# /etc/samba/smb.conf [global]

# Require encryption for all connections (SMB 3.0+)
server smb encrypt = required

# Per-share encryption
[confidential]
path = /srv/samba/confidential
smb encrypt = required

Encryption options:

Value | Behavior
--- | ---
off | No encryption
desired | Encrypt if client supports it
required | Reject connections that do not encrypt

Signing#

# Require message signing to prevent tampering
server signing = mandatory
client signing = mandatory

Restricting Protocols#

# Disable insecure protocols
server min protocol = SMB3_00
client min protocol = SMB3_00

# Restrict to SMB 3.1.1 only
server min protocol = SMB3_11
server max protocol = SMB3_11

Restricting Network Access#

# Only allow connections from specific subnets
hosts allow = 192.0.2.0/24 198.51.100.0/24
hosts deny = ALL
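As an added example (not Samba's own tooling; testparm remains the authoritative parser), the POSIX shell script below reads an smb.conf-style file and reports the settings this section hardens: minimum protocol, transport encryption, signing, guest mapping and guest-enabled shares. It assumes plain "key = value" lines under [section] headers and runs against two constructed configs.

```shell
# Added example, not Samba tooling: flag weak settings in an smb.conf-style file.
# Assumes plain "key = value" lines under [section] headers, as in the snippets above.

# get_param FILE SECTION KEY -> lowercased value (last match wins), empty if unset
get_param() {
  awk -v sect="$2" -v key="$3" '
    /^[ \t]*[#;]/ { next }
    /^[ \t]*\[/   { cur=tolower($0); sub(/^[ \t]*\[/,"",cur); sub(/\].*/,"",cur); next }
    cur==tolower(sect) && (i=index($0,"=")) {
      k=tolower(substr($0,1,i-1)); v=tolower(substr($0,i+1))
      gsub(/^[ \t]+|[ \t]+$/,"",k); gsub(/^[ \t]+|[ \t]+$/,"",v)
      if (k==tolower(key)) val=v }
    END { print val }' "$1"
}

# guest_shares FILE -> names of non-global sections that set "guest ok = yes"
guest_shares() {
  awk '
    /^[ \t]*[#;]/ { next }
    /^[ \t]*\[/   { cur=$0; sub(/^[ \t]*\[/,"",cur); sub(/\].*/,"",cur); next }
    tolower($0) ~ /^[ \t]*guest[ \t]*ok[ \t]*=[ \t]*yes/ && tolower(cur)!="global" { print cur }' "$1"
}

# smb_conf_findings FILE -> one line per weak setting; prints nothing for a clean file
smb_conf_findings() {
  f="$1"
  p=$(get_param "$f" global "server min protocol")
  case "$p" in smb3|smb3_00|smb3_02|smb3_11) ;;
    *) echo "server min protocol = '${p:-unset}' (want SMB3_00 or newer)";; esac
  e=$(get_param "$f" global "server smb encrypt")
  [ "$e" = required ]  || echo "server smb encrypt = '${e:-unset}' (want required)"
  s=$(get_param "$f" global "server signing")
  [ "$s" = mandatory ] || echo "server signing = '${s:-unset}' (want mandatory)"
  g=$(get_param "$f" global "map to guest")
  [ "${g:-never}" = never ] || echo "map to guest = '$g' (want never)"
  guest_shares "$f" | while IFS= read -r share; do echo "share [$share] sets guest ok = yes"; done
}

# Constructed sample configs written to a temp dir (not taken from a real host)
SMB_TMP=$(mktemp -d); WEAK_CONF="$SMB_TMP/weak.conf"; HARD_CONF="$SMB_TMP/hardened.conf"
printf '%s\n' '[global]' 'server min protocol = NT1' 'map to guest = Bad User' \
  '[public]' 'path = /srv/samba/public' 'guest ok = yes' > "$WEAK_CONF"
printf '%s\n' '[global]' 'server min protocol = SMB3_00' 'server smb encrypt = required' \
  'server signing = mandatory' 'map to guest = never' '[shared]' 'guest ok = no' > "$HARD_CONF"
smb_conf_findings "$WEAK_CONF"   # prints five findings
smb_conf_findings "$HARD_CONF"   # prints nothing
```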

8. VFS Modules#

VFS (Virtual File System) modules extend Samba's functionality by intercepting filesystem operations. Modules are loaded per-share or globally.

Module | Purpose
--- | ---
vfs_fruit | macOS compatibility (resource forks, Finder metadata, Time Machine)
vfs_recycle | Recycle bin for deleted files
vfs_shadow_copy2 | Windows "Previous Versions" via snapshots (ZFS, BTRFS, LVM)
vfs_acl_xattr | Store NT ACLs in extended attributes
vfs_full_audit | Comprehensive audit logging of all operations
vfs_catia | Character mapping for Windows-illegal filename characters
vfs_glusterfs | Serve GlusterFS volumes directly via libgfapi
vfs_ceph | Serve CephFS volumes directly via libcephfs
vfs_zfsacl | Native ZFS ACL support
vfs_streams_xattr | Store NTFS alternate data streams in extended attributes
vfs_crossrename | Allow rename across filesystem boundaries
vfs_worm | Write Once Read Many enforcement

Example: macOS Time Machine Share#

[timemachine]
path = /srv/samba/timemachine
browsable = yes
read only = no
valid users = @tmusers
vfs objects = fruit streams_xattr
fruit:time machine = yes
fruit:time machine max size = 500G

Example: Recycle Bin#

[shared]
path = /srv/samba/shared
vfs objects = recycle
recycle:repository = .recycle/%U
recycle:keeptree = yes
recycle:versions = yes
recycle:maxsize = 0

9. Performance Tuning#

Socket Options#

# /etc/samba/smb.conf [global]
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072

Note: On modern kernels with auto-tuning, overly specific socket options can reduce performance. Test with and without custom settings.

SMB Multichannel#

SMB Multichannel (SMB 3.0+) aggregates bandwidth across multiple network interfaces:

# Enable multichannel (enabled by default in Samba 4.15+)
server multi channel support = yes

Requirements: multiple NICs or multiple IP addresses on both server and client.

Asynchronous I/O#

# Use kernel AIO for better throughput
aio read size = 1
aio write size = 1

Oplocks and Leases#

Opportunistic locks allow clients to cache data locally, reducing network round trips:

# These are enabled by default; verify they are not disabled
oplocks = yes
level2 oplocks = yes

Large Read/Write Sizes#

# Increase maximum read/write chunk size (these parameters affect SMB1 only;
# SMB2/3 negotiate their own read/write sizes)
max xmit = 65535
read raw = yes
write raw = yes

General Recommendations#

Setting | Value | Reason
--- | --- | ---
use sendfile | yes | Kernel-level file transfer, bypasses userspace
min receivefile size | 16384 | Use splice for large writes
getwd cache | yes | Cache current directory lookups
strict locking | auto | Only check locks on contention

10. Audit Logging#

vfs_full_audit#

Provides detailed logging of file operations for compliance and security monitoring.

[audited-share]
path = /srv/samba/audited
vfs objects = full_audit
full_audit:prefix = %u|%I|%m|%S
full_audit:success = connect disconnect mkdir rmdir open rename unlink write
full_audit:failure = connect open rename unlink write
full_audit:facility = local5
full_audit:priority = notice

The prefix format tokens:

Token | Meaning
--- | ---
%u | Username
%I | Client IP address
%m | Client NetBIOS name
%S | Share name

Configuring Syslog#

# /etc/rsyslog.d/samba-audit.conf
local5.notice  /var/log/samba/audit.log

# Apply the new rule
sudo systemctl restart rsyslog
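As an added example (not part of Samba), the shell functions below parse audit records written with the prefix above (%u|%I|%m|%S) and summarize failed operations per client, which is the first thing to look at when reviewing /var/log/samba/audit.log. It assumes each record reads "<syslog header> smbd_audit: user|ip|netbios|share|op|ok-or-fail (reason)|args" and runs over constructed sample lines.

```shell
# Added example, not Samba's own tooling: summarize vfs_full_audit records.
# Assumes each record reads "<syslog header> smbd_audit: user|ip|netbios|share|op|status|args"
# where status is "ok" or "fail (reason)".

# audit_parse FILE -> tab-separated "user ip share op status lastarg" per record
audit_parse() {
  awk -F'|' '
    /smbd_audit: / {
      sub(/.*smbd_audit: /, "")                 # strip timestamp, host and ident
      st = ($6 ~ /^fail/) ? "fail" : "ok"       # "fail (Permission denied)" -> fail
      printf "%s\t%s\t%s\t%s\t%s\t%s\n", $1, $2, $4, $5, st, $NF }' "$1"
}

# audit_count FILE OP STATUS -> number of records for OP with STATUS (ok|fail)
audit_count() {
  audit_parse "$1" | awk -F'\t' -v op="$2" -v st="$3" '$4==op && $5==st { c++ } END { print c+0 }'
}

# audit_failures_by_client FILE -> "count user@ip" lines, busiest first, failures only
audit_failures_by_client() {
  audit_parse "$1" | awk -F'\t' '$5=="fail" { n[$1"@"$2]++ } END { for (k in n) print n[k], k }' | sort -rn
}

# audit_flag_clients FILE THRESHOLD -> user@ip pairs with at least THRESHOLD failures
audit_flag_clients() {
  audit_failures_by_client "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Constructed sample records (not captured from a real server)
AUDIT_LOG=$(mktemp)
cat > "$AUDIT_LOG" <<'EOF'
Jun  1 10:00:01 fs01 smbd_audit: alice|192.0.2.10|WS01|shared|connect|ok|shared
Jun  1 10:00:02 fs01 smbd_audit: alice|192.0.2.10|WS01|shared|open|ok|r|docs/report.txt
Jun  1 10:00:05 fs01 smbd_audit: bob|192.0.2.20|WS02|shared|open|fail (Permission denied)|r|hr/salaries.xlsx
Jun  1 10:00:06 fs01 smbd_audit: bob|192.0.2.20|WS02|shared|open|fail (Permission denied)|r|hr/bonus.xlsx
Jun  1 10:00:07 fs01 smbd_audit: bob|192.0.2.20|WS02|shared|unlink|fail (Permission denied)|hr/bonus.xlsx
Jun  1 10:00:09 fs01 smbd_audit: alice|192.0.2.10|WS01|shared|unlink|ok|docs/old.txt
Jun  1 10:00:10 fs01 smbd_audit: alice|192.0.2.10|WS01|shared|disconnect|ok|shared
EOF
echo "failed opens: $(audit_count "$AUDIT_LOG" open fail)"                # 2
echo "clients with 3+ failures: $(audit_flag_clients "$AUDIT_LOG" 3)"     # bob@192.0.2.20
```

Point the functions at the real audit.log once rsyslog is writing it; the threshold is a starting point to tune per share.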

Simple Logging#

For basic access logging without the full audit module:

# /etc/samba/smb.conf [global]
log file = /var/log/samba/log.%m
max log size = 10000
log level = 1

11. Client Configuration#

Linux CIFS Mount#

# Install the CIFS client utilities
sudo apt install -y cifs-utils

# Mount a share
sudo mount -t cifs //server/shared /mnt/share \
  -o username=<user>,password=<password>,vers=3.1.1

Using a Credentials File#

# /root/.smbcredentials (chmod 600)
username=<user>
password=<password>
domain=WORKGROUP

# Mount using the credentials file
sudo mount -t cifs //server/shared /mnt/share \
  -o credentials=/root/.smbcredentials,vers=3.1.1

Persistent Mount via fstab#

//server/shared  /mnt/share  cifs  credentials=/root/.smbcredentials,vers=3.1.1,_netdev,uid=1000,gid=1000  0 0

Automount with systemd#

# /etc/systemd/system/mnt-share.mount
[Unit]
Description=SMB Share Mount
After=network-online.target
Wants=network-online.target

[Mount]
What=//server/shared
Where=/mnt/share
Type=cifs
Options=credentials=/root/.smbcredentials,vers=3.1.1,_netdev

[Install]
WantedBy=multi-user.target

smbclient#

# Browse shares on a server
smbclient -L //server -U <user>

# Interactive session
smbclient //server/shared -U <user>

12. Windows Interoperability#

Setting Up SMB on Windows#

  1. Open Control Panel and navigate to Network and Sharing Center
  2. Click Change advanced sharing settings
  3. Enable Network Discovery and File and Printer Sharing
  4. Right-click the folder to share, select Properties, then the Sharing tab
  5. Click Advanced Sharing, check Share this folder, and configure permissions

Connecting to a Linux SMB Share from Windows#

\\server\shared

Enter the Samba username and password when prompted.

Permissions Model#

Access through Samba is governed by two layers of permissions:

  1. Share permissions - defined in smb.conf (read only, write list, valid users)
  2. Filesystem permissions - standard UNIX permissions or POSIX/NFSv4 ACLs

The most restrictive permission applies. For Windows-compatible ACLs, use:

[global]
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes

13. Troubleshooting#

Issue | Cause | Solution
--- | --- | ---
NT_STATUS_ACCESS_DENIED on connect | User not in Samba passdb, wrong password, or share permissions | Run smbpasswd -a <user>; verify valid users in share config
NT_STATUS_BAD_NETWORK_NAME | Share name misspelled or share not defined | Check smb.conf share name; run testparm to validate config
Connection timeout | Firewall blocking TCP 445 or 139 | Open ports: firewall-cmd --add-service=samba --permanent
Slow performance | SMB version mismatch, no multichannel, small buffers | Enforce modern protocol: server min protocol = SMB3_00; check socket options
Permission denied when writing | UNIX filesystem permissions more restrictive than share | Check and adjust chown/chmod on the share path; verify create mask and force user
macOS clients cannot connect | Missing fruit VFS module or protocol mismatch | Add vfs objects = fruit streams_xattr to the share
Windows "Previous Versions" not working | shadow_copy2 not configured or snapshots not available | Configure vfs objects = shadow_copy2; set shadow:snapdir and verify snapshots exist
smbclient works but mount fails | Missing cifs-utils package | Install: apt install cifs-utils or dnf install cifs-utils

See Also#

Sources#