User administration

How to create users

In general each samba user needs a corresponding UNIX/Linux account, which means before adding a Samba user, the appropriate UNIX/Linux user must be created first.

Create users under Unix/Linux

useradd -c 'Samba User' -s '/bin/false' User

Create users in /smbpasswd

smbpasswd -a User

How to delete users

Delete users from smbpasswd

smbpasswd -x User

Delete users under UNIX

userdel User

User administration with the GUI

You then will find the newly created users in the GUI, the user "samba" is present, because it exists as well as the samba guest account by default.

If you use samba in the PDC mode (Beta!) you will find another field, which shows if its a user or a Client account. The GUI offers a menu option to add Client accounts.

Username: The name of the user always type the letters in lowercase -> UNIX conform

Password: Shows if a password is set

Status: Indicates wether the user is active or inactive in smbpasswd

Use the options to:

description
activate the user,
deactivate the user,
change the users password,
delete the user or
set a new user.

Add new users with the GUI

Enter the user name (please pay attention to the lowercase) and password. By default there are 2 Samba groups on the IPFire (the sambausers and sambawks) and the UNIX login Shell is set to/bin/false. The Unix group as well as the UNIX Shell should not be modified, so it wont be possible for the user to use a SSH (or equivalent) connection to log into the IPFire. The samba user remains untouched by this feature.


Create a Samba share

With the webinterface is it possible to modify, create or delete individual shares. The information is stored in the file /var/ipfire/samba/shares and will be assembled in the samba.conf with the following options:

If you use CUPS, a further section is inserted automatically, with which its possible to share printers over the network. The information will be stored in the file /var/ipfire/samba/printers/ and added to the smb.conf.

If you create a new share, you will find a text field to enter more options. Please be aware to always write the name of the share in the first line in this form [name].

The GUI will then detect it as a share. It is possible to add a small summary, if some options are not common or need an explanation. If you have enabled Java script, a Pop Up will follow, otherwise another window will be opened.

Use the same window to delete or modify Shares.

Note! In this text field is it possible to enter more than one share. Add them in a row, as if you would write them into smb.conf.

Before testing, make sure the path exists on your ipfire server, e.g.
mkdir /var/ipfire/samba/share1


Global Samba Options

Under samba global options, feel free to enter almost any options which are available in the global area in the smb.conf.

We tried to build up individual option groups for your readability.

Global default adjustments for the shares are not shown (coz we didnt want it ;-) ) - NO, no neccesary setting are to be made here.

Basic options

In the basic options adjust the name of the Windows Workgroup, the Netbios WINS name of the Samba server as well as the server string, which is served under Windows as a type description field. With the log level you can adjust the verbose mode of the individual daemons. With Samba 3 it is possible to operate the individual deamons in different levels. A higher log level means more information - and more system load. If you see problems with Samba, you may get useful information by increasing the debuglevel. The individual Logs can be directly be viewed over the GUI. In the smb.conf the Bind interface "only" is set to "true", so that samba does not listen by default on all interfaces a little more security), but it still exists a possibility to permit individual interfaces over the radio button or edit them directly via the input field "IP´s / networks / interfaces".

By default Samba is active only on the green interface .

Security options

Here you can adjust the Security mode. It is advisable to use the "share mode" for an all access file server and the "user mode" for a file server with authentication. Find more under Samba general.

Again: it is possible to operate in "share mode" with authentication. You also can adjust the "map to Guest" behavior; the behaviour of Samba, if unknown users wants to log-on. With the option "Never" they will be rejected and no access takes place.

With "bad user" all users typing a false password will be rejected and the access will be granted to all unknown users as guest.

With "map to Guest", "bad user" and "security level" users can be created on a samba server to enable access to shares without username/password or shares with user authentication.

The mode "bad password" redirects all users with a wrongly typed password directly to the guest account. This may be dangerous, because a user may find him/herself in a strange situation without knowing why (Why the hell am i here? ;-) - yesterday it looked absolutely different), but no user will meet his/her admin and say: I entered a wrong password, because Samba gives no appropriate acknowledgement here and the password query is exactly the same as with a correct password, only the access rights are different.

Network options

Over the OS level you can determine, whether samba is the master for WINS in a network. This may be less important in a home network, but this option may be relevant, if you operate 2-3 servers. Over the Socket option you can control the behaviour of samba during the network transfer. Some default options are already inserted. If you find problems with the performance with the samba server, you may delete these options and samba will still operate. With the option "remote Announce" is it possible to transmit WINS information over the normal broadcast domain boundaries . If you for example run several “servers/subnets” , these can announce the WINS names into other (sub-)networks. With the option WINS support you can control whether samba should act as WINS server or not, by default it is activated; if you deactivate this option, you may enter other WINS server.

Note! If you have Windows10 clients it is important to enable the SMB2 protocol.


Samba status

Here you will find the output of "smbstatus", which is more or less an 1:1 output of an OS command. You will find the connected users and their open shares. If you didnt start Samba before or no user is connected with the freshly created samba, an error message will appear here. With this option you easily will find an overview of the connections to samba and see who opened what files and if files may get “processed/closed”.

Samba Protocol

Find all Samba Logs here, check errors, or simply inform yourself who, when and how accessed the Samba server. With the dropdown menu select the appropriate log and read x lines of the chosen Log in the GUI.

Remember: With the parameter Log Level in the global smb.conf you can adjust what (and how much) should be logged.

Testing your configuration

On your client, install the packages

apt install smbclient cifs-utils

Get an overview over your shares for user samba with

smbclient -U samba -L ipfire.localdomain

and mount them by typing on your client

mount -t cifs -o username=samba,uid=username_on_client //ipfire.localdomain/Share /mnt/mountpoint_on_client

By this, you log in to the server ipfire.localdomain with the username samba, and access the Server's share Share. If the server does not provide ownership information of the files, the client computer allows its user username_on_client to own them.
See also the man page of mount.cifs