Samba configuration: the ultimate cargo cult

Posted on by

Samba is a magical tool that allows *nix and Windows machines to coexist in some forms of peace. It’s particularly helpful when you want to share files across platforms. I’ve maintained Samba servers at work and at home for nearly a decade now and I don’t pretend to understand it.

Over the years, I’ve come to view Samba as the poster child for cargo cult system administration. I suspect most people Google for their problem and apply whatever magic totem fixes it, without really understanding what’s actually going on. They share this knowledge and perpetuate the magical configuration. Allow me to do the same.

For one of the applications we support at my current job, our normal cluster configuration is a Linux file server with Windows execute nodes. The server provides anonymous read/write access to the execute nodes and forces the user server-side. (It’s a closed environment, so this is just a lot simpler.) During a recent project, we were doing a customer’s first foray into the cloud. We started from a configuration that we used for another customer running the same application. Oh, but this customer uses RHEL 6 servers, so we switched the setup from the RHEL 5 images we had been using.

Crap. That broke it. For some reason, the clients couldn’t write to the file server. After a late night of frantic effort (this was a project with a short timeline), we found we needed to add the following lines:

guest account = rap
map to guest
valid users = rap, @rap
force group = rap
guest ok = yes

That seemed to solve the problem. Apparently there were some changes between the versions of Samba in RHEL 5 and 6. But then we discovered that hosts would start to write and then become unable to access the share. So we added the following:

writeable = yes
guest only = yes
acl check permissions = False

Oh, but then it turns out that sharing a directory over both Samba and NFS can cause weird timestamp issues. After some experimentation, we found it was necessary to stop using oplocks:

kernel oplocks = no
oplocks = no
level2 oplocks = no

So here’s our final, working config. Cargo cult away!

[global]
workgroup = WORKGROUP
netbios name = Samba
encrypt passwords = yes
security = share
log level = 2
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
kernel oplocks = no
oplocks = no
level2 oplocks = no
max xmit = 65535
dead time = 15
getwd cache = yes
printcap name = /etc/printcap
use sendfile = yes
guest account = rap
map to guest = Bad User

[rap]
comment = File Share
path=/vol/smb/rap
force user = rap
valid users = rap, @rap
force group = rap
read only = no
writeable = yes
browseable = yes
public = yes
guest ok = yes
guest only = yes
acl check permissions = False

Leave a Reply

Your email address will not be published. Required fields are marked *