Samba is a huge topic and will have many entries, ranging from PDCs with DomainLogons to LDAP integration, SSL, and error diagnostics, not to mention the differences between the versions of Samba currently available (2.2, 3.0alpha, and samba-tng). We'll use this as a main page and link to other pages whenever they gather enough content or are conceptually large enough to support a new page.

I'll start off by adding a SambaErrorMessages wiki, although other notes should probably appear in this page for now.

Samba related concepts

Firewalling SMB/CIFS

If you wish to firewall out all SMB/CIFS traffic (from either Samba or Windows PCs), you will need to block the following ports:

    UDP/137    - used by nmbd
    UDP/138    - used by nmbd
    TCP/139    - used by smbd
    TCP/445    - used by smbd

The last one is important as many older firewall setups may not be aware of it, given that this port was only added to the protocol in recent years.
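The check below is an added example, not part of the original page: it reads `iptables-save` output and reports which of the four ports above are not decided by a DROP/REJECT rule. The sample ruleset is constructed, and the code assumes an INPUT chain whose default policy is ACCEPT.

```python
# Added example: the four protocol/port pairs listed above.
SMB_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}
TERMINATING = ("ACCEPT", "DROP", "REJECT")

# Constructed iptables-save excerpt: an older ruleset written before TCP/445.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 137:138 -j DROP
-A INPUT -p tcp -m tcp --dport 139 -j DROP
-A INPUT -p tcp -m multiport --dports 22,80 -j ACCEPT
COMMIT
"""


def expand_ports(spec):
    """Expand an iptables port spec such as '137:138' or '22,80' into a set."""
    ports = set()
    for part in spec.split(","):
        low, _, high = part.partition(":")
        ports.update(range(int(low), int(high or low) + 1))
    return ports


def first_verdicts(rules, chain="INPUT"):
    """Map (proto, port) to the target of the first terminating rule naming it.

    Assumption: other match conditions (-s, -i, state) are ignored, so a rule
    limited to one interface still counts. Review such rules by hand.
    """
    verdicts = {}
    for line in rules.splitlines():
        tok = line.split()
        if tok[:2] != ["-A", chain] or "-p" not in tok or "-j" not in tok:
            continue
        proto, target = tok[tok.index("-p") + 1], tok[tok.index("-j") + 1]
        if target not in TERMINATING:
            continue  # LOG and similar targets do not end rule traversal
        for flag in ("--dport", "--dports"):
            if flag in tok:
                for port in expand_ports(tok[tok.index(flag) + 1]):
                    verdicts.setdefault((proto, port), target)
    return verdicts


def unblocked_smb_ports(rules, chain="INPUT"):
    """Return the SMB/CIFS pairs that no DROP/REJECT rule decides first."""
    verdicts = first_verdicts(rules, chain)
    return sorted(p for p in SMB_PORTS if verdicts.get(p) not in ("DROP", "REJECT"))
```

On the constructed ruleset this reports TCP/445 as the only port still open, which is the gap the paragraph above describes.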

For more information on the use of port 445, go to

Allowing an entire group to access a samba share.

Under the appropriate share in /etc/samba/smb.conf do:

  • valid users = @<group>

Samba Strangeness (or "How do I fix this?")

Printing jobs from Windows clients leaves a "ghost" job in the queue.

This is not actually a problem with Samba, but rather a consequence of the way in which lpd and the Windows spooler communicate. In newer lpd versions, there is a parameter (done_jobs) which is set to 1 by default; it stores old completed jobs for "reference". Unfortunately, Windows retains these jobs in the spooler. This is not usually desirable behaviour. Set "done_jobs=0" in lpd.conf and restart lpd.

Unable to log in to Samba - logs show "nobody" being auth'd instead of user.

This is probably a symptom of having usernames with mixed case. If this is so, you need to modify the [global] section of smb.conf with the parameter username level = 3.

You may need more, depending on your pattern of usernames. This parameter tells samba to try at least $username_level initial caps in the supplied name. For example, I had a site where the username pattern matched Y[0-2]name. In this case, I needed to set username level to 1, to catch the initial uppercase character. Needless to say this would not be necessary if Windows clients would behave and send the username exactly as provided...

Rules to Remember Regarding Permissions.

For a user in group 'leech', for example, to browse and access files on a Samba share, all parent directories must have their group permissions set to read and execute, and either he or one of the groups he is in must own them. If not, a Samba client will not be able to access the share.

Read permission ("r") means that you can list the directory, for example by using "ls" on it. But that's all it means. If you only have read permission on a directory, you can't cd to that directory, you can't copy files to that directory, etc.

You need execute permission ("x") if you want to read files in that directory, copy them elsewhere, or delete them.

If the group permissions are set to execute only, then the user will not be able to browse the share, but they will be able to access files directly, i.e. by supplying a full path.
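The rules above can be checked for a given share path with the following added example, which is not part of the original page. It walks each directory from a starting point down to the share and reports whether a user can list ("r") and traverse ("x") it. The function names are hypothetical, and the code assumes a non-root user and plain mode bits with no POSIX ACLs.

```python
import os


def class_bits(st, uid, gids):
    """Return the rwx triplet (0-7) that applies: owner, else group, else other."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7


def audit_share_path(path, uid, gids, start="/"):
    """Check every directory from `start` down to `path`.

    `uid` and `gids` describe the connecting user (for example a member of
    group 'leech'). Returns a list of (directory, can_list, can_traverse).
    """
    path, start = os.path.abspath(path), os.path.abspath(start)
    rel = os.path.relpath(path, start)
    parts = [] if rel == "." else rel.split(os.sep)
    current, results = start, []
    for part in [None] + parts:
        if part is not None:
            current = os.path.join(current, part)
        bits = class_bits(os.stat(current), uid, gids)
        results.append((current, bool(bits & 4), bool(bits & 1)))
    return results


def blocking_dirs(path, uid, gids, start="/"):
    """Directories the user cannot traverse; any one makes the share unreachable."""
    return [d for d, _, can_x in audit_share_path(path, uid, gids, start) if not can_x]
```

A directory that shows traverse without list is the "execute only" case: files are reachable by full path, but the share cannot be browsed.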

Print Queue in Windows 2000/XP shows "Access denied, unable to connect".

This drove me insane. I now have the answer:

1. Edit smb.conf. Ensure you add in the global section use client driver = yes.

2. On the printers share definition, ensure the following rights are granted:

   printer = raw
   browseable = yes
   public = yes
   guest ok = yes
   writable = yes
   printable = yes

3. Restart Samba.

Storing profiles on a Samba 2.2.x server fails after applying either Win XP SP1 or Win 2k SP4 on the client

Microsoft changed things and it broke Samba versions older than 2.2.6. Version 2.2.6 added a new config option (profile acls (S)) to allow a workaround for this. Check the smb.conf man page from version 2.2.6 or higher.

Debian woody only ships version 2.2.3a with back-ported patches for security updates, so it needs to be updated for this to work. Use Debian backported 2.2.9 packages. Add deb stable main to your apt sources.list.

Offline files fails

If you have a file share with multiple users using it regularly, and one of the users tries to synchronize the files using Windows's "Offline Files" feature, you might find that random files fail. The user will have read/write access through their group, but the file will be owned by someone else.

Why this is happening

From Jeremy Allison, Samba developer: "Windows does a sync by creating a new file with a temporary name, then sets an ACL on it that matches the current one (but seems to add write access for the current user, not just the owner). This must succeed else the sync will fail. Then it sets the DOS attributes, again this must succeed or the sync will fail. Under POSIX we encode the attributes in the file permissions and these can only be changed by the owner, unless the "dos filemode" parameter is set."

How to fix it

Upgrade to at least Samba 3.0.0. Ensure that smbd is compiled with ACL support (the Debian packages work fine out of the box), and running on a filesystem with POSIX AccessControlLists. Then you also need to set the parameter "dos filemode = yes" for the share. You don't need the acl package installed, but you probably need libacl.

File copies fail with "smb_proc_readX_data: offset is larger than SMB_READX_MAX_PAD or negative!"

When copying a file from a Windows server's share that is locally mounted with smbmount, the copy fails with an I/O error and the following appears in syslog:

smb_proc_readX_data: offset is larger than SMB_READX_MAX_PAD or negative!
smb_proc_readX_data: -59 > 64 || -59 < 0

This only seems to happen with the kernel-image-2.6.8 package in Debian Sarge. The error doesn't occur if you:

  • use smbclient interactively;
  • mount the remote share as type cifs instead of type smbfs; or
  • use a vanilla kernel or a backport of a later kernel that is packaged for Debian.

There is a Debian bug report on this.

wbinfo -t fails with "error code was NT_STATUS_PIPE_NOT_AVAILABLE (0xc00000ac)"
wbinfo -r fails with "could not get groups for user <domain\username>"

Set client schannel = no in your smb.conf.

Getting Microsoft Vista and Samba to work together.