As Samba is such a huge concept and will have so many entries, ranging from PDCs with DomainLogons, to LDAP integration, SSL, and error diagnostics, not to mention differences between each version of Samba currently available - 2.2, 3.0alpha, and samba-tng, we'll use this is a main page and link to other pages whenever they get enough content or are conceptually large enough to support a new page.
I'll start off by adding a SambaErrorMessages wiki, although other notes should probably appear in this page for now.
If you wish to firewall out all smb/cifs traffic (from either samba or windows pc's) you will need to firewall the following ports:
UDP/137 - used by nmbd UDP/138 - used by nmbd TCP/139 - used by smbd TCP/445 - used by smbd
The last one is important as many older firewall setups may not be aware of it, given that this port was only added to the protocol in recent years.
For more information on the use of port 445, go to http://www.petri.co.il/what_is_port_445_in_w2kxp.htm
This is not actually a problem with samba, but rather a way in which lpd and the windows spooler communicate. In newer lpd versions, there is a parameter (done_jobs) which is set to 1 by default - it stores old completed jobs for "reference". Unfortunately, windows retains these jobs in the spooler. This is not usually desirable behaviour. Set "done_jobs=0" in lpd.conf and restart lpd.
This is probably a symptom of having usernames with mixed case. If this is so, you need to modify the [global] section of smb.conf with the parameter username level = 3.
You may need more, depending on your pattern of usernames. This parameter tells samba to try at least $username_level initial caps in the supplied name. For example, I had a site where the username pattern matched Y[0-2]name. In this case, I needed to set username level to 1, to catch the initial uppercase character. Needless to say this would not be necessary if Windows clients would behave and send the username exactly as provided...
For a user in group 'leech' for example, if he wants to access a samba share, then to browse and access files, all parent directories must have their group permissions set as read and execute and either him or one of the groups he is in should own them. If not, then a samba client will not be able to access the share.
Read permission ("r") means that you can list the directory- for example, use "ls" on it. But that's all it means. If you only have read permission on a directory you can't cd to that directory, you can't copy files to that directory etc.
You need execute permission ("x") if you want to read files in that directory, copy it elsewhere, or delete it.
If the group permissions are set to execute only, then the user will not be be able to browse the share but they will be able to directly access files. ie : supply a full path.
This drove me insane. I now have the answer:
1. Edit smb.conf. Ensure you add in the global section use client driver = yes.
printer = raw browseable = yes public = yes guest ok = yes writable = yes printable = yes
3. Restart Samba.
Microsoft changed things and it broke samba versions older than 2.2.6. 2.2.6 added a new config option (profile acls (S)) to allow a work around for this. Check the smb.conf man page from version 2.2.6 or higher.
Debian woody only ships version 2.2.3a with back-ported patches for security updates so needs to be updated for this to work. Use Debian backported 2.2.9 packages. Add deb http://people.debian.org/peloy/samba stable main to your apt sources.list.
If you have a file share with multiple users using it regularly, and one of the users tries to synchronize the files using Windows's "Offline Files" feature, you might find that random files fail. The user will have read/write access through their group, but the file will be owned by someone else.
From Jeremy Allison, Samba developer: "Windows does a sync by creating a new file with a temporary name, then sets an ACL on it that matches the current one (but seems to add write access for the current user, not just the owner). This must succeed else the sync will fail. Then it sets the DOS attributes, again this must succeed or the sync will fail. Under POSIX we encode the attributes in the file permissions and these can only be changed by the owner, unless the "dos filemode" parameter is set."
Upgrade to at least Samba 3.0.0. Ensure that smbd is compiled with ACL support (the Debian packages work fine out of the box), and running on a filesystem with POSIX AccessControlLists. Then you also need to set the parameter "dos filemode = yes" for the share. You don't need the acl package installed, but you probably need libacl.
smb_proc_readX_data: offset is larger than SMB_READX_MAX_PAD or negative! smb_proc_readX_data: -59 > 64 || -59 < 0
There is a debian bug report on this.
Set client schannel = no in your smb.conf.