Install Samba


I'm using Manjaro on my desktop. And I want to create a read-only file share to share files with my iPad. I will be logging in as a guest. Here, I install and configure Samba. And I include configuration parameters that make the share compatible with my iPad.


I already created a directory for my file share at /data/fileshare. And I placed a test file in there: weird_fishes.txt


Install


Install Samba Package


sudo pacman -S samba

Write smb.conf


Installing Samba does not include a default configuration file. Here is an example file for my share which is compatible with Apple devices.


sudo pwsh -c "New-Item -Path '/etc/samba/smb.conf' -ItemType File -Force"
sudo vim /etc/samba/smb.conf

File Name:


/etc/samba/smb.conf


File Contents:


[global]
   server role = standalone server
   log file = /var/log/samba/%m.log
   map to guest = Bad User
   load printers = no
   printing = bsd
   printcap name = /dev/null
   disable spoolss = yes
   show add printer wizard = no
   vfs objects = fruit streams_xattr
   #log level = 3 

[fileshare]
   path = /data/fileshare
   public = yes


Run the testparm command after writing the configuration file to validate the smb.conf syntax.


# basic
testparm -s

# verbose
# Press Enter to load Vim after testparm runs. 
testparm -v | vim +"set nomodified" - 

Start Samba


Enable and start Samba.


sudo systemctl enable --now smb.service

Confirm Directory Permissions


You can check the current permissions of the file share and its parents with namei.


If you save the namei output to a file, you can revert any permission changes you make in the next step or later. There won't be a way to undo changes made with chmod without this information.


namei -l /data/fileshare

# Save namei output to a file. 
namei -l /data/fileshare >> /home/michael/Desktop/namei_output.txt

The guest user (nobody) should have read and execute permissions on the shared folder and execute permission on all parent directories. To accomplish this, you will need to modify the 'other' permissions for each directory. I am not aware of an easy way to do this work in one step. The best way is making changes to individual directories with chmod.


The example below adds the execute permission for 'other' to the /data directory. The execute permission allows Samba to traverse this directory to any child directories: like "fileshare".


chmod o+x /data

Configuring AppArmor


In my case, I also need to configure AppArmor because I'm using Ubuntu Snaps (packages) on my system. AppArmor is a prerequisite for the snapd daemon.


Since I am using a custom share directory--/data/fileshare--I need to tell AppArmor about it. By adding exceptions to my AppArmor policy, the Samba service will be able to access the file share on behalf of connected clients.



sudo vim /etc/apparmor.d/local/usr.sbin.smbd



The contents of my usr.sbin.smbd file are below.


The first exception gives Samba read access to the root of the share.


The second exception gives Samba permission to make changes to subfolders and files.


Remember, these changes fix any problems caused by AppArmor. But Samba will still respect the directory permissions mentioned earlier. So, in AppArmor, it's ok to allow read, write, and other types of necessary permissions. If you want to decode the the AppArmor exceptions shown below, see the File Permissions link at the end of this article.


In both exceptions, I've used the path to my share directory: "/data/fileshare/" You will have to modify the paths in this configuration file to match your share path if it's different than mine.


File Name:


/etc/apparmor.d/local/usr.sbin.smbd


File Contents:


# Site-specific additions and overrides for 'usr.sbin.smbd'
"/data/fileshare/" rk,
"/data/fileshare/**" lrwk,




sudo systemctl restart apparmor



Verify Guest Access


Try to access the file share with the smbclient terminal application. At the smb: \> prompt, try using ls to list the files available on the share.


In this example, we can see the weird_fishes.txt file is listed.


smbclient -N //localhost/fileshare

Try "help" to get a list of possible commands.

smb: \> ls
  .                                   D        0  Mon May  2 07:42:32 2022
  ..                                  D        0  Sun May  1 07:21:15 2022
  weird_fishes.txt                    N      691  Sun May  1 11:32:31 2022

		479597248 blocks of size 1024. 440488612 blocks available
smb: \> exit


After verifying guest access, the file share should be working for you.


Test iPad


Try connecting to the share with the iPad.



smb://edward/fileshare


Where "smb://" is the protocol and is the same for everyone. "edward" is the network name of my computer; change this to match your server's network name. And, "fileshare" is the share folder.



From here, I can browse and open files on the share.


If you want to return to the shared folder within the Files app, the file share will be listed under the Shared heading with the server name. On my Files app, I see Shared and then edward. The eject button next to the server name lets you explicitly disconnect from the server.


Troubleshooting


iPad Error Messages


During testing, I received two error messages from the iPad.


The operation couldn't be completed. Operation not supported.


Content Unavailable The folder contents could not be displayed because of an unknown error.


Make sure that you are not using the "hosts allow" parameter in smb.conf. I noticed that the iPad was communicating with the server via IPv6. That makes it difficult to create a reliable list of allowed hosts. So, I don't use "hosts allow". The "interfaces" smb.conf parameter might also cause problems.


Problems After Updating to Manjaro 21.3.7


I had trouble connecting to my file share after updating to Manjaro 21.3.7 This version was released in August 2022.


To fix the issue, I needed to add two exceptions to AppArmor. I installed AppArmor as a prerequisite for Ubuntu Snaps. I use snaps elsewhere on my system. And snaps were installed while Samba was working. But, some part of the default security policy changed while upgrading Manjaro. So, versions of Manjaro 21.3.7 and later require the exceptions to be added if you're using AppArmor.


See the section above on Configuring AppArmor for instructions.


While I was having this issue, the Samba log showed this error:


File Name:


log.samba-dcerpcd


File Contents:


[2023/03/20 16:00:37,  0] ../../source3/rpc_server/rpc_host.c:2940(main)
  main: messaging_init() failed


Administration


Check Samba Logs


Note that journalctl will not show the full log. Go to /var/log/samba and read the logs directly.


List the modified logs.


Get-ChildItem -Path "/var/log/samba" | 
  Where-Object { $_.LastWriteTime -ge ((Get-Date).AddMinutes(-20))} | 
  Sort-Object -Property LastWriteTime -Descending | 
  Format-Table -AutoSize

   Directory: /var/log/samba

UnixMode   User Group  LastWriteTime   Size Name
--------   ---- -----  -------------   ---- ----
-rw-r--r-- root root  5/3/2022 21:20   4476 log.smbd
-rw-r--r-- root root  5/3/2022 21:20   7592 log.samba-dcerpcd
-rw-r--r-- root root  5/3/2022 21:20    744 log.rpcd_lsad
-rw-r--r-- root root  5/3/2022 21:20    744 log.rpcd_mdssvc
-rw-r--r-- root root  5/3/2022 21:20    744 log.rpcd_rpcecho
-rw-r--r-- root root  5/3/2022 21:20    744 log.rpcd_epmapper
-rw-r--r-- root root  5/3/2022 21:20    744 log.rpcd_fsrvp
-rw-r--r-- root root  5/3/2022 21:20    744 log.rpcd_spoolss
-rw-r--r-- root root  5/3/2022 21:20  14068 log.rpcd_winreg
-rw-r--r-- root root  5/3/2022 21:20  24704 log.rpcd_classic
-rw-r--r-- root root  5/3/2022 21:20 278637 smbd.log
-rw-r--r-- root root  5/3/2022 21:20  46072 2600_1700_1e80_7880_bc92_a917_e0f1_
                                            2fe3.log
-rw-r--r-- root root  5/3/2022 21:20 154076 mobile.log


Read the log file.


vim -R /var/log/samba/smbd.log

...
[2022/05/03 21:20:13.032298,  0] ../../source3/smbd/server.c:1741(main)
  smbd version 4.16.0 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2022
[2022/05/03 21:20:13.032359,  2] ../../source3/smbd/server.c:1744(main)
  uid=0 gid=0 euid=0 egid=0
[2022/05/03 21:20:13.032596,  2] ../../source3/lib/tallocmsg.c:84(register_msg_pool_usage)
  Registered MSG_REQ_POOL_USAGE
[2022/05/03 21:20:13.032609,  2] ../../source3/lib/dmallocmsg.c:78(register_dmalloc_msgs)
  Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
...


Increase Log Level


Change the log level by adding a parmeter to smb.conf and restarting the smb service. This will show additional information.


Remember to disable the higher log level after you are finished troubleshooting. You can comment out the parameter with '#'. Then restart the service again.


File Name:


/etc/samba/smb.conf


File Contents:


Add log level under [global].


[global]
   log level = 3

Manage Samba


You can manage the Samba service with the commands below.


systemctl status smb.service | vim +"set nowrap" +"set nomodified" -
sudo systemctl start smb.service
sudo systemctl stop smb.service
sudo systemctl restart smb.service

Making Changes to smb.conf


Here are the steps for changing the smb.conf file.


sudo vim /etc/samba/smb.conf
testparm -s
sudo systemctl restart smb.service

Change the systemd unit File for Samba


Here is the location of the systemd configuration for Samba. For example, you can add smbd command-line options to the "ExecStart=" line available in the file. See the smbd manual page linked below for available options.


# edit file
# Use '#' for comments inside the file. 
sudo vim /usr/lib/systemd/system/smb.service

# Reload systemd manager configuration
sudo systemctl daemon-reload

# restart unit
sudo systemctl restart smb.service

Uninstall


You can reverse the changes made here and uninstall Samba with these commands.


This leaves the file share directory and contents intact. This does not undo or change any local permissions to the file share directory which might have changed by using chmod. If you saved the namei output before making changes, you can use that information to manually reset permissions for each directory.


I also reset the AppArmor exceptions file back to its default. This only affects Samba.


sudo systemctl stop smb.service
sudo systemctl disable smb.service
sudo rm /etc/samba/smb.conf
"# Site-specific additions and overrides for 'usr.sbin.smbd'" > /etc/apparmor.d/local/usr.sbin.smbd
sudo systemctl restart apparmor
sudo pacman -Rs samba 

Note on Vim


If you pipe stdin to Vim, the resulting buffer or file will be marked as modified. And you will be prompted to save the buffer before exiting Vim. Often this text is not needed. And it would be helpful to exit Vim without habitually typing :q! The problem is that if you accidentally type :q! in another context, you can lose all your work.


You can add a line to vimrc so that you can exit with :q after reading from stdin. This saves you from typing +"set nomodified" at the command line.


" Don't set 'modified' when reading from stdin
au StdinReadPost * set nomodified

References


Samba | ArchWiki

Sample smb.conf

smb.conf | Arch Manual Pages

vfs_fruit Manual Page (Apple compatibility parameters)

Explanation of chmod Symbolic Modes

umask | Wikipedia

File Permissions | AppArmor GitLab

systemd.service | Arch Manual Pages

smbd | Arch Manual Pages

stdin Configuration Option | starting.txt | Vim Online Help



Changes



Created: Monday, May 2, 2022

Updated: Thursday, March 23, 2023




/gemlog/