Samba and UFW

Earlier today, I found myself frustrated because I could not see my Samba shares when browsing my network in Nautilus. It turned out to be a firewall issue.

From The Official Samba 3.2.x HOWTO and Reference Guide:

Many people use a firewall to deny access to services they do not want exposed outside their network. This can be a good idea, although I recommend using it in conjunction with the above methods so you are protected even if your firewall is not active for some reason.

If you are setting up a firewall, you need to know what TCP and UDP ports to allow and block. Samba uses the following:

Port 135/TCP - used by smbd
Port 137/UDP - used by nmbd
Port 138/UDP - used by nmbd
Port 139/TCP - used by smbd
Port 445/TCP - used by smbd

The last one is important because many older firewall setups may not be aware of it, given that this port was only added to the protocol in recent years.

When configuring a firewall, the high order ports (1024-65535) are often used for outgoing connections and therefore should be permitted through the firewall. It is prudent to block incoming packets on the high order ports except for established connections.

In order to open these ports, you must run the following commands:

sudo ufw allow proto tcp to any port 135 from 192.168.1.0/24
sudo ufw allow proto udp to any port 137 from 192.168.1.0/24
sudo ufw allow proto udp to any port 138 from 192.168.1.0/24
sudo ufw allow proto tcp to any port 139 from 192.168.1.0/24
sudo ufw allow proto tcp to any port 445 from 192.168.1.0/24

Of course, you should replace 192.168.1.0/24 with the appropriate IP/CIDR subnet for your network.

Generally speaking, I find it useful to add rules by service whenever possible. For example, if I want to open up ports for AOL/AIM, I can add this rule:

sudo ufw allow aol

The syntax is much less verbose and thus easier to remember. You can see a list of all service names by doing

less /etc/services

Not everything will be listed, but most common services are.

Samba Server

A few weeks ago, I decided I would make my Linux box the file server for my network. Since shared files and folders must be accessible from Windows and Mac machines, Samba seemed like the best cross-platform solution.

The installation turned out to be a relatively painless process. Here's how I did it on Ubuntu Dapper.

First we need to install a couple of packages:

sudo apt-get install samba smbfs

I'm not positive that smbfs is required for the Samba server, but most guides recommend it. So I'll follow their lead.

A vanilla install of Ubuntu should be properly configured for Samba, so there's not much else to do besides add to the list of Samba users. In the second line, you may replace sudo with gksudo if you prefer one of the GTK editors, like gedit. There may be an analogous command for KDE apps, but I rarely run them as superuser, so I wouldn't know.

sudo smbpasswd -a system_username
sudo vi /etc/samba/smbusers

where system_username is the user you wish to add as a Samba user. You will be prompted to create a password. This is the password the user will use to connect to Samba shares.

We must add the following line to /etc/samba/smbusers:

system_username = "network username"

Note you may make the network username different from the system username. There are a variety of reasons you might do this. For example, the user may have a different name on the machine from which he will connect to the Samba shares. You might alternately designate a unique username as a security measure.

To set up your Samba shares, you must either edit /etc/samba/smb.conf by hand or install SWAT, which supposedly does the dirty work for you. Either way, the lines you add to the file should look something like this:

[music]
  path = /windows/Music
  browseable = yes
  writeable = yes
  valid users = jlz27
  admin users = jlz27

I'm typing this from my PowerBook, running Mac OS X 10.4.10, while connected to one of the Samba shares. So it definitely works.

Thanks, Jörg Höhle!

Count on a guy with umlauts in his name to find a fix for the problem with displaying special characters in filenames, mentioned in my previous entry on Samba. Here's the bug report he submitted:

Hi,
The Gnome desktop network mounter, the smbclient and a native MS-Windows-2k manage to display Umlaute in filenames from a Linux Samba server just fine.
Using smbmount however, an ls command merely displays "?" in lieu of the Umlauts in concerned filenames.

Trying out many combinations of iocharset and codepage options I finally got Umlaute to display fine as follows:
mount -t smbfs -o username=xyz,uid=hoehle,gid=hoehle,file_mode=0640,codepage=cp437,
iocharset=utf8 //10.0.0.79/hoehle /mnt/samba
which seems equivalent to:
smbmount //10.0.0.79/hoehle /mnt/samba -o username=xyz,uid=hoehle,gid=hoehle,file_mode=0640,codepage=cp437,
iocharset=utf8

codepage=utf8,iocharset=utf8 produces :x84 :x9a for some umlauts in ls output.
codepage=iso8859-1 produces :0084 :009a instead.
codepage=cp437, utf16 or utf-16 produce "?" instead.

codepage=cp852,iocharset=utf8 finally works.
codepage=cp437,iocharset=utf8 also works.
Note that the iocharset option must be given as well.

man mount on fat says: "By default, codepage 437 is used."
For consistency, I'd expect similar defaults with smbfs.
Similarly, I'm quite surprised that iocharset=utf8 is needed. I'd thought most Linux software did the transition to UTF-8 these days (since Hoary, Warty was not fully there).

smbfs should be as easy to use and provide similar defaults as all of smbclient, the Gnome desktop and MS-Windows do.

Affects: Dapper with http://wiki.ubuntu.com/LaptopTestingTeam/
FujitsuLifebookC1110

Regards,
Jörg Höhle

In case you didn't read the whole report, I'll sum it up. If you mount your share with the options codepage=cp437,iocharset=utf8, for example, special characters like the umlaut will display correctly.

I used codepage 437 because it's the default for FAT and VFAT filesystems. I haven't tested it with codepage 852 nor do I plan to do so.

If you have success with another codepage option, I invite you to post your experience here so other readers may benefit from your efforts.

Só Danço Samba

I ought to mention that I've successfully mounted Windows shares using the following form:

sudo mount -t smbfs //HOSTNAME/SHARENAME /MOUNTPOINT

That's the Server Message Block (SMB) file system, which is what modern Windows OSes use to share files and printers. So if you wanted to mount a share called "Music," located on a server with IP address 192.168.1.100, to local directory /media/Music, you would enter

sudo mount -t smbfs //192.168.1.100/Music /media/Music

and then you'll be able to access the files as though they were stored locally. Don't expect playback of high-quality video files to go smoothly, though. It's like streaming without a buffer, so you'll probably drop a lot of frames. For almost anything else, it's great.

Mac OS X can mount shares from the Finder GUI. Go → Connect to Server… or the ⌘K shortcut opens a window that will let you specify a server address. You can also bookmark frequently used servers. To connect to the server from our previous example, you would type smb://192.168.1.100 and click Connect. In my experience, you can also use the computer name. My Windows file server is named "cryptkeeper," so I connect using smb://cryptkeeper, which defaults to the guest account. If you want to specify a user account for login, use smb://USERNAME@HOSTNAME instead.

(Note that you must create the local directory before mounting the share. The mount command won't create it automatically.)

I still need to play around with the mount options, since Ubuntu doesn't seem to recognize the accented letters in certain filenames, e.g., Hüsker Dü, Múm, Röyksopp. Maybe it would help to mount the share with a different character set; UTF-8 springs to mind. I'll probably have to use smbmount if I want to do that, though. I seem to remember reading that mount doesn't actually know anything about smbfs. If I find more info on this, it will be posted here.