System Administration Tips & Tricks

Stuff that doesn't seem to be written elsewhere. Food for Google.

Samba & Linux CIFS

Problem: Can't set file permissions higher than 744 or directory permissions higher than 755 when using the Linux CIFS client connected to a Samba 3.x server.

Solution: By default, Samba controls what permissions can be set on files and directories on a share by bitwise ORing the permissions with the bitwise AND of two masks. For files, these are the create mask and the security mask. The create mask sounds like it applies only to newly created files, but this is not so: it applies to all files whose permissions do not have those bits set. For directories, these are the directory mask and the directory security mask. The important thing to know is that any bit that is not set in both of the two masks can't be set on files or directories located on that share. If not specified in smb.conf, the create mask is set to 0744 and the directory mask is set to 0755 (the other two masks default to 0777, so you can leave those alone). So, to fix this problem, just change both of these masks to 0777 by adding the following two lines to your smb.conf, either in the [global] section for all shares or underneath the share section for just that share, depending on what you want:

create mask = 0777
directory mask = 0777

Problem: Can't set the initial user or machine account password with smbpasswd when the SAM is stored in LDAP.

Solution: There could be a number of things wrong, but the most common is that required attributes are missing from the account's LDAP object. Make sure your account's LDAP object has all of the following fields:

Samba Attributes (sambaSamAccount):

  • sambaAcctFlags
  • sambaLMPassword
  • sambaNTPassword
  • sambaPwdCanChange
  • sambaPwdLastSet
  • sambaPwdMustChange
  • sambaSID

POSIX Account Attributes (posixAccount):

  • uid
  • uidNumber
  • gidNumber
  • homeDirectory

Problem: I've set my domain name and set my Samba 2.x or 3.x PDC to be the domain master, but browsing seems to be broken.

Solution: NetBIOS domain names can only be 15 characters in length and can only include alphanumerics and the period. Change the domain name to something no longer than 15 characters.