Friday, July 15, 2011

Samba file server on DD-WRT

It's not easy to configure Samba on standard DD-WRT because, by default, the /etc folder is read-only. So before starting, please set up a writable /etc. DD-WRT does have Samba 3 built into the firmware and it works just fine; you're just not able to configure it fully. This guide walks through the whole process of setting up a password-protected Samba share with custom usernames and passwords.

  1. Check if there is a Samba server built in
    Log in to the router, then run
    smbd --version

    Output should be:
    Version 3.0.24

    This means the firmware already has Samba 3.0.24 included.
    If the Samba server is missing, install it by running:
    opkg install samba3

  2. Add dedicated users for Samba
    For security reasons, I strongly suggest NOT using "root" to access your Samba share. Instead, we'll create users for Samba (and FTP) only, with minimal privileges and no login shell.
    First, add the following lines to '/etc/passwd':

    nobody:x:65534:65534:nobody:/mnt:/bin/false
    share:x:65534:65534:share:/mnt/share:/bin/false


    Save the file, then run:
    passwd share

    This will change the password for user "share". 
    Now check the content of the updated /etc/passwd file; the line for user "share" will look like:

    share:$1$2zhNidn9$DJK7SG8aqMg2hDsBYv6yZ.:65534:65534:share:/mnt/share:/bin/false
    The second field, starting with $1$, is the encrypted password. In the example line above, the password is also set to "share".

    To make the change persistent, create a new start-up script, /opt/etc/init.d/adduser:


    grep -q '^nobody:' /etc/passwd || echo 'nobody:x:65534:65534:nobody:/mnt:/bin/false' >> /etc/passwd
    grep -q '^share:' /etc/passwd || echo 'share:$1$2zhNidn9$DJK7SG8aqMg2hDsBYv6yZ.:65534:65534:share:/mnt/share:/bin/false' >> /etc/passwd

    Don't forget to replace the encrypted password (the second field of the "share" line) with your own. There are only two long lines above, each starting with grep.

    Then set it to run during boot up:
    chmod a+x /opt/etc/init.d/adduser
    ln -s /opt/etc/init.d/adduser /opt/etc/init.d/S05adduser


    The home folder for user "share" will be /mnt/share; create it if it's not present.

    mkdir -m 777 /mnt/share

    Then use smbpasswd to add a Samba user with username "share" and password "share":

    mkdir /etc/samba
    touch /etc/samba/smbpasswd
    smbpasswd share share
    (replace the second "share" with your own password)

    Copy the newly created /etc/samba/smbpasswd to /opt/etc/samba/smbpasswd to keep the /etc/ folder clean; in the future, all configuration files will be stored in /opt/etc/samba. Please leave the /etc/samba folder in place, as it's also required by Samba.

    mkdir -p /opt/etc/samba/
    cp -a /etc/samba/* /opt/etc/samba/
    # password hashes: keep the file readable by root only
    chmod 600 /opt/etc/samba/smbpasswd

  3. Setting smb.conf, the configuration file for Samba
    Using vi or nano (or your scp client), create the file /opt/etc/samba/smb.conf with the contents below:

    [global]
            netbios name = DD-WRT
            workgroup = WORKGROUP
            server string = DD-WRT
            syslog = 10
            encrypt passwords = true
            passdb backend = smbpasswd
            obey pam restrictions = yes
            socket options = TCP_NODELAY
            preferred master = no
            os level = 20
            security = user
            guest account = nobody
            invalid users = root
            smb passwd file = /opt/etc/samba/smbpasswd
            unix charset = UTF-8
            dos charset = UTF-8
    [homes]
            comment = Home Directories
            browseable = no
            read only = no
            create mode = 0750
    [USBDrive]
            path = /mnt/
            read only = no
            guest ok = no
            create mask = 0700
            directory mask = 0700


    Now test the file by running

    smbd -s /opt/etc/samba/smb.conf

    and access the Samba server by typing \\192.168.1.1 in the address bar. Log in with user "share". You should see two folders: "Share" (/mnt/share) and "USBDrive" (the whole /mnt folder).

    For Windows Vista/7 machines, compatibility must be set to work with the Linux Samba share. See the end of the post.

  4. Run Samba as a service
    If everything works out, it's time for the startup script.
    Create the file /opt/etc/init.d/samba (delete all previous contents if it's not empty):

    # stop any running Samba daemons, then start smbd with the new configuration
    kill -9 $(pidof smbd)
    kill -9 $(pidof nmbd)
    /usr/sbin/smbd -s /opt/etc/samba/smb.conf
    # if you installed samba3 through opkg, use
    #/opt/bin/smbd -s /opt/etc/samba/smb.conf


    Then set it to run upon bootup:

    chmod a+x /opt/etc/init.d/samba
    ln -s /opt/etc/init.d/samba /opt/etc/init.d/S50samba

  5. (Optional) Fix Samba and Windows Vista/7
    When accessing Samba from a Windows Vista/7 machine, the password will always be rejected regardless of what you enter. That's because the Samba version used here does not support the newer password authentication scheme in Windows.

    To fix:
    Run secpol.msc and go to: Local Policies -> Security Options.
    Find "Network Security: LAN Manager authentication level" and change the setting from "Send NTLMv2 response only" to "Send LM & NTLM - use NTLMv2 session security if negotiated".

    Some Windows versions may not have secpol.msc. In that case, save the 3 lines below to a file named sambafix.reg and run it:

    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "LmCompatibilityLevel"=dword:00000001

    Reboot Windows for the change to take effect.
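
Once steps 2 to 4 are done, the result can be checked against what the guide relies on: user-level security, root refused, no guest access on any share, and a Samba account with no login shell. The script below is an added example, not part of the original post; the function names audit_smb_conf and audit_passwd and the sample files are constructed for illustration.

```shell
#!/bin/sh
# audit_smb_conf FILE: print one finding per line. Settings must be explicit, as in
# the guide's file; parameter names are matched ignoring case and whitespace.
audit_smb_conf() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function on(v)   { return v ~ /^(yes|true|1)$/ }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
    /^[ \t]*\[/ { sec = tolower(trim($0)); gsub(/^\[|\]$/, "", sec); order[++n] = sec; next }
    (i = index($0, "=")) {
        k = tolower(substr($0, 1, i - 1)); gsub(/[ \t]/, "", k)
        if (k == "public") k = "guestok"   # "public" is a synonym of "guest ok"
        conf[sec, k] = tolower(trim(substr($0, i + 1)))
    }
    END {
        users = " " conf["global", "invalidusers"] " "; gsub(/[,\t]/, " ", users)
        if (conf["global", "security"] != "user") print "global: security is not user"
        if (users !~ / root /) print "global: root is not in invalid users"
        if (!on(conf["global", "encryptpasswords"])) print "global: encrypt passwords is off"
        for (j = 1; j <= n; j++) if ((s = order[j]) != "global") {
            g = ((s, "guestok") in conf) ? conf[s, "guestok"] : conf["global", "guestok"]
            if (on(g)) print s ": guest access is allowed"
        }
    }' "$1"
}

# audit_passwd FILE USER: the account must exist, not be uid 0, and have no login shell.
audit_passwd() {
    awk -F: -v u="$2" '
    $1 == u { seen = 1
              if ($3 == 0) print u ": uid is 0"
              if ($7 !~ /\/(false|nologin)$/) print u ": login shell is " $7 }
    END { if (!seen) print u ": no such account" }' "$1"
}

# Constructed sample: the guide's settings, but USBDrive opened to guests and a shell login.
d=$(mktemp -d)
printf '%s\n' '[global]' ' security = user' ' encrypt passwords = true' \
    ' invalid users = root' '[USBDrive]' ' path = /mnt/' ' guest ok = yes' > "$d/smb.conf"
echo 'share:x:65534:65534:share:/mnt/share:/bin/sh' > "$d/passwd"
audit_smb_conf "$d/smb.conf"        # prints: usbdrive: guest access is allowed
audit_passwd "$d/passwd" share      # prints: share: login shell is /bin/sh
rm -rf "$d"
```

On the router, point the two functions at /opt/etc/samba/smb.conf and /etc/passwd; no output means every check passed.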

5 comments:

Thank you for the post. I am looking for a solution to fix an error in Samba on DD-WRT. From all computers it is working, also from an old Porteus Linux distribution. But from a new Porteus Linux distribution, with the same settings, it is not working. In the Samba log file I found that the connection wasn't negotiated (something like that)

I do not know what I have to change.
But thank you for this article!
Have a nice day,
amplatfus

Sorry, I am not familiar with the Porteus distro, but it seems that the newer versions are missing support for SMB connections in the default build.

http://forum.porteus.org/viewtopic.php?f=41&t=1361

Thank you so much. I can confirm here that I managed to make it work in Porteus 1.2. But I do not know why it is not working with Porteus 2.1 RC.
Here is the topic link: http://forum.porteus.org/viewtopic.php?f=81&t=1725&p=11774#p11774

Extras: "cifs-utils were recompiled under rc1 to get rid of additional deps.
please install this package from standard slackware-14.0 and let us know if that helped." But it did not help.

Have a nice day on.

I forgot to say. This is the new error from the terminal when trying to mount the DD-WRT share: "mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)", but the share is working from other systems....

Hi again. I have begun to follow this tutorial.
At the step: "Save the file, then run: passwd share" I am receiving:

[code]root@ddwrt:~# smbpasswd share sharepassword
When run by root:
smbpasswd [options] [username]
otherwise:
smbpasswd [options]
[/code]
Could you please post advice?
I am on root@DDWRT:~# smbd --version Version 3.5.21
