Samba: Difference between revisions

(13 intermediate revisions by 11 users not shown)

Line 1:

This guide will help you on how to use samba on nixos.

== Usershares ==

You can allow some users to share via samba a given directory simply via a right click in their file browser (tested with Dolphin). For that, first add this configuration (make sure to add your user in the samba group):

{{file|/etc/nixos/configuration.nix|nix|<nowiki>

{ pkgs, config, ... }: {

services.samba = {

# The full package is needed to register mDNS records (for discoverability), see discussion in

# https://gist.github.com/vy-let/a030c1079f09ecae4135aebf1e121ea6

package = pkgs.samba4Full;

usershares.enable = true;

enable = true;

openFirewall = true;

};

# To be discoverable with windows

services.samba-wsdd = {

enable = true;

openFirewall = true;

};

# Make sure your user is in the samba group

users.users.YOURUSER = {

isNormalUser = true;

extraGroups = [ "samba" ];

};

}

</nowiki>}}

Then, logout and login (to make sure your group change has been taken into account), open Dolphin, right click on a folder you'd like to share, go to Properties, Tab "Share", and configure it the way you want.

== Server setup ==

Line 8:

Line 39:

services.samba = {

enable = true;

~~securityType = "user";~~

openFirewall = true;

~~extraConfig~~ = ''

settings = {

workgroup = WORKGROUP

global = {

server string = smbnix

"workgroup" = "WORKGROUP";

netbios name = smbnix

"server string" = "smbnix";

security = user

"netbios name" = "smbnix";

#use sendfile = yes

"security" = "user";

#max protocol = smb2

#"use sendfile" = "yes";

# note: localhost is the ipv6 localhost ::1

#"max protocol" = "smb2";

hosts allow = 192.168.0. 127.0.0.1 localhost

# note: localhost is the ipv6 localhost ::1

hosts deny = 0.0.0.0/0

"hosts allow" = "192.168.0. 127.0.0.1 localhost";

guest account = nobody

"hosts deny" = "0.0.0.0/0";

map to guest = bad user

"guest account" = "nobody";

'';

"map to guest" = "bad user";

~~shares = {~~

};

public = {

"public" = {

path = "/mnt/Shares/Public";

"path" = "/mnt/Shares/Public";

browseable = "yes";

"browseable" = "yes";

"read only" = "no";

"guest ok" = "yes";

Line 34:

Line 64:

"force group" = "groupname";

};

private = {

"private" = {

path = "/mnt/Shares/Private";

"path" = "/mnt/Shares/Private";

browseable = "yes";

"browseable" = "yes";

"read only" = "no";

"guest ok" = "no";

Line 52:

Line 82:

};

services.avahi = {

publish.enable = true;

publish.userServices = true;

# ^^ Needed to allow samba to automatically register mDNS records (without the need for an `extraServiceFile`

nssmdns4 = true;

# ^^ Not one hundred percent sure if this is needed- if it aint broke, don't fix it

enable = true;

openFirewall = true;

};

networking.firewall.enable = true;

Line 71:

Line 100:

=== User Authentication ===

For a user called <code>my_user</code>to be authenticated on the samba server, you ~~must~~ add ~~their~~ password using

For a user called <code>my_user</code>to be authenticated on the samba server, you can add a password using:

smbpasswd -a my_user

sudo smbpasswd -a my_user

</syntaxhighlight>

To automate creation of the samba user and the required system user, you can use [https://search.nixos.org/options?show=system.activationScripts system.activationScripts]:

{

# Make the samba user "my_user" on the system

users.users.my_user = {

description = "Write-access to samba media shares";

# Add this user to a group with permission to access the expected files

extraGroups = [ "users" ];

# Password can be set in clear text with a literal string or from a file.

# Using sops-nix we can use the same file so that the system user and samba

# user share the same credential (if desired).

hashedPasswordFile = config.sops.secrets.samba.path;

isNormalUser = true;

};

# Set "my_user" as a valid samba login

services.samba = {

enable = true;

openFirewall = true;

settings = {

global = {

# ...

"security" = "user";

};

my_share_directory = {

# ...

"valid users" = "my_user";

};

# Activation scripts run every time nixos switches build profiles. So if you're

# pulling the user/samba password from a file then it will be updated during

# nixos-rebuild. Again, in this example we're using sops-nix with a "samba" entry

# to avoid cleartext password, but this could be replaced with a static path.

system.activationScripts = {

# The "init_smbpasswd" script name is arbitrary, but a useful label for tracking

# failed scripts in the build output. An absolute path to smbpasswd is necessary

# as it is not in $PATH in the activation script's environment. The password

# is repeated twice with newline characters as smbpasswd requires a password

# confirmation even in non-interactive mode where input is piped in through stdin.

init_smbpasswd.text = ''

/run/current-system/sw/bin/printf "$(/run/current-system/sw/bin/cat ${config.sops.secrets.samba.path})\n$(/run/current-system/sw/bin/cat ${config.sops.secrets.samba.path})\n" | /run/current-system/sw/bin/smbpasswd -sa my_user

'';

};

}

</syntaxhighlight>

=== Configuration ===

Line 85:

Line 164:

services.samba = {

~~shares~~ = {

settings = {

tm_share = {

"tm_share" = {

path = "/mnt/Shares/tm_share";

"path" = "/mnt/Shares/tm_share";

"valid users" = "username";

public = "no";

"public" = "no";

writeable = "yes";

"writeable" = "yes";

"force user" = "username";

# Below are the most imporant for macOS compatibility

# Change the above to suit your needs

Line 120:

Line 199:

<type>_adisk._tcp</type>

<!--

change tm_share to share name, if you changed it.

-->

<txt-record>dk0=adVN=tm_share,adVF=0x82</txt-record>

<txt-record>sys=waMa=0,adVF=0x100</txt-record>

Line 142:

Line 224:

package = pkgs.sambaFull;

openFirewall = true;

~~extraConfig~~ = ''

settings = {

load printers = yes

"global" = {

printing = cups

"load printers" = "yes";

printcap name = cups

"printing" = "cups";

'';

"printcap name" = "cups";

~~shares = {~~

};

printers = {

"printers" = {

comment = "All Printers";

"comment" = "All Printers";

path = "/var/spool/samba";

"path" = "/var/spool/samba";

public = "yes";

"public" = "yes";

browseable = "yes";

"browseable" = "yes";

# to allow user 'guest account' to print.

"guest ok" = "yes";

writable = "no";

"writable" = "no";

printable = "yes";

"printable" = "yes";

"create mode" = 0700;

};

Line 270:

Line 352:

=== CIFS mount configuration ===

The following snippets shows how to mount a CIFS (Windows) share in NixOS.

Note the inclusion of the <code>"nofail"</code> option; NixOS will treat CIFS shares like any other mounted drive, and this will allow the system to boot correctly if the mounted NAS is off or if the network is slow to initialize.

Replace all <code><FIELDS></code> with concrete values:

Line 284:

Line 369:

automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s";

in ["${automount_opts},credentials=/etc/nixos/smb-secrets"];

in ["${automount_opts},credentials=/etc/nixos/smb-secrets" "nofail"];

};

}

Line 378:

Line 463:

services.gvfs = {

enable = true;

package = lib.mkForce pkgs.~~gnome3~~.gvfs;

package = lib.mkForce pkgs.gnome.gvfs;

};

</syntaxhighlight>

Line 450:

Line 535:

* [https://search.nixos.org/options?channel=unstable&from=0&size=50&sort=relevance&type=packages&query=services.samba Samba Options in NixOS on unstable]

* [https://wiki.archlinux.org/title/Samba Samba in the Arch Linux Wiki]

* [https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html smb.conf man page]

[[Category:Server]]

[[Category:Applications]]

@@ Line 1: / Line 1: @@
 This guide will help you on how to use samba on nixos.
+== Usershares ==
+You can allow some users to share via samba a given directory simply via a right click in their file browser (tested with Dolphin). For that, first add this configuration (make sure to add your user in the samba group):
+{{file|/etc/nixos/configuration.nix|nix|<nowiki>
+{ pkgs, config, ... }: {
+  services.samba = {
+    # The full package is needed to register mDNS records (for discoverability), see discussion in
+    # https://gist.github.com/vy-let/a030c1079f09ecae4135aebf1e121ea6
+    package = pkgs.samba4Full;
+    usershares.enable = true;
+    enable = true;
+    openFirewall = true;
+  };
+  # To be discoverable with windows
+  services.samba-wsdd = {
+    enable = true;
+    openFirewall = true;
+  };
+  # Make sure your user is in the samba group
+  users.users.YOURUSER = {
+    isNormalUser = true;
+    extraGroups = [ "samba" ];
+  };
+}
+</nowiki>}}
+Then, logout and login (to make sure your group change has been taken into account), open Dolphin, right click on a folder you'd like to share, go to Properties, Tab "Share", and configure it the way you want.
 == Server setup ==
@@ Line 8: / Line 39: @@
 services.samba = {
    enable = true;
-  securityType = "user";
    openFirewall = true;
-   extraConfig = ''
+   settings = {
-     workgroup = WORKGROUP
+     global = {
-    server string = smbnix
+      "workgroup" = "WORKGROUP";
-    netbios name = smbnix
+      "server string" = "smbnix";
-    security = user
+      "netbios name" = "smbnix";
-    #use sendfile = yes
+      "security" = "user";
-    #max protocol = smb2
+      #"use sendfile" = "yes";
-    # note: localhost is the ipv6 localhost ::1
+      #"max protocol" = "smb2";
-    hosts allow = 192.168.0. 127.0.0.1 localhost
+      # note: localhost is the ipv6 localhost ::1
-    hosts deny = 0.0.0.0/0
+      "hosts allow" = "192.168.0. 127.0.0.1 localhost";
-    guest account = nobody
+      "hosts deny" = "0.0.0.0/0";
-    map to guest = bad user
+      "guest account" = "nobody";
-  '';
+      "map to guest" = "bad user";
-  shares = {
+    };
-     public = {
+     "public" = {
-       path = "/mnt/Shares/Public";
+       "path" = "/mnt/Shares/Public";
-       browseable = "yes";
+       "browseable" = "yes";
        "read only" = "no";
        "guest ok" = "yes";
@@ Line 34: / Line 64: @@
        "force group" = "groupname";
      };
-     private = {
+     "private" = {
-       path = "/mnt/Shares/Private";
+       "path" = "/mnt/Shares/Private";
-       browseable = "yes";
+       "browseable" = "yes";
        "read only" = "no";
        "guest ok" = "no";
@@ Line 52: / Line 82: @@
 };
-  services.avahi = {
+services.avahi = {
-    publish.enable = true;
+  publish.enable = true;
-    publish.userServices = true;
+  publish.userServices = true;
-    # ^^ Needed to allow samba to automatically register mDNS records (without the need for an `extraServiceFile`
+  # ^^ Needed to allow samba to automatically register mDNS records (without the need for an `extraServiceFile`
-    nssmdns4 = true;
+  nssmdns4 = true;
-    # ^^ Not one hundred percent sure if this is needed- if it aint broke, don't fix it
+  # ^^ Not one hundred percent sure if this is needed- if it aint broke, don't fix it
-    enable = true;
+  enable = true;
-    openFirewall = true;
+  openFirewall = true;
-  };
+};
 networking.firewall.enable = true;
@@ Line 71: / Line 100: @@
 === User Authentication ===
-For a user called <code>my_user</code>to be authenticated on the samba server, you must add their password using
+For a user called <code>my_user</code>to be authenticated on the samba server, you can add a password using:
 <syntaxhighlight lang="bash">
-smbpasswd -a my_user
+sudo smbpasswd -a my_user
 </syntaxhighlight>
+To automate creation of the samba user and the required system user, you can use [https://search.nixos.org/options?show=system.activationScripts system.activationScripts]:
+<syntaxhighlight lang="nix">
+{
+  # Make the samba user "my_user" on the system
+  users.users.my_user = {
+    description = "Write-access to samba media shares";
+    # Add this user to a group with permission to access the expected files
+    extraGroups = [ "users" ];
+    # Password can be set in clear text with a literal string or from a file.
+    # Using sops-nix we can use the same file so that the system user and samba
+    # user share the same credential (if desired).
+    hashedPasswordFile = config.sops.secrets.samba.path;
+    isNormalUser = true;
+  };
+  # Set "my_user" as a valid samba login
+  services.samba = {
+    enable = true;
+    openFirewall = true;
+    settings = {
+      global = {
+        # ...
+        "security" = "user";
+      };
+      my_share_directory = {
+        # ...
+        "valid users" = "my_user";
+      };
+    };
+  };
+  # Activation scripts run every time nixos switches build profiles. So if you're
+  # pulling the user/samba password from a file then it will be updated during
+  # nixos-rebuild. Again, in this example we're using sops-nix with a "samba" entry
+  # to avoid cleartext password, but this could be replaced with a static path.
+  system.activationScripts = {
+    # The "init_smbpasswd" script name is arbitrary, but a useful label for tracking
+    # failed scripts in the build output. An absolute path to smbpasswd is necessary
+    # as it is not in $PATH in the activation script's environment. The password
+    # is repeated twice with newline characters as smbpasswd requires a password
+    # confirmation even in non-interactive mode where input is piped in through stdin.
+    init_smbpasswd.text = ''
+      /run/current-system/sw/bin/printf "$(/run/current-system/sw/bin/cat ${config.sops.secrets.samba.path})\n$(/run/current-system/sw/bin/cat ${config.sops.secrets.samba.path})\n" | /run/current-system/sw/bin/smbpasswd -sa my_user
+    '';
+  };
+}
+</syntaxhighlight>
 === Configuration ===
@@ Line 85: / Line 164: @@
 <syntaxhighlight lang="nix">
 services.samba = {
-   shares = {
+   settings = {
-     tm_share = {
+     "tm_share" = {
-         path = "/mnt/Shares/tm_share";
+         "path" = "/mnt/Shares/tm_share";
          "valid users" = "username";
-         public = "no";
+         "public" = "no";
-         writeable = "yes";
+         "writeable" = "yes";
          "force user" = "username";
          # Below are the most imporant for macOS compatibility
          # Change the above to suit your needs
@@ Line 120: / Line 199: @@
          <service>
            <type>_adisk._tcp</type>
+          <!--
+            change tm_share to share name, if you changed it.
+          -->
            <txt-record>dk0=adVN=tm_share,adVF=0x82</txt-record>
            <txt-record>sys=waMa=0,adVF=0x100</txt-record>
@@ Line 142: / Line 224: @@
    package = pkgs.sambaFull;
    openFirewall = true;
-   extraConfig = ''
+   settings = {
-     load printers = yes
+     "global" = {
-    printing = cups
+      "load printers" = "yes";
-    printcap name = cups
+      "printing" = "cups";
-  '';
+      "printcap name" = "cups";
-  shares = {
+    };
-     printers = {
+     "printers" = {
-       comment = "All Printers";
+       "comment" = "All Printers";
-       path = "/var/spool/samba";
+       "path" = "/var/spool/samba";
-       public = "yes";
+       "public" = "yes";
-       browseable = "yes";
+       "browseable" = "yes";
        # to allow user 'guest account' to print.
        "guest ok" = "yes";
-       writable = "no";
+       "writable" = "no";
-       printable = "yes";
+       "printable" = "yes";
        "create mode" = 0700;
      };
@@ Line 270: / Line 352: @@
 === CIFS mount configuration ===
 The following snippets shows how to mount a CIFS (Windows) share in NixOS.
+Note the inclusion of the <code>"nofail"</code> option; NixOS will treat CIFS shares like any other mounted drive, and this will allow the system to boot correctly if the mounted NAS is off or if the network is slow to initialize.
 Replace all <code><FIELDS></code> with concrete values:
@@ Line 284: / Line 369: @@
        automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s";
-     in ["${automount_opts},credentials=/etc/nixos/smb-secrets"];
+     in ["${automount_opts},credentials=/etc/nixos/smb-secrets" "nofail"];
    };
 }
@@ Line 378: / Line 463: @@
    services.gvfs = {
      enable = true;
-     package = lib.mkForce pkgs.gnome3.gvfs;
+     package = lib.mkForce pkgs.gnome.gvfs;
    };
 </syntaxhighlight>
@@ Line 450: / Line 535: @@
 * [https://search.nixos.org/options?channel=unstable&from=0&size=50&sort=relevance&type=packages&query=services.samba Samba Options in NixOS on unstable]
 * [https://wiki.archlinux.org/title/Samba Samba in the Arch Linux Wiki]
+* [https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html smb.conf man page]
 [[Category:Server]]
 [[Category:Applications]]