Samba: Difference between revisions

From NixOS Wiki
imported>Onsamyj
Clarification for mount as user
imported>Onny
Restructuring page and cleanup
Line 1: Line 1:
This guide will help you on how to use samba on nixos.
This guide will help you on how to use samba on nixos.


== Samba Client ==
== Server setup ==
=== cifs mount ===
 
The following snippets shows how to mount a CIFS (Windows) share in NixOS.
Replace all <code><FIELDS></code> with concrete values:
 
<syntaxhighlight lang="nix">
{
  # For mount.cifs, required unless domain name resolution is not needed.
  environment.systemPackages = [ pkgs.cifs-utils ];
  fileSystems."/mnt/share" = {
    device = "//<IP_OR_HOST>/path/to/share";
    fsType = "cifs";
    options = let
      # this line prevents hanging on network split
      automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s";
 
    in ["${automount_opts},credentials=/etc/nixos/smb-secrets"];
  };
}
</syntaxhighlight>
 
Also create /etc/nixos/smb-secrets with the following content (<code>domain=</code> can be optional)
 
<syntaxhighlight lang="nix">
username=<USERNAME>
domain=<DOMAIN>
password=<PASSWORD>
</syntaxhighlight>
 
=== mount as user ===
By default, CIFS shares are mounted as root. If mounting as user is desirable, `uid`, `gid` and usergroup arguments can be provided as part of the filesystem options:
<syntaxhighlight lang="nix">
{
  fileSystems."/mnt/share" = {
    # ... rest of the filesystem config omitted
    options = let
      automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s,user,users";
 
      in ["${automount_opts},credentials=/etc/nixos/smb-secrets,uid=1000,gid=100"];
    # or if you have specified `uid` and `gid` explicitly through NixOS configuration,
    # you can refer to them rather than hard-coding the values:
    # in ["${automount_opts},credentials=/etc/nixos/smb-secrets,${config.users.users.<username>.uid},gid=${config.users.groups.<group>.gid}"];
  };
}
</syntaxhighlight>
 
 
== Firewall ==
Samba discovery of machines and shares may need the firewall to be tuned ([https://wiki.archlinux.org/index.php/Samba#.22Browsing.22_network_fails_with_.22Failed_to_retrieve_share_list_from_server.22 source]):
in <code>/etc/nixos/configuration.nix</code>, add:
<syntaxhighlight lang="nix">
networking.firewall.extraCommands = ''iptables -t raw -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns'';
</syntaxhighlight>
 
== Browsing samba shares with GVFS ==
Many GTK-based file managers like Nautilus, Thunar, and PCManFM can browse samba shares thanks to GVFS.
GVFS is a dbus daemon which must be running for this to work.
If you use Gnome, you have nothing to do as the module already enables it for you, but in less full-featured desktop environments, some further configuration options are needed.
 
The generic way of enabling GVFS is to add this in <code>/etc/nixos/configuration.nix</code>:
<syntaxhighlight lang="nix">
services.gvfs.enable = true;
</syntaxhighlight>
 
There are however some special cases.
===== XFCE =====
[[Xfce]] comes with a slimmed-down version of GVFS by default which comes with samba support compiled out. To have smb:// support in Thunar, we will use GNOME's full-featured version of GVFS:
<syntaxhighlight lang="nix">
  services.gvfs = {
    enable = true;
    package = lib.mkForce pkgs.gnome3.gvfs;
  };
</syntaxhighlight>
===== No desktop environment =====
GVFS relies on polkit to gain privileges for some operations. Polkit needs an authentication agent to ask for credentials.
Desktop environments usually provide one but if you have no desktop environment, you may have to install one yourself:
 
Excerpt of <code>/etc/nixos/configuration.nix</code>:
<syntaxhighlight lang="nix">
environment.systemPackages = with pkgs; [ lxqt.lxqt-policykit ]; # provides a default authentification client for policykit
</syntaxhighlight>
 
 
===== DBUS =====
Furthermore, if you happen to start your Window Manager directly, via <code>.xinitrc</code>, or directly invoke a Wayland compositor such as Sway, you should ensure that you launch dbus at startup in your session and export its environment. If you do not have a dbus session in your environment, you will see errors such as "Operation not supported" when attempting to browse the network.
 
For example, if you are using <code>.xinitrc</code>, you could invoke <code>dbus-launch</code>:
<syntaxhighlight lang="bash">
export `dbus-launch` # starts dbus and exports its address
exec xterm # your prefered Window Manager
</syntaxhighlight>
(You need to restart your Window Manager to have the changes in <code>.xinitrc</code> to take place.)
 
If you are using a Wayland compositor like Sway, you can run it under <code>dbus-run-session</code> for the same effect:
<syntaxhighlight lang="bash">
dbus-run-session sway
</syntaxhighlight>
 
(Because <code>dbus-run-session</code> exits when the child process exits, it is only appropriate to use <code>dbus-run-session</code> with a process that will be running during the entire session. This is the case for Wayland compositors, but is not necessarily true for all configurations of X11 window managers.)


== Samba Server ==
Example setup for creating a public guest share called <code>public</code> and a private share called <code>private</code>. The <code>samba-wsdd</code> service is used to advertise the shares to Windows hosts.
=== excerpt of /etc/nixos/configuration.nix ===


<syntaxhighlight lang="nix">
{{file|/etc/nixos/configuration.nix|nix|<nowiki>
services.samba-wsdd = {
  # make shares visible for Windows clients
  enable = true;
  openFirewall = true;
};
services.samba = {
services.samba = {
   enable = true;
   enable = true;
   securityType = "user";
   securityType = "user";
  openFirewall = true;
   extraConfig = ''
   extraConfig = ''
     workgroup = WORKGROUP
     workgroup = WORKGROUP
Line 150: Line 46:
   };
   };
};
};
</syntaxhighlight>


If your firewall is enabled, or if you consider enabling it:
services.samba-wsdd = {
<syntaxhighlight lang="nix">
  enable = true;
  openFirewall = true;
};
 
networking.firewall.enable = true;
networking.firewall.enable = true;
networking.firewall.allowPing = true;
networking.firewall.allowPing = true;
services.samba.openFirewall = true;
</nowiki>}}
</syntaxhighlight>
 
{{Evaluate}}
 
Samba should startup afterwards.


=== User Authentication ===
=== User Authentication ===


For a user to be authenticated on the samba server, you must add their password using <code>smbpasswd -a <user></code> as root.
For a user called <code>my_user</code>to be authenticated on the samba server, you must add their password using


=== stopping/restarting the services ===
<syntaxhighlight lang="bash">
<syntaxhighlight lang="console">
smbpasswd -a my_user
# systemctl stop samba-smbd.service
# systemctl start samba-smbd.service
# systemctl restart samba-smbd.service
</syntaxhighlight>
</syntaxhighlight>


=== Use Cases ===
=== Configuration ===
 
==== Apple Time Machine ====
==== Apple Time Machine ====
Example configuration:
Example configuration:
<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
services.samba = {
services.samba = {
Line 195: Line 88:


==== Printer sharing ====
==== Printer sharing ====
The `samba` packages comes without cups support compiled in, however `sambaFull` features printer sharing support.
To use it set the `services.samba.package` option:


<syntaxhighlight lang=nix>
<syntaxhighlight lang=nix>
Line 203: Line 93:
</syntaxhighlight>
</syntaxhighlight>


A printer share that allows all members in the local network printing could look like this:
A printer share that allows printing to all members in the local network


<syntaxhighlight lang=nix>
{{file|/etc/nixos/configuration.nix|nix|<nowiki>
{ pkgs, ... }: {
services.samba = {
  services.samba = {
  enable = true;
    enable = true;
  package = pkgs.sambaFull;
    package = pkgs.sambaFull;
  openFirewall = true;
    openFirewall = true; # Automatically open firewall ports
  extraConfig = ''
    extraConfig = ''
    load printers = yes
      load printers = yes
    printing = cups
      printing = cups
    printcap name = cups
      printcap name = cups
  '';
    '';
  shares = {
    shares = {
    printers = {
      printers = {
      comment = "All Printers";
        comment = "All Printers";
      path = "/var/spool/samba";
        path = "/var/spool/samba";
      public = "yes";
        public = "yes";
      browseable = "yes";
        browseable = "yes";
      # to allow user 'guest account' to print.
        # to allow user 'guest account' to print.
      "guest ok" = "yes";
        "guest ok" = "yes";
      writable = "no";
        writable = "no";
      printable = "yes";
        printable = "yes";
      "create mode" = 0700;
        "create mode" = 0700;
      };
     };
     };
   };
   };
  systemd.tmpfiles.rules = [
};
    "d /var/spool/samba 1777 root root -"
systemd.tmpfiles.rules = [
  ];
  "d /var/spool/samba 1777 root root -"
}
];
</syntaxhighlight>
</nowiki>}}
 
The `samba` packages comes without [[Printing|CUPS printing]] support compiled in, however `sambaFull` features printer sharing support.


==== Active Directory Domain Controller ====
==== Active Directory Domain Controller ====
Line 334: Line 224:
Then restart the samba service with <code>sudo systemctl restart samba</code>, and you're ready to go!
Then restart the samba service with <code>sudo systemctl restart samba</code>, and you're ready to go!


==Troubleshooting==
== Samba Client ==
 
=== cifs mount ===
 
The following snippets shows how to mount a CIFS (Windows) share in NixOS.
Replace all <code><FIELDS></code> with concrete values:
 
<syntaxhighlight lang="nix">
{
  # For mount.cifs, required unless domain name resolution is not needed.
  environment.systemPackages = [ pkgs.cifs-utils ];
  fileSystems."/mnt/share" = {
    device = "//<IP_OR_HOST>/path/to/share";
    fsType = "cifs";
    options = let
      # this line prevents hanging on network split
      automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s";
 
    in ["${automount_opts},credentials=/etc/nixos/smb-secrets"];
  };
}
</syntaxhighlight>
 
Also create /etc/nixos/smb-secrets with the following content (<code>domain=</code> can be optional)
 
<syntaxhighlight lang="nix">
username=<USERNAME>
domain=<DOMAIN>
password=<PASSWORD>
</syntaxhighlight>
 
=== mount as user ===
 
By default, CIFS shares are mounted as root. If mounting as user is desirable, `uid`, `gid` and usergroup arguments can be provided as part of the filesystem options:
<syntaxhighlight lang="nix">
{
  fileSystems."/mnt/share" = {
    # ... rest of the filesystem config omitted
    options = let
      automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s,user,users";
 
      in ["${automount_opts},credentials=/etc/nixos/smb-secrets,uid=1000,gid=100"];
    # or if you have specified `uid` and `gid` explicitly through NixOS configuration,
    # you can refer to them rather than hard-coding the values:
    # in ["${automount_opts},credentials=/etc/nixos/smb-secrets,${config.users.users.<username>.uid},gid=${config.users.groups.<group>.gid}"];
  };
}
</syntaxhighlight>
 
 
== Firewall ==
Samba discovery of machines and shares may need the firewall to be tuned ([https://wiki.archlinux.org/index.php/Samba#.22Browsing.22_network_fails_with_.22Failed_to_retrieve_share_list_from_server.22 source]):
in <code>/etc/nixos/configuration.nix</code>, add:
<syntaxhighlight lang="nix">
networking.firewall.extraCommands = ''iptables -t raw -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns'';
</syntaxhighlight>
 
== Browsing samba shares with GVFS ==
Many GTK-based file managers like Nautilus, Thunar, and PCManFM can browse samba shares thanks to GVFS.
GVFS is a dbus daemon which must be running for this to work.
If you use Gnome, you have nothing to do as the module already enables it for you, but in less full-featured desktop environments, some further configuration options are needed.
 
The generic way of enabling GVFS is to add this in <code>/etc/nixos/configuration.nix</code>:
<syntaxhighlight lang="nix">
services.gvfs.enable = true;
</syntaxhighlight>
 
There are however some special cases.
===== XFCE =====
[[Xfce]] comes with a slimmed-down version of GVFS by default which comes with samba support compiled out. To have smb:// support in Thunar, we will use GNOME's full-featured version of GVFS:
<syntaxhighlight lang="nix">
  services.gvfs = {
    enable = true;
    package = lib.mkForce pkgs.gnome3.gvfs;
  };
</syntaxhighlight>
===== No desktop environment =====
GVFS relies on polkit to gain privileges for some operations. Polkit needs an authentication agent to ask for credentials.
Desktop environments usually provide one but if you have no desktop environment, you may have to install one yourself:
 
Excerpt of <code>/etc/nixos/configuration.nix</code>:
<syntaxhighlight lang="nix">
environment.systemPackages = with pkgs; [ lxqt.lxqt-policykit ]; # provides a default authentification client for policykit
</syntaxhighlight>
 
 
===== DBUS =====
Furthermore, if you happen to start your Window Manager directly, via <code>.xinitrc</code>, or directly invoke a Wayland compositor such as Sway, you should ensure that you launch dbus at startup in your session and export its environment. If you do not have a dbus session in your environment, you will see errors such as "Operation not supported" when attempting to browse the network.
 
For example, if you are using <code>.xinitrc</code>, you could invoke <code>dbus-launch</code>:
<syntaxhighlight lang="bash">
export `dbus-launch` # starts dbus and exports its address
exec xterm # your prefered Window Manager
</syntaxhighlight>
(You need to restart your Window Manager to have the changes in <code>.xinitrc</code> to take place.)
 
If you are using a Wayland compositor like Sway, you can run it under <code>dbus-run-session</code> for the same effect:
<syntaxhighlight lang="bash">
dbus-run-session sway
</syntaxhighlight>
 
(Because <code>dbus-run-session</code> exits when the child process exits, it is only appropriate to use <code>dbus-run-session</code> with a process that will be running during the entire session. This is the case for Wayland compositors, but is not necessarily true for all configurations of X11 window managers.)
 
== Troubleshooting ==
 
=== Server log ===
=== Server log ===
<pre>
<pre>
sudo journalctl -u samba-smbd.service -f
sudo journalctl -u samba-smbd.service -f
Line 341: Line 336:


=== Stale file handle ===
=== Stale file handle ===
Trying to read the contents of a remote file leads to the following error message: "Stale file handle". If you have mounted a share via the method described in "cfis mount", adding the option <code>noserverino</code> might fix this problem. [https://askubuntu.com/questions/1265164/stale-file-handler-when-mounting-cifs-smb-network-drive-from-fritz-router]
Trying to read the contents of a remote file leads to the following error message: "Stale file handle". If you have mounted a share via the method described in "cfis mount", adding the option <code>noserverino</code> might fix this problem. [https://askubuntu.com/questions/1265164/stale-file-handler-when-mounting-cifs-smb-network-drive-from-fritz-router]


=== List shares ===
=== List shares ===
<pre>
<pre>
smbclient --list localhost
smbclient --list localhost
Line 389: Line 386:


=== Permission denied ===
=== Permission denied ===
Maybe check the <code>guest account</code> setting in your server config.
Maybe check the <code>guest account</code> setting in your server config.
The default value is <code>nobody</code>,
The default value is <code>nobody</code>,
Line 403: Line 401:


== See also ==
== See also ==
* [https://search.nixos.org/options?channel=unstable&from=0&size=50&sort=relevance&type=packages&query=services.samba Samba Options in NixOS on unstable]
* [https://search.nixos.org/options?channel=unstable&from=0&size=50&sort=relevance&type=packages&query=services.samba Samba Options in NixOS on unstable]
* [https://wiki.archlinux.org/title/Samba Samba in the Arch Linux Wiki]
* [https://wiki.archlinux.org/title/Samba Samba in the Arch Linux Wiki]


[[Category:Services]]
[[Category:Services]]

Revision as of 19:19, 24 February 2024

This guide will help you on how to use samba on nixos.

Server setup

Example setup for creating a public guest share called public and a private share called private. The samba-wsdd service is used to advertise the shares to Windows hosts.

/etc/nixos/configuration.nix
services.samba = {
  enable = true;
  securityType = "user";
  openFirewall = true;
  extraConfig = ''
    workgroup = WORKGROUP
    server string = smbnix
    netbios name = smbnix
    security = user 
    #use sendfile = yes
    #max protocol = smb2
    # note: localhost is the ipv6 localhost ::1
    hosts allow = 192.168.0. 127.0.0.1 localhost
    hosts deny = 0.0.0.0/0
    guest account = nobody
    map to guest = bad user
  '';
  shares = {
    public = {
      path = "/mnt/Shares/Public";
      browseable = "yes";
      "read only" = "no";
      "guest ok" = "yes";
      "create mask" = "0644";
      "directory mask" = "0755";
      "force user" = "username";
      "force group" = "groupname";
    };
    private = {
      path = "/mnt/Shares/Private";
      browseable = "yes";
      "read only" = "no";
      "guest ok" = "no";
      "create mask" = "0644";
      "directory mask" = "0755";
      "force user" = "username";
      "force group" = "groupname";
    };
  };
};

services.samba-wsdd = {
  enable = true;
  openFirewall = true;
};

networking.firewall.enable = true;
networking.firewall.allowPing = true;

User Authentication

For a user called my_userto be authenticated on the samba server, you must add their password using

smbpasswd -a my_user

Configuration

Apple Time Machine

Example configuration:

services.samba = {
  shares = {
    tm_share = {
        path = "/mnt/Shares/tm_share";
        "valid users" = "username";
        public = "no";
        writeable = "yes";
        "force user" = "username";
        "fruit:aapl" = "yes";
        "fruit:time machine" = "yes";
        "vfs objects" = "catia fruit streams_xattr";
    };
  };
}

Printer sharing

services.samba.package = pkgs.sambaFull;

A printer share that allows printing to all members in the local network

/etc/nixos/configuration.nix
services.samba = {
  enable = true;
  package = pkgs.sambaFull;
  openFirewall = true;
  extraConfig = ''
    load printers = yes
    printing = cups
    printcap name = cups
  '';
  shares = {
    printers = {
      comment = "All Printers";
      path = "/var/spool/samba";
      public = "yes";
      browseable = "yes";
      # to allow user 'guest account' to print.
      "guest ok" = "yes";
      writable = "no";
      printable = "yes";
      "create mode" = 0700;
    };
  };
};
systemd.tmpfiles.rules = [
  "d /var/spool/samba 1777 root root -"
];

The `samba` packages comes without CUPS printing support compiled in, however `sambaFull` features printer sharing support.

Active Directory Domain Controller

We will setup an AD DC just like the the Samba Wiki. Let's add the following nix config, updating the adDomain, adWorkgroup, adNetbiosName and staticIp according to your needs.

{ config, lib, pkgs, ... }:
with lib;

let
  cfg = config.services.samba;
  samba = cfg.package;
  nssModulesPath = config.system.nssModules.path;
  adDomain = "samdom.example.com";
  adWorkgroup = "SAM";
  adNetbiosName = "SAMDOM";
  staticIp = "10.42.129.160";
in {
  # Disable resolveconf, we're using Samba internal DNS backend
  systemd.services.resolvconf.enable = false;
  environment.etc = {
    resolvconf = {
      text = ''
        search ${adDomain}
        nameserver ${staticIp}
      '';
    };
  };

  # Rebuild Samba with LDAP, MDNS and Domain Controller support
  nixpkgs.overlays = [ (self: super: {
    samba = (super.samba.override {
      enableLDAP = true;
      enableMDNS = true;
      enableDomainController = true;
      enableProfiling = true; # Optional for logging
       # Set pythonpath manually (bellow with overrideAttrs) as it is not set on 22.11 due to bug
    }).overrideAttrs (finalAttrs: previousAttrs: {
        pythonPath = with super; [ python3Packages.dnspython tdb ldb talloc ];
      });
  })];

  # Disable default Samba `smbd` service, we will be using the `samba` server binary
  systemd.services.samba-smbd.enable = false;  
  systemd.services.samba = {
    description = "Samba Service Daemon";

    requiredBy = [ "samba.target" ];
    partOf = [ "samba.target" ];

    serviceConfig = {
      ExecStart = "${samba}/sbin/samba --foreground --no-process-group";
      ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
      LimitNOFILE = 16384;
      PIDFile = "/run/samba.pid";
      Type = "notify";
      NotifyAccess = "all"; #may not do anything...
    };
    unitConfig.RequiresMountsFor = "/var/lib/samba";
  };
  services.samba = {
    enable = true;
    enableNmbd = false;
    enableWinbindd = false;
    configText = ''
      # Global parameters
      [global]
          dns forwarder = ${staticIp}
          netbios name = ${adNetbiosName}
          realm = ${toUpper adDomain}
          server role = active directory domain controller
          workgroup = ${adWorkgroup}
          idmap_ldb:use rfc2307 = yes

      [sysvol]
          path = /var/lib/samba/sysvol
          read only = No

      [netlogon]
          path = /var/lib/samba/sysvol/${adDomain}/scripts
          read only = No
    '';
  };  
}

After evaluating, you should see that the Samba service crashed because we haven't setup the database yet.

To do that, let's run the following command, updated with your own configuration:

samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=SAMDOM.EXAMPLE.COM --domain=SAMDOM --adminpass=Passw0rd

Then restart the samba service with sudo systemctl restart samba, and you're ready to go!

Samba Client

cifs mount

The following snippets shows how to mount a CIFS (Windows) share in NixOS. Replace all <FIELDS> with concrete values:

{
  # For mount.cifs, required unless domain name resolution is not needed.
  environment.systemPackages = [ pkgs.cifs-utils ];
  fileSystems."/mnt/share" = {
    device = "//<IP_OR_HOST>/path/to/share";
    fsType = "cifs";
    options = let
      # this line prevents hanging on network split
      automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s";

    in ["${automount_opts},credentials=/etc/nixos/smb-secrets"];
  };
}

Also create /etc/nixos/smb-secrets with the following content (domain= can be optional)

username=<USERNAME>
domain=<DOMAIN>
password=<PASSWORD>

mount as user

By default, CIFS shares are mounted as root. If mounting as user is desirable, `uid`, `gid` and usergroup arguments can be provided as part of the filesystem options:

{
  fileSystems."/mnt/share" = {
    # ... rest of the filesystem config omitted
    options = let
      automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s,user,users";

      in ["${automount_opts},credentials=/etc/nixos/smb-secrets,uid=1000,gid=100"];
    # or if you have specified `uid` and `gid` explicitly through NixOS configuration,
    # you can refer to them rather than hard-coding the values:
    # in ["${automount_opts},credentials=/etc/nixos/smb-secrets,${config.users.users.<username>.uid},gid=${config.users.groups.<group>.gid}"];
  };
}


Firewall

Samba discovery of machines and shares may need the firewall to be tuned (source): in /etc/nixos/configuration.nix, add:

networking.firewall.extraCommands = ''iptables -t raw -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns'';

Browsing samba shares with GVFS

Many GTK-based file managers like Nautilus, Thunar, and PCManFM can browse samba shares thanks to GVFS. GVFS is a dbus daemon which must be running for this to work. If you use Gnome, you have nothing to do as the module already enables it for you, but in less full-featured desktop environments, some further configuration options are needed.

The generic way of enabling GVFS is to add this in /etc/nixos/configuration.nix:

services.gvfs.enable = true;

There are however some special cases.

XFCE

Xfce comes with a slimmed-down version of GVFS by default which comes with samba support compiled out. To have smb:// support in Thunar, we will use GNOME's full-featured version of GVFS:

  services.gvfs = {
    enable = true;
    package = lib.mkForce pkgs.gnome3.gvfs;
  };
No desktop environment

GVFS relies on polkit to gain privileges for some operations. Polkit needs an authentication agent to ask for credentials. Desktop environments usually provide one but if you have no desktop environment, you may have to install one yourself:

Excerpt of /etc/nixos/configuration.nix:

environment.systemPackages = with pkgs; [ lxqt.lxqt-policykit ]; # provides a default authentification client for policykit


DBUS

Furthermore, if you happen to start your Window Manager directly, via .xinitrc, or directly invoke a Wayland compositor such as Sway, you should ensure that you launch dbus at startup in your session and export its environment. If you do not have a dbus session in your environment, you will see errors such as "Operation not supported" when attempting to browse the network.

For example, if you are using .xinitrc, you could invoke dbus-launch:

export `dbus-launch` # starts dbus and exports its address
exec xterm # your prefered Window Manager

(You need to restart your Window Manager to have the changes in .xinitrc to take place.)

If you are using a Wayland compositor like Sway, you can run it under dbus-run-session for the same effect:

dbus-run-session sway

(Because dbus-run-session exits when the child process exits, it is only appropriate to use dbus-run-session with a process that will be running during the entire session. This is the case for Wayland compositors, but is not necessarily true for all configurations of X11 window managers.)

Troubleshooting

Server log

sudo journalctl -u samba-smbd.service -f

Stale file handle

Trying to read the contents of a remote file leads to the following error message: "Stale file handle". If you have mounted a share via the method described in "cfis mount", adding the option noserverino might fix this problem. [1]

List shares

smbclient --list localhost

This should print

$ smbclient --list localhost 
Password for [WORKGROUP\user]:

	Sharename       Type      Comment
	---------       ----      -------
	public          Disk      
	IPC$            IPC       IPC Service (smbnix)
SMB1 disabled -- no workgroup available

NT_STATUS_INVALID_NETWORK_RESPONSE

The error protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE means "access denied". Probably you must fix your server's hosts allow section. Note that localhost is the ipv6 localhost ::1, and 127.0.0.1 is the ipv4 localhost

Mount shares

mount as guest. public is your share name

nix-shell -p cifs-utils
mkdir mnt
sudo mount.cifs -o sec=none //localhost/public mnt

mount as user. user is your username

sudo mount.cifs -o sec=ntlmssp,username=user //localhost/public mnt

sec=ntlmssp should work. for more values, see `man mount.cifs` (search for `sec=arg`)

Permission denied

Maybe check the guest account setting in your server config. The default value is nobody, but the user nobody has no access to /home/user:

$ sudo -u nobody ls /home/user
[sudo] password for user: 
ls: cannot open directory '/home/user': Permission denied

As workaround, set guest account = user, where user is your username

See also