What's Actually Happening
Samba file shares are not accessible from client machines. Connection attempts fail with permission errors or timeouts.
The Error You'll See
```bash $ smbclient //server/share -U user
session setup failed: NT_STATUS_LOGON_FAILURE ```
Connection error:
tree connect failed: NT_STATUS_BAD_NETWORK_NAMEPermission denied:
NT_STATUS_ACCESS_DENIEDProtocol error:
protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSEWhy This Happens
- 1.Service not running - smbd or nmbd not started
- 2.Permission issues - File system or share permissions
- 3.Configuration errors - smb.conf misconfigured
- 4.Authentication failure - User/password incorrect
- 5.SELinux blocking - Security policy preventing access
- 6.Firewall blocking - Ports not open
- 7.Network issues - Client cannot reach server
Step 1: Check Samba Services
```bash # Check Samba services: systemctl status smbd systemctl status nmbd
# Start services: systemctl start smbd nmbd
# Enable at boot: systemctl enable smbd nmbd
# Check processes: ps aux | grep -E "smbd|nmbd"
# Check ports: netstat -tlnp | grep -E "139|445"
# Samba ports: # 139 - NetBIOS Session Service # 445 - SMB over TCP
# Check configuration: testparm
# Check for config errors: testparm -s 2>&1 | grep -i error
# View smb.conf: cat /etc/samba/smb.conf
# Check logs: journalctl -u smbd -f tail -f /var/log/samba/log.smbd
# Version: smbd --version ```
Step 2: Check Share Configuration
```bash # View shares: smbclient -L localhost -N
# Check specific share: testparm -s | grep -A 20 "[share]"
# Share configuration example: [share] path = /srv/samba/share browseable = yes read only = no guest ok = no valid users = @smbgroup create mask = 0660 directory mask = 0770
# Check path exists: ls -la /srv/samba/share
# Create share directory: mkdir -p /srv/samba/share
# Check share in config: grep -A 10 "[" /etc/samba/smb.conf
# Common issues: # 1. Path doesn't exist # 2. Wrong path in config # 3. Share name typo # 4. Missing valid users
# Reload config: systemctl reload smbd
# Verify share visible: smbclient -L localhost -U user ```
Step 3: Check User Authentication
```bash # Check Samba users: pdbedit -L
# Add Samba user: useradd -m -s /bin/bash username smbpasswd -a username
# Set password: smbpasswd username
# Check user exists in system: id username
# Check group membership: groups username
# Add to samba group: usermod -aG smbgroup username
# Test authentication: smbclient //localhost/share -U username
# Check password database: pdbedit -L -v username
# Verify user can access: smbclient //server/share -U username
# For domain users: # Check winbind: systemctl status winbind
# List domain users: wbinfo -u
# Test domain auth: wbinfo -a DOMAIN\\user%password
# Check nsswitch: grep -E "passwd|group" /etc/nsswitch.conf # Should include winbind ```
Step 4: Check File Permissions
```bash # Check share directory: ls -la /srv/samba/share/
# Check owner: stat /srv/samba/share
# Fix ownership: chown -R root:smbgroup /srv/samba/share
# Set permissions: chmod 2770 /srv/samba/share
# Setgid for group inheritance: chmod g+s /srv/samba/share
# Check create mask in config: create mask = 0660 directory mask = 0770
# Force group: force group = smbgroup
# Check ACLs: getfacl /srv/samba/share
# Set ACL: setfacl -R -m g:smbgroup:rwx /srv/samba/share
# Check for permission inheritance: getfacl /srv/samba/share/file
# Test write: sudo -u username touch /srv/samba/share/test rm /srv/samba/share/test
# Check for sticky bit: ls -la /srv/samba/share | head -1 ```
Step 5: Check SELinux Configuration
```bash # Check SELinux status: getenforce
# Check Samba SELinux booleans: getsebool -a | grep samba
# Enable Samba share access: setsebool -P samba_export_all_rw 1
# Or for read-only: setsebool -P samba_export_all_ro 1
# Allow home directory sharing: setsebool -P samba_enable_home_dirs 1
# Set SELinux context: semanage fcontext -a -t samba_share_t "/srv/samba/share(/.*)?" restorecon -Rv /srv/samba/share
# Check context: ls -laZ /srv/samba/share/
# Expected context: # unconfined_u:object_r:samba_share_t:s0
# Temporarily disable SELinux: setenforce 0
# Check audit log for denials: ausearch -m avc -ts recent | grep smbd
# Create policy from audit: grep smbd /var/log/audit/audit.log | audit2allow -M mysamba semodule -i mysamba.pp ```
Step 6: Check Firewall Configuration
```bash # Check firewall status: iptables -L -n | grep -E "139|445"
# Allow Samba: iptables -I INPUT -p tcp --dport 139 -j ACCEPT iptables -I INPUT -p tcp --dport 445 -j ACCEPT iptables -I INPUT -p udp --dport 137:138 -j ACCEPT
# Using ufw: ufw allow samba # Or: ufw allow 139/tcp ufw allow 445/tcp ufw allow 137:138/udp
# Using firewalld: firewall-cmd --add-service=samba --permanent firewall-cmd --reload
# Check firewalld: firewall-cmd --list-all | grep samba
# Test port: nc -zv server 445 nc -zv server 139
# Check from client: nmap -p 139,445 server
# Allow through iptables persistence: # Save rules: iptables-save > /etc/iptables/rules.v4 # Or: netfilter-persistent save ```
Step 7: Test from Client
```bash # Test from Linux client: smbclient -L server -U username
# Connect to share: smbclient //server/share -U username
# Mount share: mount -t cifs //server/share /mnt -o username=user
# With credentials: mount -t cifs //server/share /mnt -o username=user,password=pass
# Using credentials file: cat > /root/.smbcreds << EOF username=user password=pass domain=WORKGROUP EOF
mount -t cifs //server/share /mnt -o credentials=/root/.smbcreds
# Test from Windows: # Run: \\server\share
# Check from Windows command: net use \\server\share /user:username password
# Test connectivity: ping server telnet server 445
# Debug connection: smbclient //server/share -U username -d 4 ```
Step 8: Check Network Configuration
```bash # Check network interfaces: ip addr show
# Check if listening: ss -tlnp | grep smbd
# Check hostname resolution: hostname
# Check hosts file: cat /etc/hosts | grep $(hostname)
# Check workgroup/domain: grep workgroup /etc/samba/smb.conf
# Set workgroup: workgroup = WORKGROUP
# Check server string: server string = Samba Server
# Check NetBIOS name: netbios name = SERVER
# Check interfaces: interfaces = lo eth0
# Bind to specific interfaces: bind interfaces only = yes
# Check hosts allow: hosts allow = 127. 192.168.1.
# Check hosts deny: hosts deny = ALL
# Test connectivity: smbclient -L localhost -N smbclient -L 127.0.0.1 -N ```
Step 9: Debug Samba Issues
```bash # Increase log level in smb.conf: log level = 3 log file = /var/log/samba/log.%m
# Max debug: log level = 10
# Restart: systemctl restart smbd
# Watch logs: tail -f /var/log/samba/log.smbd
# Client-specific logs: tail -f /var/log/samba/log.client-name
# Test with debug: smbclient //server/share -U username -d 10
# Check for protocol issues: # Enable SMB2/3: max protocol = SMB3 min protocol = SMB2
# Disable SMB1 (security): server min protocol = SMB2
# Check for NTLM issues: # In config: ntlm auth = yes lanman auth = no
# Check for encryption: smb encrypt = disabled # Or for required: smb encrypt = required
# Test with specific protocol: smbclient //server/share -U username -m SMB3 ```
Step 10: Samba Verification Script
```bash # Create verification script: cat << 'EOF' > /usr/local/bin/check-samba.sh #!/bin/bash
echo "=== Samba Services ===" systemctl status smbd 2>/dev/null | head -5 || echo "smbd not running" systemctl status nmbd 2>/dev/null | head -5 || echo "nmbd not running"
echo "" echo "=== Process Check ===" ps aux | grep -E "smbd|nmbd" | grep -v grep || echo "No Samba processes"
echo "" echo "=== Ports ===" netstat -tlnp 2>/dev/null | grep -E "139|445" || ss -tlnp | grep -E "139|445" || echo "Samba ports not listening"
echo "" echo "=== Configuration Test ===" testparm -s 2>&1 | head -20
echo "" echo "=== Shares ===" smbclient -L localhost -N 2>/dev/null || echo "Cannot list shares"
echo "" echo "=== Samba Users ===" pdbedit -L 2>/dev/null || echo "No Samba users or pdbedit error"
echo "" echo "=== Share Directories ===" grep "path =" /etc/samba/smb.conf | while read line; do path=$(echo $line | awk '{print $3}') echo "$path:" ls -la $path 2>&1 | head -5 done
echo "" echo "=== SELinux ===" getenforce 2>/dev/null || echo "SELinux not installed" getsebool -a 2>/dev/null | grep samba | grep on || true
echo "" echo "=== Firewall ===" iptables -L -n 2>/dev/null | grep -E "139|445" || echo "No iptables rules for Samba" ufw status 2>/dev/null | grep -E "139|445|samba" || true
echo "" echo "=== Recent Logs ===" tail /var/log/samba/log.smbd 2>/dev/null | tail -10 || journalctl -u smbd --no-pager -n 10 2>/dev/null || echo "No logs"
echo "" echo "=== Recommendations ===" echo "1. Ensure smbd and nmbd services running" echo "2. Check share path exists and has correct permissions" echo "3. Verify user exists in Samba password database" echo "4. Allow ports 139, 445, 137-138 in firewall" echo "5. Configure SELinux context for share directory" echo "6. Check smb.conf syntax with testparm" echo "7. Test authentication with smbclient" EOF
chmod +x /usr/local/bin/check-samba.sh
# Usage: /usr/local/bin/check-samba.sh ```
Samba Share Accessibility Checklist
| Check | Expected |
|---|---|
| Services running | smbd and nmbd active |
| Port listening | 139 and 445 open |
| Share configured | Path exists in smb.conf |
| User exists | pdbedit shows user |
| Permissions | User can read/write share |
| SELinux | samba_share_t context |
| Firewall | Ports 139, 445 allowed |
Verify the Fix
```bash # After fixing Samba share
# 1. Check services systemctl status smbd nmbd // Both active running
# 2. List shares smbclient -L localhost -N // Shares visible
# 3. Test authentication smbclient //localhost/share -U username // Connection successful
# 4. Test file access smb: \> ls // Files listed
# 5. Test write smb: \> put testfile // File uploaded
# 6. Check from client mount -t cifs //server/share /mnt // Share mounted ```
Related Issues
- [Fix NFS Mount Failed](/articles/fix-nfs-mount-still-pointing-to-old-file-server-after-migration)
- [Fix GlusterFS Volume Not Mounting](/articles/fix-glusterfs-volume-not-mounting)
- [Fix Active Directory Login Failed](/articles/fix-active-directory-login-failed)