Samba server on pfSense 2.0.2



  • I will most likely get flamed, die in a fire and burn in hell for eternity for sharing this but….here goes...

    go to ssh shell and type:

    setenv PACKAGESITE "ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.3-release/Latest/"

    pkg_add -r samba36

    then create the folder

    /home/public

    and set priv. to 777

    create the file

    /usr/local/etc/smb.conf

    [global]
    netbios name = Server
    server string = pfSense
    workgroup = WORKGROUP
    os level = 39
    security = share
    preferred master = yes
    usershare allow guests = yes
    guest account = root
    
    socket options = TCP_NODELAY
    
    [Public]
    	comment = Huh?
    	writeable = yes
    	public = yes
    	path = /home/public
    	browseable = yes
    	guest ok = yes
    

    create the file    /etc/rc.conf.local

    samba_enable="YES"
    nmbd_enable="YES"
    smbd_enable="YES"
    winbindd_enable="YES"
    
    

    then start your server

    /usr/local/etc/rc.d/samba start

    if it doesnt work then…god hate you...



  • I don't know why this would be a big deal/flame bait.  All you need to do is add

    interfaces = e1000g0

    to your smb.conf where e1000g0 is your internal LAN interface and it should only be available from your LAN (and only create firewall rules for the LAN interface as well).

    I know that this is a bad practice in general to put your data on your firewall which is why I won't do it.  However it does depend on the data.  If you are putting data on there that you don't need secure like music files, etc… then who cares.



  • @evil_chewbaka:

    I will most likely get flamed, die in a fire and burn in hell for eternity for sharing this but….here goes...

    Samba on pfSense is like a flashlight on a toaster - it is strange and dangerous but sometimes handy  ;D


  • Rebel Alliance Developer Netgate

    @wheelz:

    I don't know why this would be a big deal/flame bait.  All you need to do is add

    interfaces = e1000g0

    to your smb.conf where e1000g0 is your internal LAN interface and it should only be available from your LAN (and only create firewall rules for the LAN interface as well).

    I know that this is a bad practice in general to put your data on your firewall which is why I won't do it.  However it does depend on the data.  If you are putting data on there that you don't need secure like music files, etc… then who cares.

    It's not about securing the data, it's about securing the firewall. The odds of someone exploiting the firewall to get to your data are very, very low.

    The odds of someone exploiting samba to compromise your firewall are much, much higher.

    That said, I wouldn't do it, but I can see why someone would. I've done it before (years ago, before I ran pfSense), but I wouldn't do it now.

    Also we tend to think of pfSense in its main role as a firewall, but it can also be an appliance platform. If someone really wanted to, they could setup pfSense standing alone with one interface on their LAN and have it work as just a file server. Not sure why someone would want to do that when FreeNAS exists, but that has never stopped anyone before. :-)  In that type of environment, it can make sense. It's just not very common.



  • I am getting this error. help :'(

    Starting nmbd.
    /libexec/ld-elf.so.1: /usr/local/lib/libtalloc.so.2: unsupported file layout
    /usr/local/etc/rc.d/samba: WARNING: failed to start nmbd
    Starting smbd.
    /libexec/ld-elf.so.1: /usr/local/lib/libtalloc.so.2: unsupported file layout
    /usr/local/etc/rc.d/samba: WARNING: failed to start smbd
    Starting winbindd.
    /libexec/ld-elf.so.1: /usr/local/lib/libtalloc.so.2: unsupported file layout
    /usr/local/etc/rc.d/samba: WARNING: failed to start winbindd



  • Solved it! It seems that the dependencies are for 32bit. Here's what I did for my 64bit pfSense 2.0.2 box:

    Delete the packages samba, talloc and python.

    pkg_delete -v samba <version>pkg_delete -v talloc <version>pkg_delete -v python <version>*you can see the installed version of these packages in your system by using the command pkg_info.</version></version></version>

    set the packagesite variable to use the 64bit instead of 32bit repository.

    setenv PACKAGESITE "ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.3-release/Latest/"

    *take note of the amd64 after the ports.

    install samba again.

    pkg_add -r -v samba36

    *this will also install it's dependencies, talloc and python libraries.

    configure the smb.conf then start the smb service.

    /usr/local/etc/rc.d/samba start
    

    that's it!!





  • Hi guys got a problem when trying to run samba, please see below. Please help what could be the problem.

    [2.0.3-RELEASE][admin@mydomain.local]/home/public(26): /usr/local/etc/rc.d/samba start
    Starting nmbd.
    /libexec/ld-elf.so.1: Shared object "libsasl2.so.2" not found, required by "libldap-2.4.so.8"
    /usr/local/etc/rc.d/samba: WARNING: failed to start nmbd
    Starting smbd.
    /libexec/ld-elf.so.1: Shared object "libsasl2.so.2" not found, required by "libldap-2.4.so.8"
    /usr/local/etc/rc.d/samba: WARNING: failed to start smbd
    Starting winbindd.
    /libexec/ld-elf.so.1: Shared object "libsasl2.so.2" not found, required by "libldap-2.4.so.8"
    /usr/local/etc/rc.d/samba: WARNING: failed to start winbindd



  • well the quide is quite good it works just as i wanted with some optimizations.

    the problem is that after every restart of pfsense samba is not starting as it should.
    after a restart giving "service samba status"
    i get```
    nmbd is not running.
    smbd is not running.
    winbindd is not running.

    
    if i try this "service winbindd start"
    

    winbindd does not exist in /etc/rc.d or the local startup
    directories (/usr/local/etc/rc.d)

    
    this is my: /etc/rc.conf.local
    

    samba_enable="YES"
    nmbd_enable="YES"
    smbd_enable="YES"
    winbindd_enable="YES"

    
    if i reinstall everything , it works!!!, until the next restart :(
    any ideas ?


  • For me its working with this modification and after reboot samba is working as expected.

    cp /usr/local/etc/rc.d/samba /usr/local/etc/rc.d/samba.sh

    Forgot to mention u can start/stop samba without making the modification with:

    /usr/local/etc/rc.d/samba onestart
    /usr/local/etc/rc.d/samba onestop

    With those commands maybe u can make an cron job to allow users to share with samba at any time u want  :D

    Best regards

    P.S. Sorry for my english, is not my native language



  • Registered just to reply to this thread (and probably others in the future).

    The problem I got with this Samba package is that it's trying to put the PID files into a folder in /var/run that doesn't exist (apparently /var/run is cleaned on reboot) and it doesn't have the foresight to create said folder again. The fix is simple, create that folder automatically during boot before Samba starts.  edit: or you can just edit the startup script so that the PID files are created in a valid location.

    The easiest way I found to do it is to edit the xml config file (/cf/conf/config.xml) and add "<shellcmd>mkdir /var/run/samba</shellcmd>" at the end of the system section so it becomes something like this :


    <dnsallowoverride><shellcmd>mkdir /var/run/samba</shellcmd>

    <interfaces>...</interfaces></dnsallowoverride>

    You might also need to copy the samba run script to samba.sh as suggested by ghostdust for Samba to start automatically.

    cp /usr/local/etc/rc.d/samba /usr/local/etc/rc.d/samba.sh

    After this everything should work fine, at least it did so on my test machine.



  • @Haxdal:

    • <shellcmd>mkdir /var/run/samba</shellcmd>

    • cp /usr/local/etc/rc.d/samba /usr/local/etc/rc.d/samba.sh

    After this everything should work fine, at least it did so on my test machine.

    Just tested this , and i can confirm that it is working like a charm even after a restart.
    I want to thank both Haxdal & ghostdust.



  • I know this is pretty old post,

    but would love to have a samba or ftp package on my pfbox,

    my current hardware is simply overkill for a firewall.



  • @hongkonger:

    I know this is pretty old post,

    but would love to have a samba or ftp package on my pfbox,

    my current hardware is simply overkill for a firewall.

    Well the guide is pretty straight forward about samba server.
    Read the guide and the troubleshooting below.
    Here to help with ;)



  • Instructions for pfsense 2.2.2-RELEASE (FreeBSD 10.1) with regards to the original steps

    run these commands:
    pkg
    pkg install net/samba42

    Note 1: samba4.3 released on september 8th, you may be able to install this in future with pkg install net/samba43
    Note 2: this has a bunch of dependencies which pkg will need to add automatically, potential security issues

    Create /etc/rc.conf with this (rc.conf.local no longer required):
    samba_server_enable="YES"

    Primary conf file name changed:
    cat /usr/local/etc/smb4.conf
    [global]
    server string = pfSense
    interfaces = em0, lo
    bind interfaces only = Yes
    guest account = root
    os level = 39
    preferred master = Yes
    usershare allow guests = Yes
    idmap config * : backend = tdb

    [Public]
    comment = Huh?
    path = /home/
    read only = No
    guest ok = Yes

    Note 3: keep an eye on the interface only section, replace yours their and change the path as needed.

    Providing god doesn't hate you:

    /usr/local/etc/rc.d/samba_server start
    Performing sanity check on Samba configuration: OK
    Starting nmbd.
    Starting smbd.

    Note 4: Conf file help: (on a linux system) run testparm <your conf="" file="">. This outputted a better formatted conf file that worked on freebsd.

    Also make sure you bind your interfaces right, you probably don't want this on the internet (maybe you do?)

    netstat -na | grep 445
    tcp4      0      0 192.168.1.1.445        .                    LISTEN
    netstat -na | grep 137
    udp4      0      0 192.168.1.255.137      .                   
    udp4      0      0 192.168.1.1.137        .                   
    udp4      0      0 *.137                  .

    General help:
    http://wiki.samba.org/index.php/Samba4/HOWTO

    Here's a FreeBSD gpart cheat sheet for those who are lazy and normally use gparted on linux like me:
    https://forums.freebsd.org/threads/gpart-cheatsheet-wiping-drives-partitioning-formating.45411/
    mount /dev/da0p1 backup/

    Hope this helps others, feel free to comment if things i've placed here should be done differently.</your>



  • Hope this helps others,

    Only to get open or damage their firewall. SAMBA on WAN connected devices are a huge security risk
    and that not only based on BSD or Linux. Even!

    feel free to comment if things i've placed here should be done differently.

    A SAMBA server has nothing to search on a firewall, router, gateway or any other device
    connected to the WAN interface directly.



  • @BlueKobold:

    Hope this helps others,

    Only to get open or damage their firewall. SAMBA on WAN connected devices are a huge security risk
    and that not only based on BSD or Linux. Even!

    feel free to comment if things i've placed here should be done differently.

    A SAMBA server has nothing to search on a firewall, router, gateway or any other device
    connected to the WAN interface directly.

    I think these points, as valid as they are, are covered extensively in this and especially other places on the pfsense forum. the only place where someone likely would risk this is a home environment where the security risks from hacked cell phones or infected windows PCs probably outweighs smbd on pfsense by a couple orders of magnitude.

    for me, I have a USB external HDD that needs to be connected to a PC or other device, and that device needs to stay on 24x7 for constant remote file access. I try to limit the kilowatt hours of electricity usage as much as possible so that is my main motivation instead of connecting it to a PC and leaving that on (pfsense runs on an old laptop at my home). buying a external HDD enclosure that has ethernet and it's own smbd running is not free either so this is a good free alternative with the implied security risk, to an environment which contains a limited amount of sensitive information.


  • Rebel Alliance Global Moderator

    I love it how people justify garbage setups because of minuscule costs..

    So you could pickup a pogo plug (tiny computer) for under $20 uses like zero power.  You could pickup a pi again for under $35 for sure.. You could get the latest and greatest pi 2 b+ kit with SD card, etc.. for $55 uses like nothing for power..

    pogo you can run arch linux on, has usb 2, usb 3 and even 1 USM/SATA Slot
    http://www.amazon.com/Pogoplug-Series-4-Backup-Device/dp/B006I5MKZY

    So your setting up something that clearly is unsupported because its a power saving issue, or cost of running a new piece of hardware?  That you can get for pennies?  Clearly you paying for internet, have a laptop, and most likley multiple pcs?  Since you mention old PC buty don't want to leave it on because of power.

    But you can not afford $20 to have a new toy to play with!!!  And also provide your samba sharing server…