Running Samba in a FreeBSD jail
Describes how to install Samba from binary packages, in a FreeBSD jail. Tested on FreeBSD
10.2-RELEASE. As usual, YMMV; let’s go:
Create a FreeBSD jail. I use ezjail, but the specific way of creating the jail is of no importance. To create a FreeBSD jail named
samba, with IP address of
192.168.0.231, bound to network interface
igb0, with the help of ezjail, do
root@host: ~# ezjail-admin create samba 'igb0|192.168.0.231'
sambawith desired jail/server name and
192.168.0.231with the IP address to be assigned to the jail.
Start the jail and enter inside, do
root@host: ~# ezjail-admin start samba root@host: ~# ezjail-admin console samba root@samba: ~#
Optional: select the correct time-zone, do
root@samba: ~# tzsetup
and follow instructions.
Install FreeBSD binary package manager:
root@samba: ~# pkg bootstrap
agree and wait for task to complete.
Install Samba binary package:
root@samba: ~# pkg install samba43
once again agree and wait for task to complete (Samba sports quite a list of dependencies).
Create initial Samba configuration file (important parts related to “jailing” Samba are explained below). For Samba 4.x the name of configuration file would be
[global] interfaces = 192.168.0.231 bind interfaces only = yes remote announce = 192.168.0.255 map to guest = bad user [test] path = /mnt read only = yes guest ok = yes
The important parts:
interfacesline declares IP address visible to the clients: jail’s public IP address (
192.168.0.231in this example, something else in your case),
bind interfaces only = yestells Samba to bind only to addresses listed in
remote announce = 192.168.0.255tells Samba to advertise itself on the given broadcast address, since, by default, jails use
/32mask and the broadcast address equals to the jail’s IP address. Put the correct broadcast address here, depending on the subnet in use!
- the rest of the options allow
guestaccess and declare a single share, named
Enable and start Samba services:
root@samba: ~# sysrc samba_server_enable=YES samba_server_enable: -> YES root@samba: ~# service samba_server start Performing sanity check on Samba configuration: OK Starting nmbd. Starting smbd. root@samba: ~#
Verify if Samba is running:
root@samba: ~# service samba_server status nmbd is running as pid 93309. smbd is running as pid 93315. root@samba: ~#
If either service is not running check
log.smbdfor errors (both in
/var/log/samba/). Verify if jail’s IP address is correctly specified at
At this moment, if the services are running, it should be possible to access Samba by its IP address (like
\\192.168.0.231from Windows or
smb://192.168.0.231from Mac OS), but not by its name. I believe the reason is, that
nmbd, when running in a jail, is unable to receive broadcasts, because those packets do not target jail’s IP address. With other words, when clients ask “who is
sambais the Samba server name, by default same as hostname or jail name)
nmbdwouldn’t be able to hear that question and won’t answer.
Let’s fix that:
Let’s add a firewall rule to forward broadcast traffic to the jail’s
pffirewall the rules to be added to
rdr inet proto udp to 192.168.0.255 port netbios-dgm -> 192.168.0.231 port netbios-dgm rdr inet proto udp to 192.168.0.255 port netbios-ns -> 192.168.0.231 port netbios-ns
192.168.0.231should be replaced with jail’s IP address and
192.168.0.255should be replaced with the correct broadcast address for subnet in use.
Same should be possible using
ipfw, but I have no experience with it.
That’s it! At least in my case. YMMV.