Simple Samba Setup: Difference between revisions

From Coolscript
No edit summary
 
(47 intermediate revisions by the same user not shown)
Line 1: Line 1:
Simple Samba (SMB) Setup with the focus of having a file share method for www developers on windos machines.
Simple Samba (SMB) Setup with the main focus being of of having a file share method for www developers on windows machines.




Install Samba on Debian or Ubuntu
=Install Samba on Debian or Ubuntu=
  apt-get install samba samba-common system-config-samba
  apt-get install samba samba-common  


<span style="color:red;">'''Note:'''</span> If firewalls or port filters are in use then please make sure that <span style="color:red;">'''Tcp 445'''</span> is allowed to talk to the Samba Server


Configure Samba with a local user to authenticate the client but using a local user (www-data) to enforce file modification on the local machine made by www-data
=Configure Samba with a local user for www-data=
Configure Samba with a local user to authenticate and enforce the user www-data to be used on the share level
*Add a new group
addgroup sambagrp


*Create a user (demo01), no home directory and no local login, just to authenticate with Samba, add the user to the new group
useradd demo01 -M -G sambagrp -s /usr/sbin/nologin
*Add a the new user (-a) to the Samba authentication and create a new password
smbpasswd -a demo01
*Create or edit /etc/samba/smb.conf
  [global]
  [global]
     workgroup = WORKGROUP
     workgroup = WORKGROUP
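Review bot: the red note on Tcp 445 says the port must be allowed to reach the Samba server but not from where; it should name the permitted sources, for example only the Windows developer machines this share is meant for, so the rule is not read as opening 445 to every network. The reworded intro line also has a doubled word ("being of of having"), and the step text "Add a the new user (-a)" should read "Add the new user (-a)".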
Line 21: Line 33:
     pam password change = Yes
     pam password change = Yes
     map to guest = Bad User
     map to guest = Bad User
     log level = 4
     #log level = 4 #To be used for debugging purposes
[www]
    comment = www
    path = /var/www
    valid users = @sambagrp
    browsable = yes
    writable = yes
    read only = no
    force user = www-data
 
 
*Restart Samba
systemctl restart smbd
 
Ready to use the demo01 user to connect to the Samba Server
 
=Configure Samba with a foreign user for www-data=
<br>Configure a new user which gets authenticated with other methods such as 'sssd (ldap authentication)' like with '''ActiveDirectory'''<br><br>
*Add a new group, this time we use a ldap group
addgroup ldapgrp
 
*Add the Ldap user to the new group
usermod -a -G ldapgrp  <ldap user>
 
*Add a the new user (-a) to the Samba authentication and create a new password. This can become interesting because if the same password is used for ldap then the result will be some kind of a improved single sign on, ldap or active directory users will not get prompted for a password this way
smbpasswd -a <ldap user>
 
*Create or edit /etc/samba/smb.conf, note that '''obey pam restrictions''' is not used anymore in this sample
[global]
    workgroup = WORKGROUP
    server string = %h server (Linux)
    interfaces = eth0
    bind interfaces only = yes
    log file = /var/log/samba/log.%m
    panic action = /usr/share/samba/panic-action %d
    server role = standalone server
    '''<s>#obey pam restrictions = Yes</s>'''
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    pam password change = Yes
    map to guest = Bad User
    #log level = 4 #To be used for debugging purposes
   
   
  [www]
  [www]
     comment = www
     comment = www
     path = /var/www
     path = /var/www
     #valid users = @smbgrp
     valid users = @ldapgrp
    write list = @smbgrp
    #valid users = shares
    #admin users = shares
     browsable = yes
     browsable = yes
     writable = yes
     writable = yes
     read only = no
     read only = no
     create mask = 0777
     force user = www-data
    #force user = www-data
 
 
=Configure Samba with a local user for general purpose=
Configure Samba with a local user to authenticate both, to the Linux console and Samba
*Add group
addgroup demogrp
*Add user with password
adduser demo2
*Add the user to the Samba TDB
smbpasswd demo02
*Change the primary group
usermod -g demogrp demo02
*Create a test directory for the samba share
mkdir /data
*Assign user and group to the new directory
chown root /data
chgrp demogrp /data
chmod 770 /data
 
*/etc/samba/smb.conf
[global]
  workgroup = WORKGROUP
  server string = %h server (Linux)
  interfaces = eth0
  bind interfaces only = yes
  log file = /var/log/samba/log.%m
  panic action = /usr/share/samba/panic-action %d
  server role = standalone server
  obey pam restrictions = Yes
  passwd program = /usr/bin/passwd %u
  passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
  pam password change = Yes
  map to guest = Bad User
  #log level = 4 #To be used for debugging purposes
[data]
  comment = data
  path = /data
  valid users = @demogrp
  browsable = yes
  writable = yes
  read only = no
  create mask = 0660
 
=Maintenance Commands=
==Delete Windows Connection==
This must be used whenever credentials or other share parameter has been changed==
*Show connections
net use
*Delete default connection
net use \\<Name or IP> /delete
*Or delete a shared specific connection
net use \\<Name or IP>\sharename /delete
==Samba Account==
*Create a new samba account with password
smbpasswd -a username
*Change a samba account password
smbpasswd username
*Delete a samba account
smbpasswd -x username
 
==Groups==
*Create group
addgroup groupname
*Delete group
delgroup groupname
*Change users primary group
usermod -g groupname username
*Add user to group
usermod -a -G groupname username
*Delete user from group
deluser username groupname
*List users in group
getent group demogrp
 
==Local User==
*Add with no home, no login
useradd username -M -G groupname -s /usr/sbin/nologin
 
*Show user ID, primary group and group membership
id <username>
 
==Samba==
*Stop/Start/Restart/Status
systemctl stop smbd
systemctl start smbd
systemctl restart smbd
systemctl status smbd
 
*Test configuration
testparm
*Status
smbstatus
 
 
=Links=
*https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html
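Review bot: in the general purpose section the account is created with "adduser demo2", but the next steps run "smbpasswd demo02" and "usermod -g demogrp demo02", so they act on a different name; use demo02 throughout. The "Add the user to the Samba TDB" step also needs "smbpasswd -a demo02", since the Samba Account list further down gives -a for creating an account and plain "smbpasswd username" for changing a password. In the foreign user section the text says obey pam restrictions is not used anymore but gives no reason; a sentence on why it is switched off for sssd/ldap users would help. If "write list = @smbgrp" or "create mask = 0777" are meant to remain in the [www] block, note that no smbgrp group is created anywhere in these steps and that 0777 leaves new files under /var/www world-writable. The sentence under "Delete Windows Connection" ends in a stray "==".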

Latest revision as of 12:35, 17 March 2021

A simple Samba (SMB) setup whose main purpose is to provide a file share for www developers on Windows machines.


Install Samba on Debian or Ubuntu

apt-get install samba samba-common 

Note: If firewalls or port filters are in use, make sure that TCP 445 is allowed to reach the Samba server

Configure Samba with a local user for www-data

Configure Samba with a local user that authenticates the client, and force the user www-data to be used at the share level

  • Add a new group
addgroup sambagrp
  • Create a user (demo01) with no home directory and no local login, used only to authenticate with Samba, and add the user to the new group
useradd demo01 -M -G sambagrp -s /usr/sbin/nologin
  • Add the new user (-a) to the Samba authentication database and create a new password
smbpasswd -a demo01


  • Create or edit /etc/samba/smb.conf
[global]
   workgroup = WORKGROUP
   server string = %h server (Linux)
   interfaces = eth0
   bind interfaces only = yes
   log file = /var/log/samba/log.%m
   panic action = /usr/share/samba/panic-action %d
   server role = standalone server
   obey pam restrictions = Yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = Yes
   map to guest = Bad User
   #log level = 4 #To be used for debugging purposes

[www]
   comment = www
   path = /var/www
   valid users = @sambagrp
   browsable = yes
   writable = yes
   read only = no
   force user = www-data


  • Restart Samba
systemctl restart smbd

The demo01 user is now ready to connect to the Samba server

Configure Samba with a foreign user for www-data


Configure a user that is authenticated by another method, such as sssd (LDAP authentication), as used with Active Directory

  • Add a new group, this time for LDAP users
addgroup ldapgrp
  • Add the LDAP user to the new group
usermod -a -G ldapgrp  <ldap user>
  • Add the new user (-a) to the Samba authentication database and create a new password. This is worth noting because, if the same password is used as for LDAP, the result is a kind of improved single sign-on: LDAP or Active Directory users will not get prompted for a password this way
smbpasswd -a <ldap user>
  • Create or edit /etc/samba/smb.conf, note that obey pam restrictions is no longer used in this sample
[global]
   workgroup = WORKGROUP
   server string = %h server (Linux)
   interfaces = eth0
   bind interfaces only = yes
   log file = /var/log/samba/log.%m
   panic action = /usr/share/samba/panic-action %d
   server role = standalone server
   #obey pam restrictions = Yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = Yes
   map to guest = Bad User
   #log level = 4 #To be used for debugging purposes

[www]
   comment = www
   path = /var/www
   valid users = @ldapgrp
   browsable = yes
   writable = yes
   read only = no
   force user = www-data


Configure Samba with a local user for general purpose

Configure Samba with a local user that can authenticate to both the Linux console and Samba

  • Add group
addgroup demogrp
  • Add user with password
adduser demo02
  • Add the user to the Samba TDB
smbpasswd -a demo02
  • Change the primary group
usermod -g demogrp demo02
  • Create a test directory for the samba share
mkdir /data
  • Assign user and group to the new directory
chown root /data
chgrp demogrp /data
chmod 770 /data
  • /etc/samba/smb.conf
[global]
  workgroup = WORKGROUP
  server string = %h server (Linux)
  interfaces = eth0
  bind interfaces only = yes
  log file = /var/log/samba/log.%m
  panic action = /usr/share/samba/panic-action %d
  server role = standalone server
  obey pam restrictions = Yes
  passwd program = /usr/bin/passwd %u
  passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
  pam password change = Yes
  map to guest = Bad User
  #log level = 4 #To be used for debugging purposes

[data]
  comment = data
  path = /data
  valid users = @demogrp
  browsable = yes
  writable = yes
  read only = no
  create mask = 0660
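
An added example, not part of the original wiki page: a shell function that reads an smb.conf and reports, per share, the access-control settings the three configurations above rely on (valid users, force user, create mask, guest ok). The names audit_shares and sample_conf are assumptions of this example, and the [scratch] share in the sample is constructed to show what a weak share looks like.

```shell
#!/usr/bin/env bash
# Added example, not from the wiki page: flag risky share settings in an smb.conf.
audit_shares() {   # usage: audit_shares FILE -> one "share: finding" line per issue
  awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function report(   m, rw) {
      if (share == "" || share == "global") return
      rw = (tolower(p["writable"]) == "yes" || tolower(p["read only"]) == "no")
      if (p["valid users"] == "")
        print share ": no valid users, every authenticated account may connect"
      else if (rw && p["force user"] != "")
        print share ": writes run as " p["force user"] ", gated only by " p["valid users"]
      if (tolower(p["guest ok"]) == "yes")
        print share ": guest ok = yes allows unauthenticated access"
      m = p["create mask"]
      if (m != "" && substr(m, length(m)) ~ /[2367]/)
        print share ": create mask " m " makes new files world-writable"
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }            # skip comments and blank lines
    /^[ \t]*\[/ {                                   # section header: report previous one
      report(); split("", p)
      share = tolower(trim($0)); gsub(/^\[|\].*$/, "", share); next
    }
    (i = index($0, "=")) { p[tolower(trim(substr($0, 1, i - 1)))] = trim(substr($0, i + 1)) }
    END { report() }
  ' "$1"
}

# Constructed sample: [www] and [data] mirror this page, [scratch] is a made-up weak share.
sample_conf() {
  printf '%s\n' '[global]' '   map to guest = Bad User' \
    '[www]' '   path = /var/www' '   valid users = @sambagrp' \
    '   writable = yes' '   read only = no' '   force user = www-data' \
    '[data]' '   path = /data' '   valid users = @demogrp' \
    '   writable = yes' '   create mask = 0660' \
    '[scratch]' '   path = /srv/scratch' '   writable = yes' \
    '   guest ok = yes' '   create mask = 0777'
}

conf=$(mktemp) && sample_conf > "$conf" && audit_shares "$conf"; rm -f "$conf"
```

On a real server, run audit_shares /etc/samba/smb.conf after testparm reports the file as valid; for every share that uses force user, review the members of the group named in valid users with getent group.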

Maintenance Commands

Delete Windows Connection

This must be done whenever credentials or other share parameters have been changed

  • Show connections
net use
  • Delete default connection
net use \\<Name or IP> /delete
  • Or delete a shared specific connection
net use \\<Name or IP>\sharename /delete

Samba Account

  • Create a new samba account with password
smbpasswd -a username
  • Change a samba account password
smbpasswd username
  • Delete a samba account
smbpasswd -x username

Groups

  • Create group
addgroup groupname
  • Delete group
delgroup groupname
  • Change a user's primary group
usermod -g groupname username
  • Add user to group
usermod -a -G groupname username
  • Delete user from group
deluser username groupname
  • List users in group
getent group demogrp

Local User

  • Add with no home, no login
useradd username -M -G groupname -s /usr/sbin/nologin
  • Show user ID, primary group and group membership
id <username>

Samba

  • Stop/Start/Restart/Status
systemctl stop smbd
systemctl start smbd
systemctl restart smbd
systemctl status smbd
  • Test configuration
testparm
  • Status
smbstatus


Links

  • https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html