Simple Samba Setup
Simple Samba (SMB) setup, with the main focus on providing a file share for www developers on Windows machines.
Install Samba on Debian or Ubuntu
apt-get install samba samba-common
Note: If firewalls or port filters are in use, make sure that TCP 445 is allowed to reach the Samba server.
Configure Samba with a local user for www-data
Configure Samba with a local user for authentication, and force the user www-data at the share level.
- Add a new group
addgroup sambagrp
- Create a user (demo01) with no home directory and no local login, used only to authenticate with Samba, and add the user to the new group
useradd demo01 -M -G sambagrp -s /usr/sbin/nologin
- Add the new user (-a) to the Samba authentication and create a new password
smbpasswd -a demo01
- Create or edit /etc/samba/smb.conf
[global]
   workgroup = WORKGROUP
   server string = %h server (Linux)
   interfaces = eth0
   bind interfaces only = yes
   log file = /var/log/samba/log.%m
   panic action = /usr/share/samba/panic-action %d
   server role = standalone server
   obey pam restrictions = Yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = Yes
   map to guest = Bad User
   #log level = 4
   #To be used for debugging purposes

[www]
   comment = www
   path = /var/www
   valid users = @sambagrp
   browsable = yes
   writable = yes
   read only = no
   force user = www-data
- Restart Samba
systemctl restart smbd
The demo01 user is now ready to connect to the Samba server.
Configure Samba with a foreign user for www-data
Configure a new user that is authenticated by another method, such as sssd (LDAP authentication), for example against Active Directory.
- Add a new group, this time for LDAP users
addgroup ldapgrp
- Add the LDAP user to the new group
usermod -a -G ldapgrp <ldap user>
- Add the new user (-a) to the Samba authentication and create a new password. This can be interesting: if the same password is used as for LDAP, the result is a kind of improved single sign-on, because LDAP or Active Directory users will not be prompted for a password this way
smbpasswd -a <ldap user>
- Create or edit /etc/samba/smb.conf, note that obey pam restrictions is not used anymore in this sample
[global]
   workgroup = WORKGROUP
   server string = %h server (Linux)
   interfaces = eth0
   bind interfaces only = yes
   log file = /var/log/samba/log.%m
   panic action = /usr/share/samba/panic-action %d
   server role = standalone server
   #obey pam restrictions = Yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = Yes
   map to guest = Bad User
   #log level = 4
   #To be used for debugging purposes

[www]
   comment = www
   path = /var/www
   valid users = @ldapgrp
   browsable = yes
   writable = yes
   read only = no
   force user = www-data
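Both smb.conf samples above set force user = www-data, so valid users is the only setting that decides who may write to /var/www as that account. The following added example (not part of the original page; the function names, the finding labels and the [scratch] share are constructed for illustration) flags shares that force a user without restricting valid users, or that allow guest access.

```shell
# Added example, not from the original page: flag "force user" shares whose
# access gate (valid users / guest ok) is missing or open.
audit_smb_conf() {    # usage: audit_smb_conf /etc/samba/smb.conf (or pipe on stdin)
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function enabled(v) { v = tolower(v); return (v == "yes" || v == "true" || v == "1") }
    function report(   u) {
        if (share == "" || share == "global" || !("force user" in p)) return
        u = p["force user"]
        if (!("valid users" in p))
            print share ": NO_VALID_USERS any Samba account acts as " u
        if (enabled(p["guest ok"]))
            print share ": GUEST_OK guest sessions act as " u ", map to guest = " m2g
    }
    BEGIN { m2g = "Never" }                      # Samba default when unset
    { line = trim($0) }
    line == "" || line ~ /^[#;]/ { next }        # blank lines and comments
    line ~ /^\[.*\]$/ {                          # section header: new share
        report(); split("", p)
        share = tolower(trim(substr(line, 2, length(line) - 2))); next
    }
    {
        eq = index(line, "="); if (eq == 0) next
        key = tolower(trim(substr(line, 1, eq - 1))); gsub(/[ \t]+/, " ", key)
        if (key == "public") key = "guest ok"    # smb.conf synonym
        p[key] = trim(substr(line, eq + 1))
        if (share == "global" && key == "map to guest") m2g = p[key]
    }
    END { report() }
    ' "$@"
}

# Constructed sample: the [www] share from this page plus a hypothetical
# [scratch] share that forces www-data but has no valid users and allows guests.
sample_smb_conf() {
    cat <<'EOF'
[global]
   map to guest = Bad User
[www]
   path = /var/www
   valid users = @sambagrp
   force user = www-data
[scratch]
   path = /var/www/tmp
   guest ok = yes
   force user = www-data
EOF
}
sample_smb_conf | audit_smb_conf
```

An empty result means every share that forces a user also restricts valid users and has guest access off; run testparm as well to confirm the file parses.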
Maintenance Commands
Delete Windows Connection
This must be used whenever credentials or other share parameters have been changed.
- Show connections
net use
- Delete default connection
net use \\<Name or IP> /delete
- Or delete a share-specific connection
net use \\<Name or IP>\sharename /delete
Samba Account
- Create a new samba account with password
smbpasswd -a username
- Change a samba account password
smbpasswd username
- Delete a samba account
smbpasswd -x username
Groups
- Create
addgroup groupname
- Delete a user from a group
deluser username groupname
- Change a user's primary group
usermod -g groupname username
- Add user to group
usermod -a -G groupname username
Local User
- Add with no home, no login
useradd username -M -G groupname -s /usr/sbin/nologin
- Show user ID, primary group and group membership
id <username>
Samba
- Stop/Start/Restart/Status
systemctl stop smbd
systemctl start smbd
systemctl restart smbd
systemctl status smbd
- Test configuration
testparm
- Status
smbstatus