Difference between revisions of "Samba server"
(Samba server installation and configuration) |
|||
(13 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
− | + | [[Category:Linux]] | |
− | + | ||
+ | (i) you can access configuration examples on my GitHub: https://github.com/guihome-diaz/IT/tree/master/install_scripts/assets/samba | ||
+ | |||
+ | =Installation= | ||
+ | |||
+ | ==Core packages== | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
apt-get install samba samba-common libkrb5-3 winbind smbclient | apt-get install samba samba-common libkrb5-3 winbind smbclient | ||
− | |||
apt-get install cifs-utils | apt-get install cifs-utils | ||
</syntaxhighlight> | </syntaxhighlight> | ||
Line 11: | Line 15: | ||
The CIFS protocol is also required as this is one of the default Windows Server share protocol. | The CIFS protocol is also required as this is one of the default Windows Server share protocol. | ||
− | + | ||
+ | ==Printer share== | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
apt-get install libcups2 cups cups-pdf | apt-get install libcups2 cups cups-pdf | ||
</syntaxhighlight> | </syntaxhighlight> | ||
− | |||
− | ====Edit configuration | + | |
+ | =User Interface= | ||
+ | |||
+ | <syntaxhighlight lang="bash"> | ||
+ | apt-get install system-config-samba | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | |||
+ | |||
+ | =Usage= | ||
+ | |||
+ | ==Edit configuration== | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
vim /etc/samba/smb.conf | vim /etc/samba/smb.conf | ||
</syntaxhighlight> | </syntaxhighlight> | ||
− | + | ||
+ | ==Service management== | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
/etc/init.d/samba restart | /etc/init.d/samba restart | ||
</syntaxhighlight> | </syntaxhighlight> | ||
− | + | ||
+ | ==Configuration check== | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
testparm -s | testparm -s | ||
Line 34: | Line 51: | ||
The file content should appears, without any alerts. | The file content should appears, without any alerts. | ||
− | + | ||
+ | =Basic share (no authentication)= | ||
The following configuration will make all shares available for a specific set of IP @ |or| the whole world. | The following configuration will make all shares available for a specific set of IP @ |or| the whole world. | ||
Line 41: | Line 59: | ||
</syntaxhighlight> | </syntaxhighlight> | ||
− | + | ||
− | + | ==Global configuration (guest allowed)== | |
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
Line 48: | Line 66: | ||
[global] | [global] | ||
### Browsing/Identification ### | ### Browsing/Identification ### | ||
− | workgroup = | + | workgroup = MYWORKGROUP |
# server name. Windows = netbios ; all the world = server string | # server name. Windows = netbios ; all the world = server string | ||
− | netbios name = | + | netbios name = MY_SERVER |
− | server string = | + | server string = MY_SERVER |
dns proxy = no | dns proxy = no | ||
wins support = no | wins support = no | ||
Line 71: | Line 89: | ||
# If guests are not allowed, they should be tagged as 'bad user' | # If guests are not allowed, they should be tagged as 'bad user' | ||
− | map to guest = | + | map to guest = vadmin |
# If guests are allowed, they should use the following account | # If guests are allowed, they should use the following account | ||
− | guest account = | + | # else put 'nobody' |
+ | guest account = myuser | ||
# Allow users who've been granted usershare privileges to create public shares | # Allow users who've been granted usershare privileges to create public shares | ||
− | usershare allow guests = | + | usershare allow guests = yes |
#### Networking #### | #### Networking #### | ||
Line 83: | Line 102: | ||
# comment it out to make your server “open-bar” ! | # comment it out to make your server “open-bar” ! | ||
# Each IP or IP_range/submask must be separated by a space | # Each IP or IP_range/submask must be separated by a space | ||
− | allow hosts = | + | allow hosts = 192.168.1.0/24 127.0.0.1 |
#### Debugging/Accounting #### | #### Debugging/Accounting #### | ||
Line 92: | Line 111: | ||
# Log level in dedicated Samba log file | # Log level in dedicated Samba log file | ||
log level = 3 | log level = 3 | ||
− | |||
− | |||
# Do something sensible when Samba crashes: mail the admin a backtrace | # Do something sensible when Samba crashes: mail the admin a backtrace | ||
panic action = /usr/share/samba/panic-action %d | panic action = /usr/share/samba/panic-action %d | ||
Line 103: | Line 120: | ||
preserve case = yes | preserve case = yes | ||
short preserve case = no | short preserve case = no | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | ==Share definition (public)== | ||
+ | |||
+ | This will set a new share, with full rights. | ||
+ | |||
+ | <syntaxhighlight lang="bash"> | ||
#======================= Share Definitions ======================= | #======================= Share Definitions ======================= | ||
[webserver] | [webserver] | ||
Line 120: | Line 144: | ||
guest ok = yes | guest ok = yes | ||
public = yes | public = yes | ||
+ | # Treat all users as guest? | ||
+ | only guest = yes | ||
# Files permissions | # Files permissions | ||
## new file / directories permissions | ## new file / directories permissions | ||
− | create mask = | + | ## Use "2" to inherit permissions of the top directory |
− | directory mask = | + | create mask = 2777 |
+ | directory mask = 2777 | ||
+ | |||
+ | # Do NOT follow symlinks for security reasons | ||
+ | follow symlinks = no | ||
+ | |||
+ | # Allow user to remove read-only files | ||
+ | delete readonly = no | ||
+ | |||
+ | # Every new file must be part of a specific group "users" to avoid conflicts | ||
+ | force user = www-data | ||
+ | force group = www-data | ||
+ | |||
+ | # Do not be case sensitive to avoid Windows <> Linux conflicts | ||
+ | case sensitive = no | ||
+ | |||
+ | # hide Linux hidden files | ||
+ | hide dot files = yes | ||
+ | |||
+ | # specifics files / folder to hide | ||
+ | #veto files = /.* | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | You have to duplicate the [webserver] section for each share. | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | =Restricted share= | ||
+ | |||
+ | This is just an effective summary of https://wiki.samba.org/index.php/Standalone_server | ||
+ | |||
+ | |||
+ | ==Create samba users== | ||
+ | |||
+ | First of all you must create Linux users + grant them the samba access. | ||
+ | |||
+ | <syntaxhighlight lang="bash"> | ||
+ | ## Create a new system user 'smbUser' and add it to the list of SAMBA users | ||
+ | |||
+ | # 1. New system user | ||
+ | useradd -c "Samba user" -s /sbin/nologin -m smbUser | ||
+ | passwd smbUser | ||
+ | # 2. Add system user to 'users' | ||
+ | useradd -G users smbUser | ||
+ | # 3. Add account to SAMBA | ||
+ | smbpasswd -a smbUser | ||
+ | # 4. Grant SAMBA access to account | ||
+ | smbpasswd -e smbUser | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | |||
+ | ==Share rights== | ||
+ | |||
+ | Before setting up the configuration, ensure all your share have the 711 root permissions. | ||
+ | |||
+ | <syntaxhighlight lang="bash"> | ||
+ | ## if you plan to share "/mnt/shareDrive/" content | ||
+ | chmod 711 /mnt/shareDrive | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | |||
+ | |||
+ | ==Global configuration (guest forbidden)== | ||
+ | |||
+ | The configuration is almost the same. Adjust the following parameters: | ||
+ | * <code>map to guest = bad user</code> | ||
+ | * <code>guest account = nobody</code> | ||
+ | * <code>usershare allow guests = yes</code> | ||
− | |||
− | |||
− | |||
− | ## Do | + | <syntaxhighlight lang="bash"> |
− | + | #======================= Global Settings ======================= | |
− | + | [global] | |
+ | ### Browsing/Identification ### | ||
+ | workgroup = MYWORKGROUP | ||
+ | # server name. Windows = netbios ; all the world = server string | ||
+ | netbios name = MY_SERVER | ||
+ | server string = MY_SERVER | ||
+ | dns proxy = no | ||
+ | wins support = no | ||
+ | |||
+ | ### Security ### | ||
+ | # Password level | ||
+ | encrypt passwords = true | ||
+ | # Sync password with current computer | ||
+ | passdb backend = tdbsam | ||
+ | obey pam restrictions = yes | ||
+ | unix password sync = yes | ||
+ | # For Unix password sync to work on a Debian GNU/Linux system | ||
+ | passwd program = /usr/bin/passwd %u | ||
+ | passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . | ||
+ | # allow samba user to change his password | ||
+ | pam password change = yes | ||
+ | # Paranoid check. To forbidden some logins | ||
+ | #invalid users = vadmin | ||
+ | |||
+ | # If guests are not allowed, they should be tagged as 'bad user' | ||
+ | map to guest = bad user | ||
+ | |||
+ | # If guests are allowed, they should use the following account | ||
+ | # else put 'nobody' | ||
+ | guest account = nobody | ||
+ | |||
+ | # Allow users who've been granted usershare privileges to create public shares | ||
+ | usershare allow guests = no | ||
+ | |||
+ | #### Networking #### | ||
+ | # allow local network and localhost only | ||
+ | # comment it out to make your server “open-bar” ! | ||
+ | # Each IP or IP_range/submask must be separated by a space | ||
+ | allow hosts = 192.168.1.0/24 127.0.0.1 | ||
+ | |||
+ | #### Debugging/Accounting #### | ||
+ | # This tells Samba to use a separate log file for each machine that connects | ||
+ | log file = /var/log/samba/log.%m | ||
+ | # Cap the size of the individual log files (in KiB). | ||
+ | max log size = 1000 | ||
+ | # Log level in dedicated Samba log file | ||
+ | log level = 3 | ||
+ | # log level in common Syslog (O.S log) | ||
+ | syslog = 3 | ||
+ | # Do something sensible when Samba crashes: mail the admin a backtrace | ||
+ | panic action = /usr/share/samba/panic-action %d | ||
+ | |||
+ | ############ Misc ############ | ||
+ | # improve TCP connection | ||
+ | # socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 | ||
+ | # Improve file name management | ||
+ | preserve case = yes | ||
+ | short preserve case = no | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | |||
+ | ==Share definition (private)== | ||
+ | |||
+ | This will set a new share, with full rights. Compare to a public share, please note the following values: | ||
+ | * <code>guest ok = no</code> | ||
+ | * <code>public = no</code> | ||
+ | * <code>only guest = no</code> | ||
+ | * <code>force user = linuxUser</code> | ||
+ | * <code>force group = users</code> | ||
+ | * <code>valid users = smbuser</code> | ||
+ | |||
+ | |||
+ | (i) The user can be different of the Samba share account. This is just to ensure the file will be created with the correct properties. | ||
+ | |||
+ | |||
+ | <syntaxhighlight lang="bash"> | ||
+ | #======================= Share Definitions ======================= | ||
+ | [share-drive] | ||
+ | comment = SHARE-DRIVE | ||
+ | path = /mnt/shareDrive | ||
+ | |||
+ | # Active share | ||
+ | available = yes | ||
+ | |||
+ | # Folder rights | ||
+ | browseable = yes | ||
+ | read only = no | ||
+ | writeable = yes | ||
+ | |||
+ | # Allow guests ? | ||
+ | guest ok = no | ||
+ | public = no | ||
+ | # Treat all users as guest? | ||
+ | only guest = no | ||
+ | |||
+ | # Only allow specific users? Put the list separated by a space or a comma | ||
+ | #valid users = smbuser | ||
+ | |||
+ | # Files permissions | ||
+ | ## new file / directories permissions | ||
+ | ## Use "2" to inherit permissions of the top directory | ||
+ | create mask = 2777 | ||
+ | directory mask = 2777 | ||
# Do NOT follow symlinks for security reasons | # Do NOT follow symlinks for security reasons | ||
Line 138: | Line 331: | ||
# Allow user to remove read-only files | # Allow user to remove read-only files | ||
− | delete readonly = | + | delete readonly = no |
# Every new file must be part of a specific group "users" to avoid conflicts | # Every new file must be part of a specific group "users" to avoid conflicts | ||
− | force group = | + | force user = linuxUser |
+ | force group = users | ||
# Do not be case sensitive to avoid Windows <> Linux conflicts | # Do not be case sensitive to avoid Windows <> Linux conflicts | ||
Line 153: | Line 347: | ||
</syntaxhighlight> | </syntaxhighlight> | ||
− | |||
− | |||
− | + | ||
+ | |||
+ | =View / connect to samba share= | ||
+ | |||
+ | ==List server shares== | ||
+ | |||
+ | Public shares: | ||
+ | <syntaxhighlight lang="bash"> | ||
+ | smbclient -L //server | ||
+ | smbclient -L //172.16.100.34 | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | USER shares (= private + public): | ||
+ | <syntaxhighlight lang="bash"> | ||
+ | smbclient -U smbUser -L //server | ||
+ | smbclient -U smbUser -L //172.16.100.34 | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | |||
+ | ==Access share== | ||
+ | |||
+ | <syntaxhighlight lang="bash"> | ||
+ | smbclient -U smbUser //server/shareFolder | ||
+ | smbclient -U smbUser //172.16.100.34/DIVERS | ||
+ | </syntaxhighlight> |
Latest revision as of 13:25, 24 April 2016
(i) you can access configuration examples on my GitHub: https://github.com/guihome-diaz/IT/tree/master/install_scripts/assets/samba
Contents
Installation
Core packages
apt-get install samba samba-common libkrb5-3 winbind smbclient
apt-get install cifs-utils
Samba protocol is built upon Windows File Share. All windows versions since XP implements it, including Windows Server. Latest version implements higher specifications and security.
The CIFS protocol is also required as this is one of the default Windows Server share protocol.
apt-get install libcups2 cups cups-pdf
User Interface
apt-get install system-config-samba
Usage
Edit configuration
vim /etc/samba/smb.conf
Service management
/etc/init.d/samba restart
Configuration check
testparm -s
The file content should appears, without any alerts.
The following configuration will make all shares available for a specific set of IP @ |or| the whole world.
vim /etc/samba/smb.conf
Global configuration (guest allowed)
#======================= Global Settings =======================
[global]
### Browsing/Identification ###
workgroup = MYWORKGROUP
# server name. Windows = netbios ; all the world = server string
netbios name = MY_SERVER
server string = MY_SERVER
dns proxy = no
wins support = no
### Security ###
# Password level
encrypt passwords = true
# Sync password with current computer
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
# For Unix password sync to work on a Debian GNU/Linux system
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
# allow samba user to change his password
pam password change = yes
# Paranoid check. To forbidden some logins
#invalid users = vadmin
# If guests are not allowed, they should be tagged as 'bad user'
map to guest = vadmin
# If guests are allowed, they should use the following account
# else put 'nobody'
guest account = myuser
# Allow users who've been granted usershare privileges to create public shares
usershare allow guests = yes
#### Networking ####
# allow local network and localhost only
# comment it out to make your server “open-bar” !
# Each IP or IP_range/submask must be separated by a space
allow hosts = 192.168.1.0/24 127.0.0.1
#### Debugging/Accounting ####
# This tells Samba to use a separate log file for each machine that connects
log file = /var/log/samba/log.%m
# Cap the size of the individual log files (in KiB).
max log size = 1000
# Log level in dedicated Samba log file
log level = 3
# Do something sensible when Samba crashes: mail the admin a backtrace
panic action = /usr/share/samba/panic-action %d
############ Misc ############
# improve TCP connection
# socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
# Improve file name management
preserve case = yes
short preserve case = no
This will set a new share, with full rights.
#======================= Share Definitions =======================
[webserver]
comment = WEB-SERVER
path = /var/www
# Active share
available = yes
# Folder rights
browseable = yes
read only = no
writeable = yes
# Allow guests ?
guest ok = yes
public = yes
# Treat all users as guest?
only guest = yes
# Files permissions
## new file / directories permissions
## Use "2" to inherit permissions of the top directory
create mask = 2777
directory mask = 2777
# Do NOT follow symlinks for security reasons
follow symlinks = no
# Allow user to remove read-only files
delete readonly = no
# Every new file must be part of a specific group "users" to avoid conflicts
force user = www-data
force group = www-data
# Do not be case sensitive to avoid Windows <> Linux conflicts
case sensitive = no
# hide Linux hidden files
hide dot files = yes
# specifics files / folder to hide
#veto files = /.*
You have to duplicate the [webserver] section for each share.
This is just an effective summary of https://wiki.samba.org/index.php/Standalone_server
Create samba users
First of all you must create Linux users + grant them the samba access.
## Create a new system user 'smbUser' and add it to the list of SAMBA users
# 1. New system user
useradd -c "Samba user" -s /sbin/nologin -m smbUser
passwd smbUser
# 2. Add system user to 'users'
useradd -G users smbUser
# 3. Add account to SAMBA
smbpasswd -a smbUser
# 4. Grant SAMBA access to account
smbpasswd -e smbUser
Before setting up the configuration, ensure all your share have the 711 root permissions.
## if you plan to share "/mnt/shareDrive/" content
chmod 711 /mnt/shareDrive
Global configuration (guest forbidden)
The configuration is almost the same. Adjust the following parameters:
map to guest = bad user
guest account = nobody
usershare allow guests = yes
#======================= Global Settings =======================
[global]
### Browsing/Identification ###
workgroup = MYWORKGROUP
# server name. Windows = netbios ; all the world = server string
netbios name = MY_SERVER
server string = MY_SERVER
dns proxy = no
wins support = no
### Security ###
# Password level
encrypt passwords = true
# Sync password with current computer
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
# For Unix password sync to work on a Debian GNU/Linux system
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
# allow samba user to change his password
pam password change = yes
# Paranoid check. To forbidden some logins
#invalid users = vadmin
# If guests are not allowed, they should be tagged as 'bad user'
map to guest = bad user
# If guests are allowed, they should use the following account
# else put 'nobody'
guest account = nobody
# Allow users who've been granted usershare privileges to create public shares
usershare allow guests = no
#### Networking ####
# allow local network and localhost only
# comment it out to make your server “open-bar” !
# Each IP or IP_range/submask must be separated by a space
allow hosts = 192.168.1.0/24 127.0.0.1
#### Debugging/Accounting ####
# This tells Samba to use a separate log file for each machine that connects
log file = /var/log/samba/log.%m
# Cap the size of the individual log files (in KiB).
max log size = 1000
# Log level in dedicated Samba log file
log level = 3
# log level in common Syslog (O.S log)
syslog = 3
# Do something sensible when Samba crashes: mail the admin a backtrace
panic action = /usr/share/samba/panic-action %d
############ Misc ############
# improve TCP connection
# socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
# Improve file name management
preserve case = yes
short preserve case = no
This will set a new share, with full rights. Compare to a public share, please note the following values:
guest ok = no
public = no
only guest = no
force user = linuxUser
force group = users
valid users = smbuser
(i) The user can be different of the Samba share account. This is just to ensure the file will be created with the correct properties.
#======================= Share Definitions =======================
[share-drive]
comment = SHARE-DRIVE
path = /mnt/shareDrive
# Active share
available = yes
# Folder rights
browseable = yes
read only = no
writeable = yes
# Allow guests ?
guest ok = no
public = no
# Treat all users as guest?
only guest = no
# Only allow specific users? Put the list separated by a space or a comma
#valid users = smbuser
# Files permissions
## new file / directories permissions
## Use "2" to inherit permissions of the top directory
create mask = 2777
directory mask = 2777
# Do NOT follow symlinks for security reasons
follow symlinks = no
# Allow user to remove read-only files
delete readonly = no
# Every new file must be part of a specific group "users" to avoid conflicts
force user = linuxUser
force group = users
# Do not be case sensitive to avoid Windows <> Linux conflicts
case sensitive = no
# hide Linux hidden files
hide dot files = yes
# specifics files / folder to hide
#veto files = /.*
Public shares:
smbclient -L //server
smbclient -L //172.16.100.34
USER shares (= private + public):
smbclient -U smbUser -L //server
smbclient -U smbUser -L //172.16.100.34
smbclient -U smbUser //server/shareFolder
smbclient -U smbUser //172.16.100.34/DIVERS