Simple Samba Setup: Difference between revisions
		
		
		
		
| No edit summary |  (→Groups) | ||
| (45 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
| Simple Samba (SMB) Setup with the focus of having a file share method for www developers on  | Simple Samba (SMB) Setup with the main focus being of of having a file share method for www developers on windows machines. | ||
| Install Samba on Debian or Ubuntu | =Install Samba on Debian or Ubuntu= | ||
|   apt-get install samba samba-common  |   apt-get install samba samba-common   | ||
| <span style="color:red;">'''Note:'''</span> If firewalls or port filters are in use then please make sure that <span style="color:red;">'''Tcp 445'''</span> is allowed to talk to the Samba Server | |||
| Configure Samba with a local user to authenticate and  | =Configure Samba with a local user for www-data= | ||
| Configure Samba with a local user to authenticate and enforce the user www-data to be used on the share level | |||
| *Add a new group | *Add a new group | ||
|   addgroup sambagrp |   addgroup sambagrp | ||
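Review bot: the rewritten intro line in the right-hand column reads "with the main focus being of of having a file share method", with a doubled "of"; suggest "with the main focus of providing a file share for www developers on Windows machines". The new firewall note in the same hunk writes "Tcp 445"; "TCP 445" is the usual spelling.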
| Line 14: | Line 15: | ||
|   useradd demo01 -M -G sambagrp -s /usr/sbin/nologin   |   useradd demo01 -M -G sambagrp -s /usr/sbin/nologin   | ||
| *Add a the new user (-a) to the Samba authentication and create a new password | |||
|  smbpasswd -a demo01 | |||
| *Create or edit /etc/samba/smb.conf | |||
|   [global] |   [global] | ||
|      workgroup = WORKGROUP |      workgroup = WORKGROUP | ||
| Line 27: | Line 33: | ||
|      pam password change = Yes |      pam password change = Yes | ||
|      map to guest = Bad User |      map to guest = Bad User | ||
|      log level = 4 |      #log level = 4 #To be used for debugging purposes | ||
|   [www] |   [www] | ||
| Line 37: | Line 43: | ||
|      read only = no |      read only = no | ||
|      force user = www-data |      force user = www-data | ||
| *Restart Samba | |||
|  systemctl restart smbd | |||
| Ready to use the demo01 user to connect to the Samba Server | |||
| =Configure Samba with a foreign user for www-data= | |||
| <br>Configure a new user which gets authenticated with other methods such as 'sssd (ldap authentication)' like with '''ActiveDirectory'''<br><br> | |||
| *Add a new group, this time we use a ldap group | |||
|  addgroup ldapgrp | |||
| *Add the Ldap user to the new group | |||
|  usermod -a -G ldapgrp  <ldap user> | |||
| *Add a the new user (-a) to the Samba authentication and create a new password. This can become interesting because if the same password is used for ldap then the result will be some kind of a improved single sign on, ldap or active directory users will not get prompted for a password this way | |||
|  smbpasswd -a <ldap user> | |||
| *Create or edit /etc/samba/smb.conf, note that '''obey pam restrictions''' is not used anymore in this sample | |||
|  [global] | |||
|     workgroup = WORKGROUP | |||
|     server string = %h server (Linux) | |||
|     interfaces = eth0 | |||
|     bind interfaces only = yes | |||
|     log file = /var/log/samba/log.%m | |||
|     panic action = /usr/share/samba/panic-action %d | |||
|     server role = standalone server | |||
|     '''<s>#obey pam restrictions = Yes</s>''' | |||
|     passwd program = /usr/bin/passwd %u | |||
|     passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . | |||
|     pam password change = Yes | |||
|     map to guest = Bad User | |||
|     #log level = 4 #To be used for debugging purposes | |||
|  [www] | |||
|     comment = www | |||
|     path = /var/www | |||
|     valid users = @ldapgrp | |||
|     browsable = yes | |||
|     writable = yes | |||
|     read only = no | |||
|     force user = www-data | |||
| =Configure Samba with a local user for general purpose= | |||
| Configure Samba with a local user to authenticate both, to the Linux console and Samba | |||
| *Add group | |||
|  addgroup demogrp | |||
| *Add user with password | |||
|  adduser demo2 | |||
| *Add the user to the Samba TDB | |||
|  smbpasswd demo02 | |||
| *Change the primary group | |||
|  usermod -g demogrp demo02 | |||
| *Create a test directory for the samba share | |||
|  mkdir /data | |||
| *Assign user and group to the new directory | |||
|  chown root /data | |||
|  chgrp demogrp /data | |||
|  chmod 770 /data | |||
| */etc/samba/smb.conf | |||
|  [global] | |||
|    workgroup = WORKGROUP | |||
|    server string = %h server (Linux) | |||
|    interfaces = eth0 | |||
|    bind interfaces only = yes | |||
|    log file = /var/log/samba/log.%m | |||
|    panic action = /usr/share/samba/panic-action %d | |||
|    server role = standalone server | |||
|    obey pam restrictions = Yes | |||
|    passwd program = /usr/bin/passwd %u | |||
|    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . | |||
|    pam password change = Yes | |||
|    map to guest = Bad User | |||
|    #log level = 4 #To be used for debugging purposes | |||
|  [data] | |||
|    comment = data | |||
|    path = /data | |||
|    valid users = @demogrp | |||
|    browsable = yes | |||
|    writable = yes | |||
|    read only = no | |||
|    create mask = 0660 | |||
| =Maintenance Commands= | |||
| ==Delete Windows Connection== | |||
| This must be used whenever credentials or other share parameter has been changed== | |||
| *Show connections | |||
|  net use | |||
| *Delete default connection | |||
|  net use \\<Name or IP> /delete | |||
| *Or delete a shared specific connection | |||
|  net use \\<Name or IP>\sharename /delete | |||
| ==Samba Account== | |||
| *Create a new samba account with password | |||
|  smbpasswd -a username | |||
| *Change a samba account password | |||
|  smbpasswd username | |||
| *Delete a samba account | |||
|  smbpasswd -x username | |||
| ==Groups== | |||
| *Create group | |||
|  addgroup groupname | |||
| *Delete group | |||
|  delgroup groupname | |||
| *Change users primary group | |||
|  usermod -g groupname username | |||
| *Add user to group | |||
|  usermod -a -G groupname username | |||
| *Delete user from group | |||
|  deluser username groupname | |||
| *List users in group | |||
|  getent group demogrp | |||
| ==Local User== | |||
| *Add with no home, no login | |||
|  useradd username -M -G groupname -s /usr/sbin/nologin | |||
| *Show user ID, primary group and group membership | |||
|  id <username> | |||
| ==Samba== | |||
| *Stop/Start/Restart/Status | |||
|  systemctl stop smbd | |||
|  systemctl start smbd | |||
|  systemctl restart smbd | |||
|  systemctl status smbd | |||
| *Test configuration | |||
|  testparm | |||
| *Status | |||
|  smbstatus | |||
| =Links= | |||
| *https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html | |||
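Review bot: in the added "Configure Samba with a local user for general purpose" section the account is created with `adduser demo2`, but every later step uses `demo02`, and the "Add the user to the Samba TDB" step runs `smbpasswd demo02` without `-a`, which the Maintenance section added in this same hunk lists as the change-password form (`smbpasswd -a username` is the create form). Suggest `adduser demo02` and `smbpasswd -a demo02`. The sentence under "Delete Windows Connection" ends in a stray `==`, and the foreign-user section strikes out `obey pam restrictions` without giving the reason; one line explaining why would help readers decide whether it applies to their setup.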
Latest revision as of 12:35, 17 March 2021
Simple Samba (SMB) setup with the main focus of providing a file share for www developers on Windows machines.
Install Samba on Debian or Ubuntu
apt-get install samba samba-common
Note: If firewalls or port filters are in use, make sure that TCP 445 is allowed to reach the Samba server
Configure Samba with a local user for www-data
Configure Samba with a local user for authentication and force the user www-data at the share level
- Add a new group
addgroup sambagrp
- Create a user (demo01), no home directory and no local login, just to authenticate with Samba, add the user to the new group
useradd demo01 -M -G sambagrp -s /usr/sbin/nologin
- Add the new user (-a) to the Samba authentication and create a new password
smbpasswd -a demo01
- Create or edit /etc/samba/smb.conf
[global]
   workgroup = WORKGROUP
   server string = %h server (Linux)
   interfaces = eth0
   bind interfaces only = yes
   log file = /var/log/samba/log.%m
   panic action = /usr/share/samba/panic-action %d
   server role = standalone server
   obey pam restrictions = Yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = Yes
   map to guest = Bad User
   #log level = 4 #To be used for debugging purposes
[www]
   comment = www
   path = /var/www
   valid users = @sambagrp
   browsable = yes
   writable = yes
   read only = no
   force user = www-data
- Restart Samba
systemctl restart smbd
The demo01 user is now ready to connect to the Samba server
Configure Samba with a foreign user for www-data
Configure a new user who is authenticated by another method, such as sssd (LDAP authentication), for example against Active Directory
- Add a new group, this time for the LDAP users
addgroup ldapgrp
- Add the LDAP user to the new group
usermod -a -G ldapgrp <ldap user>
- Add the new user (-a) to the Samba authentication and create a new password. This can become interesting: if the same password is used as for LDAP, the result is a kind of improved single sign-on, and LDAP or Active Directory users will not be prompted for a password
smbpasswd -a <ldap user>
- Create or edit /etc/samba/smb.conf, note that obey pam restrictions is not used anymore in this sample
[global]
   workgroup = WORKGROUP
   server string = %h server (Linux)
   interfaces = eth0
   bind interfaces only = yes
   log file = /var/log/samba/log.%m
   panic action = /usr/share/samba/panic-action %d
   server role = standalone server
   #obey pam restrictions = Yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = Yes
   map to guest = Bad User
   #log level = 4 #To be used for debugging purposes
[www]
   comment = www
   path = /var/www
   valid users = @ldapgrp
   browsable = yes
   writable = yes
   read only = no
   force user = www-data
Configure Samba with a local user for general purpose
Configure Samba with a local user who authenticates both to the Linux console and to Samba
- Add group
addgroup demogrp
- Add user with password
adduser demo02
- Add the user to the Samba TDB
smbpasswd -a demo02
- Change the primary group
usermod -g demogrp demo02
- Create a test directory for the samba share
mkdir /data
- Assign user and group to the new directory
chown root /data
chgrp demogrp /data
chmod 770 /data
- /etc/samba/smb.conf
[global]
   workgroup = WORKGROUP
   server string = %h server (Linux)
   interfaces = eth0
   bind interfaces only = yes
   log file = /var/log/samba/log.%m
   panic action = /usr/share/samba/panic-action %d
   server role = standalone server
   obey pam restrictions = Yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = Yes
   map to guest = Bad User
   #log level = 4 #To be used for debugging purposes
[data]
   comment = data
   path = /data
   valid users = @demogrp
   browsable = yes
   writable = yes
   read only = no
   create mask = 0660
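The three configurations above rely on `valid users` to limit who may connect and, for the www share, on `force user` to decide which account owns the files. The following is an added example, not part of the original page: a small audit that lists those settings per share and marks a share OPEN when guests are allowed or no `valid users` restriction is set. The function names and the `[scratch]` share are hypothetical, and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example: summarise access control per share in an smb.conf-style file.
# Only per-share settings are read; defaults set in [global] are not inherited.
audit_shares() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function report() {
        if (share == "" || share == "global") return
        # OPEN: guests allowed, or any authenticated account may connect
        verdict = (guest == "yes" || users == "") ? "OPEN" : "OK"
        printf "%s valid_users=%s force_user=%s guest=%s %s\n", share,
            (users == "" ? "-" : users), (fuser == "" ? "-" : fuser), guest, verdict
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }     # skip comments and blank lines
    /^[ \t]*\[/ {                             # section header starts a new share
        report()
        share = $0; sub(/^[ \t]*\[/, "", share); sub(/\].*$/, "", share)
        share = tolower(trim(share)); users = ""; fuser = ""; guest = "no"
        next
    }
    {
        eq = index($0, "=")
        if (eq == 0) next
        key = tolower(trim(substr($0, 1, eq - 1)))
        val = trim(substr($0, eq + 1))
        if (key == "valid users") users = val
        else if (key == "force user") fuser = val
        else if (key == "guest ok" || key == "public")
            guest = (tolower(val) ~ /^(yes|true|1)$/) ? "yes" : "no"
    }
    END { report() }
    ' "$@"
}

# Constructed sample: the [www] share from this page plus a hypothetical
# guest-enabled [scratch] share for contrast.
sample_conf() {
cat <<'EOF'
[global]
   map to guest = Bad User
[www]
   path = /var/www
   valid users = @sambagrp
   force user = www-data
[scratch]
   path = /srv/scratch
   guest ok = yes
EOF
}
sample_conf | audit_shares
```

On a real server, run `audit_shares /etc/samba/smb.conf`. A share that reports a `force_user` writes every file as that account, so the filesystem no longer shows which authenticated user made a change.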
Maintenance Commands
Delete Windows Connection
This must be used whenever credentials or other share parameters have been changed
- Show connections
net use
- Delete default connection
net use \\<Name or IP> /delete
- Or delete a share-specific connection
net use \\<Name or IP>\sharename /delete
Samba Account
- Create a new samba account with password
smbpasswd -a username
- Change a samba account password
smbpasswd username
- Delete a samba account
smbpasswd -x username
Groups
- Create group
addgroup groupname
- Delete group
delgroup groupname
- Change a user's primary group
usermod -g groupname username
- Add user to group
usermod -a -G groupname username
- Delete user from group
deluser username groupname
- List users in group
getent group demogrp
Local User
- Add with no home, no login
useradd username -M -G groupname -s /usr/sbin/nologin
- Show user ID, primary group and group membership
id <username>
Samba
- Stop/Start/Restart/Status
systemctl stop smbd
systemctl start smbd
systemctl restart smbd
systemctl status smbd
- Test configuration
testparm
- Status
smbstatus