Setting up Samba as a Standalone Server: Difference between revisions
Mmuehlfeld (talk | contribs) m (Fix typo) |
m (/* split example smb.conf into two separate examples) |
||
(15 intermediate revisions by 3 users not shown) | |||
Line 1: | Line 1: | ||
= Introduction = |
= Introduction = |
||
In |
In small networks, such as a home network, or to share folders on a host that is not part of a domain, you often do not want to set up an [[Active_Directory_Domain_Controller|Active Directory]] or [[NT4_Domains|NT4 domain]]. |
||
The following documentation describes how to set up a Samba standalone server providing: |
|||
'''See the [[Server_information_used_in_documentation|server information used in documentation]] page for the paths, hostnames, etc used.''' |
|||
* a share that is accessible anonymously (guest access). |
|||
* a share that requires authentication against a local user database on the Samba host. |
|||
Line 9: | Line 11: | ||
= |
= Creating a Basic guest only smb.conf File = |
||
The following |
The following is a minimal configuration for a Samba standalone server that only allows guest access: |
||
[global] |
[global] |
||
workgroup = WORKGROUP |
|||
netbios name = SA |
|||
map to guest = Bad User |
map to guest = Bad User |
||
log file = /var/log/samba/%m |
log file = /var/log/samba/%m |
||
log level = 1 |
log level = 1 |
||
[guest] |
[guest] |
||
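Review bot: the guest-only example drops `netbios name = SA` and `workgroup = WORKGROUP` from [global], but the testing section further down still connects with `smbclient -U demoUser //SA/demo`. Without `netbios name`, the server answers under its hostname, so either keep the parameter in the example or state next to it that the examples assume a host named SA, as the linked "server information used in documentation" page does.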
Line 29: | Line 26: | ||
read only = no |
read only = no |
||
guest ok = yes |
guest ok = yes |
||
guest only = yes |
|||
{{Imbox |
|||
| type = warning |
|||
| text = This example defines a share that is accessible without authentication. Guest shares can be a security problem. For example on a laptop that is connected to different networks, such as home, school, and work networks. Use guest shares with care and never use a guest share with authenticated users. |
|||
}} |
|||
= Creating a Basic authenticated access smb.conf File = |
|||
The following is a minimal configuration for a Samba standalone server: |
|||
[global] |
|||
log file = /var/log/samba/%m |
|||
log level = 1 |
|||
[demo] |
[demo] |
||
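Review bot: the authenticated example's [global] block has no `map to guest`, so the default `Never` applies; the old paragraph said so explicitly and the new text does not. Suggest one line after the block, e.g. "Without `map to guest`, logins with an unknown user name are rejected instead of being mapped to the guest account." The warning's last sentence, "never use a guest share with authenticated users", is ambiguous; if it means "do not enable guest access on a share that authenticated users also use", say that.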
Line 34: | Line 46: | ||
path = /srv/samba/demo/ |
path = /srv/samba/demo/ |
||
read only = no |
read only = no |
||
guest ok = no |
|||
The log parameters are not required for a minimal setup, but are helpful to locate the log files and increasing the log level, in case of problems. The above example includes a share that is accessible without authentication. Guest shares can be a security problem! Imagine one on a laptop, that is connected to different networks (home, school, work, etc.). So please use it with care! If you're not planning to provide anonymous (guest) access to shares, the "map to guest" parameter can either be removed or set to its default ("Never"). |
|||
* You can set a workgroup name with <code>workgroup = xxxxxxxx</code>, where 'xxxxxxxx' is the required name. If the parameter isn't set, the default workgroup name 'WORKGROUP' will be used. |
|||
* The log parameters are not necessary for a minimal setup. However they are useful to set the log file and increasing the log level in case of problems. |
|||
* Whilst these are only minimal smb.conf files, you can add other parameters, such as 'unix password sync = yes' to ensure the Unix & Samba passwords are kept in sync. See 'man smb.conf' for more info. |
|||
= Creating a Local User Account = |
|||
To provide authentication on a standalone host, you have to create the accounts locally on the operating system and additionally in the Samba database. By default, Samba uses the <code>tdbsam</code> back end and stores the database in the <code>/usr/local/samba/private/passdb.tdb</code> file. Optionally set a different location in the <code>smb.conf</code> file using the <code>passdb backend</code> parameter. See the <code>smb.conf 5</code> man page for details. |
|||
= Create a local user = |
|||
* Create a <code>demoUser</code> account on the local system: |
|||
If you want to provide non-anonymous shares on your standalone host, it is required that the users are created locally on the Samba host <u>and</u> in the Samba database. By default Samba uses the tdbsam backend, this stores its database file, passdb.tdb, inside the private directory (/usr/local/samba/private/), unless you have defined a different path via the "passdb backend" parameter. |
|||
* Step 1: Create a local Unix user account |
|||
# useradd -M -s /sbin/nologin demoUser |
# useradd -M -s /sbin/nologin demoUser |
||
: |
:Omit the <code>-M</code> parameter if the user requires a home directory on this host. For Samba access, the account does not require a valid shell. |
||
* |
* To enable the <code>demoUser</code> account on the local system: |
||
# passwd demoUser |
# passwd demoUser |
||
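Review bot: grammar in the second bullet: "useful to set the log file and increasing the log level" should read "useful to set the log file location and to increase the log level". In the "Creating a Local User Account" paragraph, `smb.conf 5` should be written `smb.conf(5)`, matching the later "smb.conf (5)" reference. The removed paragraph's advice that `map to guest` can be dropped or set to `Never` when no guest share is planned is worth carrying over into the bullets.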
Line 61: | Line 71: | ||
passwd: password updated successfully |
passwd: password updated successfully |
||
: Setting a local password is required to enable the account. Samba denies access if the account is disabled locally. Local log ins using this password are not possible if the account was created without a valid shell. |
|||
:This password is valid only for the local account and not for Samba access. That one is assigned in step 3. A local password is required - otherwise the account will stay in a locked state and a login via Samba will be denied. Having a password assigned to a Samba-only account won't be a problem, because we didn't define a shell in step 1. In this case, local logins are denied. |
|||
* Add the <code>demoUser</code> account to the Samba database: |
|||
* Step 3: Add the account to the Samba database |
|||
# smbpasswd -a demoUser |
# smbpasswd -a demoUser |
||
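Review bot: "Local log ins" should be "Local logins". The new note also loses the old note's point that this password is independent of the Samba password; a sentence such as "This password only applies to the local account; the Samba password is set with smbpasswd in the next step" would keep it.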
Line 71: | Line 80: | ||
Added user demoUser. |
Added user demoUser. |
||
:The password assigned in these steps is the one used by the user to log in to the domain. |
|||
:To enable an Samba account, it is necessary to set a password. This one is required for authentication against Samba. |
|||
:''Note:'' At the first run of "smbpasswd", you may see a message about that passdb.tdb was converted from version 0.0, when it wasn't existing before. This is an expected behaviour. |
|||
* Step 4: Enable the account in the Samba database |
|||
# smbpasswd -e demoUser |
|||
Enabled user demoUser. |
|||
= Local Group Management = |
|||
* To create a <code>demoGroup</code> group: |
|||
= Create a local group (optional) = |
|||
* Step 1: Create a group "demoGroup" |
|||
# groupadd demoGroup |
# groupadd demoGroup |
||
* To add the <code>demoUser</code> account to the group: |
|||
# usermod -aG demoGroup demoUser |
|||
* Step 2: Add account to group |
|||
# usermod -G demoGroup demoUser |
|||
= Creating the Shared Directories = |
|||
To create the shares directories: |
|||
= The shared directories = |
|||
If the shared directories do not already exist, you will need to create them: |
|||
# mkdir -p /srv/samba/guest/ |
# mkdir -p /srv/samba/guest/ |
||
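Review bot: "the one used by the user to log in to the domain" is wrong for a standalone server, which has no domain; "to authenticate to the Samba server" matches the setup described. Dropping "Step 4: Enable the account" is fine because `smbpasswd -a` creates the account enabled, but consider keeping the old note that the first `smbpasswd` run may print a message about passdb.tdb being converted from version 0.0. The change from `usermod -G` to `usermod -aG` is a correct fix: without `-a`, `-G` replaces the user's supplementary groups instead of appending to them.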
Line 109: | Line 109: | ||
= Setting ACLs on |
= Setting ACLs on the Shared Directories = |
||
Set the following POSIX permissions: |
|||
POSIX ACLs will be used in the following examples. See [[Shares_with_POSIX_ACLs|shares with POSIX ACLs]] for further information. |
|||
# chgrp -R demoGroup /srv/samba/guest/ |
# chgrp -R demoGroup /srv/samba/guest/ |
||
Line 119: | Line 119: | ||
# chmod 2770 /srv/samba/demo/ |
# chmod 2770 /srv/samba/demo/ |
||
This configures write access to members of the <code>demoGroup</code> group in both directories. Other users have read access in the <code>/srv/samba/guest/</code> and no access in the <code>/srv/samba/demo/</code> directory. The SGID bit - represented by the first bit (<code>2</code>) in the mode set on the directories - inherits the group of the parent directory instead setting it to the users primary group when new files are created. |
|||
For further information, see [[Setting_up_a_Share_Using_POSIX_ACLs|Setting up a Share Using POSIX ACLs]]. |
|||
= Start Samba = |
|||
= Starting Samba = |
|||
Start Samba by using the intended way of your OS (init script, systemctl command, etc.) or start the daemon manually: |
|||
Start the <code>smbd</code> daemon: |
|||
# smbd |
# smbd |
||
Samba does not include start scripts. See your distribution's documentation how further information how to automatically start a service at boot time. |
|||
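Review bot: "instead setting it to the users primary group" should read "instead of setting it to the user's primary group", and the leading 2 in the mode is the first digit, not the first bit. "See your distribution's documentation how further information how to automatically start a service at boot time" is garbled; "See your distribution's documentation for information on how to start a service automatically at boot time" is what is meant.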
Line 135: | Line 139: | ||
= Testing = |
= Testing the Share Access = |
||
* |
* Access the <code>demo</code> share as user <code>demoUser</code>: |
||
# smbclient -U demoUser //SA/demo |
# smbclient -U demoUser //SA/demo |
||
Line 150: | Line 154: | ||
smb: \> quit |
smb: \> quit |
||
* Access the <code>demo</code> share as guest. The access is denied: |
|||
* Accessing the "demo" share as guest will be denied as expected: |
|||
# smbclient -U guest //SA/demo |
# smbclient -U guest //SA/demo |
||
Line 164: | Line 167: | ||
= Advanced share settings = |
= Advanced share settings = |
||
This section describes some advanced share configuration parameters. For further information about the used parameters, see the <code>smb.conf (5)</code> man page. |
|||
== Using the <code>force</code> Parameters == |
|||
== Force parameters == |
|||
[demo] |
[demo] |
||
path = /srv/samba/demo/ |
path = /srv/samba/demo/ |
||
read only = no |
read only = no |
||
guest ok = no |
|||
force create mode = 0660 |
force create mode = 0660 |
||
force directory mode = 2770 |
force directory mode = 2770 |
||
Line 179: | Line 181: | ||
force group = demoGroup |
force group = demoGroup |
||
The <code>force create mode</code> and <code>force directory mode</code> parameters force Samba to create new files and folders with the set permissions. |
|||
The two "force ... mode" parameters, force exactly those modes on new files and directories. The force user/group parameters map all connections to the given user/group. Please notice, that this can raise serious security issues - especially if the share is accessible anonymous! |
|||
The <code>force user</code> and <code>force group</code> parameters map all connections to the specified user and group. Note that this can cause security problems if all users connecting to a share are mapped to a specific user account or group in the background. |
|||
== User and Group-based Share Access == |
|||
See [[Setting_up_a_Share_Using_POSIX_ACLs#Configuring_User_and_Group-based_Share_Access|Configuring User and Group-based Share Access]]. |
|||
== Host-based Share Access == |
|||
See [[Setting_up_a_Share_Using_POSIX_ACLs#Configuring_Host-based_share_access|Configuring Host-based Share Access]]. |
|||
== User/group based share access == |
|||
See [[Shares_with_POSIX_ACLs#User.2Fgroup_based_share_access|user/group based share access]]. |
|||
== Host based share access == |
|||
---- |
|||
See [[Shares_with_POSIX_ACLs#Host_based_share_access|host based share access]]. |
|||
[[Category:Standalone Server]] |
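Review bot: the rewritten `force user`/`force group` paragraph drops the old text's explicit point that the risk is worst when the share is accessible anonymously. Since the same page documents a guest share, keep a sentence such as "Do not combine `force user` or `force group` with `guest ok = yes`: every anonymous connection would then act as that user or group."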
Revision as of 10:46, 24 January 2020
Introduction
In small networks, such as a home network, or to share folders on a host that is not part of a domain, you often do not want to set up an Active Directory or NT4 domain.
The following documentation describes how to set up a Samba standalone server providing:
- a share that is accessible anonymously (guest access).
- a share that requires authentication against a local user database on the Samba host.
Creating a Basic guest only smb.conf File
The following is a minimal configuration for a Samba standalone server that only allows guest access:
    [global]
            map to guest = Bad User
            log file = /var/log/samba/%m
            log level = 1

    [guest]
            # This share allows anonymous (guest) access
            # without authentication!
            path = /srv/samba/guest/
            read only = no
            guest ok = yes
            guest only = yes
This example defines a share that is accessible without authentication. Guest shares can be a security problem, for example on a laptop that is connected to different networks, such as home, school, and work networks. Use guest shares with care and never use a guest share with authenticated users.
Creating a Basic authenticated access smb.conf File
The following is a minimal configuration for a Samba standalone server:
    [global]
            log file = /var/log/samba/%m
            log level = 1

    [demo]
            # This share requires authentication to access
            path = /srv/samba/demo/
            read only = no
- You can set a workgroup name with workgroup = xxxxxxxx, where 'xxxxxxxx' is the required name. If the parameter isn't set, the default workgroup name 'WORKGROUP' will be used.
- The log parameters are not necessary for a minimal setup. However, they are useful to set the log file location and to increase the log level in case of problems.
- Whilst these are only minimal smb.conf files, you can add other parameters, such as 'unix password sync = yes' to ensure the Unix and Samba passwords are kept in sync. See 'man smb.conf' for more info.
Creating a Local User Account
To provide authentication on a standalone host, you have to create the accounts locally on the operating system and additionally in the Samba database. By default, Samba uses the tdbsam back end and stores the database in the /usr/local/samba/private/passdb.tdb file. Optionally set a different location in the smb.conf file using the passdb backend parameter. See the smb.conf(5) man page for details.
- Create a demoUser account on the local system:
    # useradd -M -s /sbin/nologin demoUser
  Omit the -M parameter if the user requires a home directory on this host. For Samba access, the account does not require a valid shell.
- To enable the demoUser account on the local system:
    # passwd demoUser
    Enter new UNIX password: Passw0rd
    Retype new UNIX password: Passw0rd
    passwd: password updated successfully
  Setting a local password is required to enable the account. Samba denies access if the account is disabled locally. Local logins using this password are not possible if the account was created without a valid shell.
- Add the demoUser account to the Samba database:
    # smbpasswd -a demoUser
    New SMB password: Passw0rd
    Retype new SMB password: Passw0rd
    Added user demoUser.
- The password assigned in these steps is the one used by the user to log in to the domain.
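The two conditions the steps above rely on, that a locked local account makes Samba refuse the user and that an account without a valid shell cannot log in locally, can be checked before anyone tries the share. The following is an added example written for this page, not code from the Samba wiki or the Samba project. It reads records shaped like /etc/passwd, /etc/shadow and /etc/group lines (the sample records are constructed here; on a real host you would read the files as root) and reports what would still block Samba access for the demoUser account.

```python
# Added example (not from the Samba wiki): pre-flight check of a local
# Samba-only account. A locked local account (no password set, or a "!"
# or "*" lock marker in /etc/shadow) makes Samba deny the user; a shell
# such as /sbin/nologin blocks local logins even after a password is set.
# The records below are constructed samples shaped like /etc/passwd,
# /etc/shadow and /etc/group lines.

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

SAMPLE_PASSWD = [
    "root:x:0:0:root:/root:/bin/bash",
    "demoUser:x:1001:1001::/home/demoUser:/sbin/nologin",
    "alice:x:1002:1002::/home/alice:/bin/bash",
]
# demoUser was created with useradd but passwd has not been run yet,
# so the shadow entry still holds the "!" lock marker.
SAMPLE_SHADOW = [
    "root:$6$saltsalt$hashhashhash:18000:0:99999:7:::",
    "demoUser:!:18000:0:99999:7:::",
    "alice:$6$saltsalt$hashhashhash:18000:0:99999:7:::",
]
SAMPLE_GROUP = [
    "demoGroup:x:2001:demoUser",
    "alice:x:1002:",
]


def _record(lines, name):
    """Return the colon-split record whose first field is `name`, or None."""
    for line in lines:
        fields = line.rstrip("\n").split(":")
        if fields[0] == name:
            return fields
    return None


def account_state(user, passwd_lines, shadow_lines, group_lines):
    """Describe the local-account properties that decide whether Samba
    and local logins can succeed for `user`."""
    pw = _record(passwd_lines, user)
    if pw is None:
        return {"exists": False}
    shell = pw[6] if len(pw) > 6 else ""
    sh = _record(shadow_lines, user)
    secret = sh[1] if sh and len(sh) > 1 else ""
    # Empty field: no password set. Leading "!" or "*": locked for password
    # authentication. Both count as "disabled locally" for Samba.
    locked = secret == "" or secret.startswith(("!", "*"))
    groups = []
    for line in group_lines:
        fields = line.rstrip("\n").split(":")
        if len(fields) >= 4 and user in fields[3].split(","):
            groups.append(fields[0])
    return {
        "exists": True,
        "locked": locked,
        "shell": shell,
        # A local login needs an unlocked account *and* a real shell.
        "local_login_possible": not locked and shell not in NOLOGIN_SHELLS,
        "groups": groups,
    }


def findings(user, passwd_lines, shadow_lines, group_lines):
    """List what would still block Samba access, or what makes the account
    more than a Samba-only account; empty when the local side is in order."""
    st = account_state(user, passwd_lines, shadow_lines, group_lines)
    if not st["exists"]:
        return [f"{user}: no local account; run useradd first"]
    out = []
    if st["locked"]:
        out.append(f"{user}: local account is locked; run passwd to set a password")
    if st["local_login_possible"]:
        out.append(f"{user}: shell {st['shell']} allows local logins; "
                   "use /sbin/nologin for a Samba-only account")
    return out


if __name__ == "__main__":
    for name in ("demoUser", "alice", "bob"):
        print(name, findings(name, SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_GROUP) or ["ok"])
```

With the constructed records, demoUser is reported as locked (useradd was run, passwd was not), which is exactly the state in which Samba refuses the account even after `smbpasswd -a`; once the shadow field holds a hash, the account is unlocked while its `/sbin/nologin` shell still keeps local logins closed.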
Local Group Management
- To create a demoGroup group:
    # groupadd demoGroup
- To add the demoUser account to the group:
    # usermod -aG demoGroup demoUser
Creating the Shared Directories
To create the share directories:
    # mkdir -p /srv/samba/guest/
    # mkdir -p /srv/samba/demo/
Setting ACLs on the Shared Directories
Set the following POSIX permissions:
    # chgrp -R demoGroup /srv/samba/guest/
    # chgrp -R demoGroup /srv/samba/demo/
    # chmod 2775 /srv/samba/guest/
    # chmod 2770 /srv/samba/demo/
This configures write access for members of the demoGroup group in both directories. Other users have read access in the /srv/samba/guest/ directory and no access in the /srv/samba/demo/ directory. The SGID bit, represented by the first digit (2) in the mode set on the directories, makes new files inherit the group of the parent directory instead of the user's primary group.
For further information, see Setting up a Share Using POSIX ACLs.
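The modes 2775 and 2770 pack three decisions into four digits: the SGID bit, group write access, and whether "others" get read access or nothing. The following added example, written for this page and not taken from the Samba wiki, decodes a mode into those properties and checks an existing directory against the mode and group it should have; the demo() function creates a temporary directory, applies the page's 2770 mode, and then loosens it to 0777 to show what the check reports for a misconfigured share root.

```python
# Added example (not from the Samba wiki): verify that a share directory
# carries the permissions set in this section. 2775/2770 mean: SGID set
# (new files inherit the directory's group), group read/write/execute,
# and for "others" either read+execute (5) or no access (0).
import os
import shutil
import stat
import tempfile


def describe_mode(mode):
    """Split a directory mode into the properties that matter for a share."""
    return {
        "setgid": bool(mode & stat.S_ISGID),
        "group_writable": bool(mode & stat.S_IWGRP),
        "other_readable": bool(mode & stat.S_IROTH),
        "other_writable": bool(mode & stat.S_IWOTH),
    }


def check_share_dir(path, expected_mode, expected_gid=None):
    """Return a list of findings for `path`; an empty list means it matches."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path}: not a directory"]
    actual = stat.S_IMODE(st.st_mode)
    findings = []
    if actual != expected_mode:
        findings.append(f"{path}: mode is {actual:04o}, expected {expected_mode:04o}")
    props = describe_mode(actual)
    if not props["setgid"]:
        findings.append(f"{path}: SGID bit missing, new files will not inherit the group")
    if props["other_writable"]:
        findings.append(f"{path}: world-writable")
    if expected_gid is not None and st.st_gid != expected_gid:
        findings.append(f"{path}: group id is {st.st_gid}, expected {expected_gid}")
    return findings


def demo():
    """Apply the page's 2770 mode to a temporary directory, check it, then
    loosen it to 0777 and check again. Returns (findings_ok, findings_bad)."""
    base = tempfile.mkdtemp()
    try:
        share = os.path.join(base, "demo")
        os.mkdir(share)
        # The temporary directory belongs to our own group, which stands in
        # for demoGroup here; chgrp would be the extra step on a real host.
        os.chmod(share, 0o2770)
        findings_ok = check_share_dir(share, 0o2770, os.getgid())
        os.chmod(share, 0o777)
        findings_bad = check_share_dir(share, 0o2770, os.getgid())
        return findings_ok, findings_bad
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    ok, bad = demo()
    print("after chmod 2770:", ok or ["ok"])
    print("after chmod 0777:", bad)
```

On a real host you would call check_share_dir("/srv/samba/demo/", 0o2770, grp.getgrnam("demoGroup").gr_gid) after the chgrp and chmod steps; the 0777 variant in demo() produces three findings (wrong mode, SGID missing, world-writable), which is the state to look for when files in a share unexpectedly end up owned by each user's primary group.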
Starting Samba
Start the smbd daemon:
    # smbd
Samba does not include start scripts. See your distribution's documentation for information on how to start a service automatically at boot time.
Testing the Share Access
- Access the demo share as user demoUser:
    # smbclient -U demoUser //SA/demo
    Enter demoUser's password: Passw0rd
    Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba x.y.z]
    smb: \> ls
      .                                   D        0  Sun Jan  3 21:00:00 2016
      ..                                  D        0  Sun Jan  3 19:00:00 2016
      demo.txt                            A        0  Sun Jan  3 21:00:00 2016

                9943040 blocks of size 1024. 7987416 blocks available
    smb: \> quit
- Access the demo share as guest. The access is denied:
    # smbclient -U guest //SA/demo
    Enter guest's password:
    Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba x.y.z]
    tree connect failed: NT_STATUS_ACCESS_DENIED
Advanced share settings
This section describes some advanced share configuration parameters. For further information about the used parameters, see the smb.conf(5) man page.
Using the force Parameters
    [demo]
            path = /srv/samba/demo/
            read only = no
            force create mode = 0660
            force directory mode = 2770
            force user = demoUser
            force group = demoGroup
The force create mode and force directory mode parameters force Samba to create new files and folders with the set permissions.
The force user and force group parameters map all connections to the specified user and group. Note that this can cause security problems if all users connecting to a share are mapped to a specific user account or group in the background.
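The two warnings on this page, that a guest share should not be mixed with authenticated users (the guest-only smb.conf above) and that force user/force group hand one identity to every connection (the force example just shown), can both be checked mechanically from smb.conf. The following is an added example written for this page, not code from the Samba wiki or from the Samba project; it is a minimal smb.conf reader that normalises parameter names the way Samba does (case-insensitive, whitespace ignored, with the documented synonyms public and only guest) and reports the risky combinations. The page's two example configurations are embedded as inputs, plus one constructed variant that switches guest access on in the force example.

```python
# Added example (not from the Samba wiki): audit smb.conf share settings for
# the combinations this page warns about. Parameter names are compared
# case-insensitively with whitespace removed, as Samba does; "public" is a
# synonym of "guest ok" and "only guest" a synonym of "guest only".

_TRUE = {"yes", "true", "1"}

# The page's guest-only and authenticated examples, verbatim.
GUEST_CONF = """
[global]
        map to guest = Bad User
        log file = /var/log/samba/%m
        log level = 1
[guest]
        # This share allows anonymous (guest) access
        path = /srv/samba/guest/
        read only = no
        guest ok = yes
        guest only = yes
"""

AUTH_CONF = """
[global]
        log file = /var/log/samba/%m
        log level = 1
[demo]
        path = /srv/samba/demo/
        read only = no
"""

# Constructed: the page's force example with guest access switched on.
RISKY_CONF = """
[global]
        map to guest = Bad User
[demo]
        path = /srv/samba/demo/
        read only = no
        guest ok = yes
        force create mode = 0660
        force directory mode = 2770
        force user = demoUser
        force group = demoGroup
"""


def parse_smb_conf(text):
    """Return {section: {normalised key: value}}; a repeated key keeps the last value."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current]["".join(key.lower().split())] = value.strip()
    return sections


def _flag(share, *keys):
    """True if any of the (synonymous) boolean parameters is switched on."""
    return any(share.get(k, "no").lower() in _TRUE for k in keys)


def audit(text):
    """Return a list of findings; an empty list means nothing to report."""
    conf = parse_smb_conf(text)
    findings, guest_shares = [], []
    for name, share in conf.items():
        if name == "global":
            continue
        if _flag(share, "guestok", "public"):
            guest_shares.append(name)
            if not _flag(share, "guestonly", "onlyguest"):
                findings.append(f"[{name}]: guest ok = yes without guest only = yes, "
                                "guests and authenticated users use the same share")
            if "forceuser" in share or "forcegroup" in share:
                findings.append(f"[{name}]: force user/force group on a guest share, "
                                "every anonymous connection acts as that identity")
        if share.get("forceuser", "").lower() == "root":
            findings.append(f"[{name}]: force user = root")
    map_to_guest = conf.get("global", {}).get("maptoguest", "Never").lower()
    if guest_shares and map_to_guest == "never":
        findings.append("[global]: guest shares defined but map to guest = Never (the default); "
                        "logins with an unknown user name, as 'smbclient -U guest' sends, are rejected")
    if not guest_shares and map_to_guest != "never":
        findings.append("[global]: map to guest set although no share allows guests; "
                        "remove it or set it to Never")
    return findings


if __name__ == "__main__":
    for label, conf in (("guest-only", GUEST_CONF), ("authenticated", AUTH_CONF), ("risky", RISKY_CONF)):
        print(label, audit(conf) or ["ok"])
```

The page's two configurations produce no findings; the constructed variant is reported twice, once for guest and authenticated access on the same share and once for force user/force group on a guest-reachable share. The parser deliberately handles only the syntax used on this page (sections, key = value, # and ; comments); include directives and per-share variable substitution are out of scope for this check.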
User and Group-based Share Access
See Configuring User and Group-based Share Access.
Host-based Share Access
See Configuring Host-based Share Access.