Setting up Samba as a Standalone Server
Revision as of 13:40, 5 January 2016
Introduction
In some environments, such as a home network, or to temporarily share folders on a host that is not part of a domain, you may not want to set up an Active Directory or an NT4 domain. In the following, we will set up a Samba standalone installation with a share that is accessible anonymously (guest access), and a second one that requires authentication against a local user database on the Samba host. To set up share permissions, it is useful to read the documentation about shares with POSIX ACLs, as well as shares with Windows ACLs. Of course, a standalone server can also act as a print server. See print server support for information on how to set it up.
See the server information used in documentation page for the paths, hostnames, etc. used below.
A basic smb.conf
The following configuration is a minimal setup for a standalone Samba server installation:
[global]
        workgroup = WORKGROUP
        netbios name = SA
        map to guest = Bad User
        log file = /var/log/samba/%m
        log level = 1

[guest]
        # This share allows anonymous (guest) access
        # without authentication!
        path = /srv/samba/guest/
        read only = no
        guest ok = yes

[demo]
        # This share requires authentication to access
        path = /srv/samba/demo/
        read only = no
        guest ok = no
The log parameters are not required for a minimal setup, but they are helpful for locating the log files and for increasing the log level in case of problems. The above example includes a share that is accessible without authentication. Guest shares can be a security problem! Imagine one on a laptop that is connected to different networks (home, school, work, etc.). So please use it with care! If you are not planning to provide anonymous (guest) access to shares, the "map to guest" parameter can either be removed or set to its default ("Never").
Create a local user
If you want to provide non-anonymous shares on your standalone host, the users must be created both locally on the Samba host and in the Samba database. By default, Samba uses the tdbsam backend, which stores its database file, passdb.tdb, inside the private directory (/usr/local/samba/private/), unless you have defined a different path via the "passdb backend" parameter.
- Step 1: Create a local Unix user account
# useradd -M -s /sbin/nologin demoUser
- This command adds a local account named "demoUser" without creating a home directory. Omit "-M" if you require a home directory. It is not necessary to assign a valid shell to the account if no local logins (e.g. via SSH) are required.
- Step 2: Enable the local account
# passwd demoUser
Enter new UNIX password: Passw0rd
Retype new UNIX password: Passw0rd
passwd: password updated successfully
- This password is valid only for the local account and not for Samba access; the Samba password is assigned in step 3. A local password is required, otherwise the account stays in a locked state and logins via Samba are denied. Having a password assigned to a Samba-only account is not a problem, because we did not assign a valid login shell in step 1, so local logins are denied.
- Step 3: Add the account to the Samba database
# smbpasswd -a demoUser
New SMB password: Passw0rd
Retype new SMB password: Passw0rd
Added user demoUser.
- To enable a Samba account, a password must be set. This is the password used for authentication against Samba.
- Note: On the first run of "smbpasswd", you may see a message that passdb.tdb was converted from version 0.0 if the file did not exist before. This is expected behaviour.
- Step 4: Enable the account in the Samba database
# smbpasswd -e demoUser
Enabled user demoUser.
Create a local group (optional)
- Step 1: Create a group "demoGroup"
# groupadd demoGroup
- Step 2: Add account to group
# usermod -aG demoGroup demoUser
If the shared directories do not already exist, you will need to create them:
# mkdir -p /srv/samba/guest/
# mkdir -p /srv/samba/demo/
POSIX ACLs will be used in the following examples. See shares with POSIX ACLs for further information.
# chgrp -R demoGroup /srv/samba/guest/
# chgrp -R demoGroup /srv/samba/demo/
# chmod 2775 /srv/samba/guest/
# chmod 2770 /srv/samba/demo/
These permissions allow write access for the group "demoGroup". Accounts that are not members of "demoGroup" have only read access on the guest share and no access on the demo share. Additionally, we set the SGID bit, represented by the leading "2" in "2770" and "2775". With this bit set, new files and directories inherit the group of the parent directory instead of the creating user's primary group.
Start Samba
Start Samba by using the intended way of your OS (init script, systemctl command, etc.) or start the daemon manually:
# smbd
Testing
- Accessing the "demo" share as user "demoUser":
# smbclient -U demoUser //SA/demo
Enter demoUser's password: Passw0rd
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba x.y.z]
smb: \> ls
  .                                   D        0  Sun Jan  3 21:00:00 2016
  ..                                  D        0  Sun Jan  3 19:00:00 2016
  demo.txt                            A        0  Sun Jan  3 21:00:00 2016

                9943040 blocks of size 1024. 7987416 blocks available
smb: \> quit
- Accessing the "demo" share as guest will be denied as expected:
# smbclient -U guest //SA/demo
Enter guest's password:
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba x.y.z]
tree connect failed: NT_STATUS_ACCESS_DENIED
Find below some typical advanced share configurations. See the smb.conf man page for detailed information about the parameters used.
Force parameters
[demo]
        path = /srv/samba/demo/
        read only = no
        guest ok = no
        force create mode = 0660
        force directory mode = 2770
        force user = demoUser
        force group = demoGroup
The two "force ... mode" parameters force exactly those modes on new files and directories. The "force user" and "force group" parameters map all connections to the given user and group. Note that this can raise serious security issues, especially if the share is accessible anonymously!
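As an added audit helper (not from the Samba wiki), the script below reads an smb.conf and lists every guest-accessible share, flags those that also set "force user"/"force group" (the risky combination described above), and reports the effective "map to guest" setting from the earlier section. The sample config and its [dropbox] share are constructed for the demonstration.

```shell
# Constructed sample: this page's minimal config plus a [dropbox] share that
# combines guest access with "force user".
SAMPLE_CONF="$(mktemp)"
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
[global]
        workgroup = WORKGROUP
        netbios name = SA
        map to guest = Bad User
[guest]
        # anonymous access, no authentication
        path = /srv/samba/guest/
        guest ok = yes
[demo]
        path = /srv/samba/demo/
        guest ok = no
[dropbox]
        path = /srv/samba/dropbox/
        public = yes
        force user = demoUser
EOF

# Print "share<TAB>GUEST" for each guest-accessible share ("guest ok" or its
# synonym "public"), or "share<TAB>GUEST+FORCE" when force user/group is set too.
audit_smb_conf() {
    awk '
        /^[[:space:]]*[#;]/ { next }                          # comment lines
        /^[[:space:]]*\[/ { sub(/^[[:space:]]*\[/, ""); sub(/].*$/, ""); sec = $0; next }
        sec == "" || sec == "global" { next }
        {
            line = tolower($0); sub(/^[[:space:]]+/, "", line)
            if (line ~ /^(guest[[:space:]]+ok|public)[[:space:]]*=[[:space:]]*(yes|true|1)[[:space:]]*$/) guest[sec] = 1
            if (line ~ /^force[[:space:]]+(user|group)[[:space:]]*=/) force[sec] = 1
        }
        END { for (s in guest) { flag = (s in force) ? "GUEST+FORCE" : "GUEST"; print s "\t" flag } }
    ' "$1" | sort
}

# Effective "map to guest" (Samba default is "Never"); any other value lets
# failed logins fall through to the guest account.
map_to_guest() {
    awk -F= '
        /^[[:space:]]*\[/ { sub(/^[[:space:]]*\[/, ""); sub(/].*$/, ""); sec = $0; next }
        sec == "global" && tolower($1) ~ /^[[:space:]]*map[[:space:]]+to[[:space:]]+guest[[:space:]]*$/ {
            v = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); print v; found = 1 }
        END { if (!found) print "Never" }
    ' "$1"
}

audit_smb_conf "$SAMPLE_CONF"; echo "map to guest = $(map_to_guest "$SAMPLE_CONF")"
```

Point both functions at /usr/local/samba/etc/smb.conf (or wherever your smb.conf lives) to audit a real server before exposing it to an untrusted network.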
See user/group based share access.