Setting up Samba as a Standalone Server: Difference between revisions

From SambaWiki
 

Latest revision as of 13:24, 3 February 2023

Introduction

In small networks, such as a home network, or to share folders on a host that is not part of a domain, you often do not want to set up an Active Directory or NT4 domain.

The following documentation describes how to set up a Samba standalone server providing:

  • a share that is accessible anonymously (guest access).
  • a share that requires authentication against a local user database on the Samba host.



Creating a Basic guest only smb.conf File

The following is a minimal configuration for a Samba standalone server that only allows guest access:

[global]
        map to guest = Bad User
        log file = /var/log/samba/%m
        log level = 1
        server role = standalone server

[guest]
        # This share allows anonymous (guest) access
        # without authentication!
        path = /srv/samba/guest/
        read only = no
        guest ok = yes
        guest only = yes

Warning: This example defines a share that is accessible without authentication. Guest shares can be a security problem, for example on a laptop that is connected to different networks, such as home, school, and work networks. Use guest shares with care and never use a guest share with authenticated users.

Note: Starting from Windows 10 1709, guest access in SMB2 and SMB3 may be disabled by default. This means that guest access from Windows 10 to a Samba share may not work. For more information, see https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/guest-access-in-smb2-is-disabled-by-default.

Creating a Basic authenticated access smb.conf File

The following is a minimal configuration for a Samba standalone server:

[global]
        log file = /var/log/samba/%m
        log level = 1
        server role = standalone server

[demo]
        # This share requires authentication to access
        path = /srv/samba/demo/
        read only = no
        inherit permissions = yes

  • You can set a workgroup name with workgroup = xxxxxxxx, where 'xxxxxxxx' is the required name. If the parameter isn't set, the default workgroup name 'WORKGROUP' is used.
  • You can restrict access to members of a specified group by adding valid users = @demoGroup to the share; replace demoGroup with the required Unix group name.
  • The log parameters are not necessary for a minimal setup. However, they are useful for setting the log file and increasing the log level in case of problems.
  • Whilst these are only minimal smb.conf files, you can add other parameters, such as 'unix password sync = yes' to ensure the Unix and Samba passwords are kept in sync. See 'man smb.conf' for more information.




Creating Local User Accounts, option #1

To provide authentication on a standalone host, you have to create the accounts locally on the operating system and additionally in the Samba database. By default, Samba uses the tdbsam back end and stores the database in the /usr/local/samba/private/passdb.tdb file. Optionally set a different location in the smb.conf file using the passdb backend parameter. See the smb.conf 5 man page for details.

  • Create a demoUser account on the local system:
# useradd -M -s /sbin/nologin demoUser
Omit the -M parameter if the user requires a home directory on this host. For Samba access, the account does not require a valid shell.
  • To enable the demoUser account on the local system:
# passwd demoUser
Enter new UNIX password: Passw0rd
Retype new UNIX password: Passw0rd
passwd: password updated successfully
Setting a local password is required to enable the account. Samba denies access if the account is disabled locally. Local log ins using this password are not possible if the account was created without a valid shell.
  • Add the demoUser account to the Samba database:
# smbpasswd -a demoUser
New SMB password: Passw0rd
Retype new SMB password: Passw0rd
Added user demoUser.
The password assigned in these steps is the one used by the user to log in to the domain.

Creating Local User Accounts, option #2

To provide authentication on a standalone host, users have to exist both on the operating system and in the Samba database.

Samba can be configured to automatically create Linux user accounts after successful Samba authentication, using the [global] add user script smb.conf option. Unfortunately, this option does not work as intended at end-user access time, but it can be leveraged to simplify adding users to your Samba standalone server, because when adding a Samba user with

# smbpasswd -a demoUser
New SMB password: Passw0rd
Retype new SMB password: Passw0rd
Added user demoUser.

Samba automatically calls the configured add user script, which creates the local Linux user for you.

A very simple sample add_user.sh script could look like this:

#!/bin/bash
# Samba passes the new user name as the first argument ($1).
# Create a matching Linux account without a home directory or login shell.
adduser --no-create-home --shell /usr/sbin/nologin --user-group "$1"

Both the Linux and the Samba user are deleted with

# pdbedit -x demoUser

Local Group Management

  • To create a demoGroup group:
# groupadd demoGroup
  • To add the demoUser account to the group:
# usermod -aG demoGroup demoUser



Creating the Shared Directories

To create the shares directories:

# mkdir -p /srv/samba/guest/
# mkdir -p /srv/samba/demo/

If SELinux is in enforcing mode, Samba access to these directories might be denied unless you label them with the samba_share_t type:

# semanage fcontext -a -t samba_share_t "/srv/samba/guest(/.*)?"
# restorecon -Rv /srv/samba/guest/

and

# semanage fcontext -a -t samba_share_t "/srv/samba/demo(/.*)?"
# restorecon -Rv /srv/samba/demo/

Setting ACLs on the Shared Directories

Set the following POSIX permissions:

# chown -R nobody:nogroup /srv/samba/guest/
# chgrp -R demoGroup /srv/samba/demo/

# chmod 2770 /srv/samba/guest/
# chmod 2770 /srv/samba/demo/

This configures write access for members of the demoGroup group in both directories. Other users have read access in /srv/samba/guest/ and no access in /srv/samba/demo/. The SGID bit, represented by the leading digit (2) in the mode set on the directories, makes new files inherit the group of the parent directory instead of the creating user's primary group.

For further information, see Setting up a Share Using POSIX ACLs.
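The permissions above are easy to get wrong later (a recursive chmod, a restore from backup), so a check that decodes the mode bits and reports what is off is worth keeping next to the share. The following is an added example written for this page, not code from the Samba project or this wiki; the function names (audit_mode, audit_share_dir, audit_temp_dir) are my own, and the share paths and group names are the ones used in the commands above.

```python
import grp
import os
import stat
import tempfile

# Added example (not part of Samba or this wiki): decode the POSIX mode of a
# share directory and report deviations from the 2770 layout set above
# (SGID bit set, owning group has rwx, others have no access).

EXPECTED_SHARE_MODE = 0o2770  # mode used for both share directories on this page

def audit_mode(mode, expected=EXPECTED_SHARE_MODE):
    """Return findings for a directory permission mode such as 0o2770.

    `mode` is the permission part of st_mode (see stat.S_IMODE).
    """
    findings = []
    if not mode & stat.S_ISGID:
        findings.append("SGID bit not set: new files get the creating user's "
                        "primary group instead of the directory's group")
    if not mode & stat.S_IWGRP:
        findings.append("owning group has no write access")
    if mode & stat.S_IRWXO:
        findings.append("others have access (other bits = %o); the share is "
                        "not restricted to the group" % (mode & stat.S_IRWXO))
    if mode != expected:
        findings.append("mode is %04o, expected %04o" % (mode, expected))
    return findings

def audit_share_dir(path, expected=EXPECTED_SHARE_MODE, group=None):
    """Stat a share directory and audit its mode and, optionally, its owning group."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return ["%s: not a directory" % path]
    findings = audit_mode(stat.S_IMODE(st.st_mode), expected)
    if group is not None:
        actual = grp.getgrgid(st.st_gid).gr_name
        if actual != group:
            findings.append("owning group is %s, expected %s" % (actual, group))
    return ["%s: %s" % (path, f) for f in findings]

def audit_temp_dir(mode):
    """Create a throwaway directory with `mode` and audit it, for trying the check offline."""
    path = tempfile.mkdtemp()
    try:
        os.chmod(path, mode)
        return audit_share_dir(path)
    finally:
        os.rmdir(path)

if __name__ == "__main__":
    # Expected owning groups follow the chown/chgrp commands on this page.
    expected_groups = {"/srv/samba/guest/": "nogroup", "/srv/samba/demo/": "demoGroup"}
    for share, group in expected_groups.items():
        if not os.path.isdir(share):
            print("%s: not present on this host" % share)
            continue
        for line in audit_share_dir(share, group=group) or ["%s: OK" % share]:
            print(line)
```

Run it as root on the Samba host after setting the permissions; an empty result for a share means mode 2770 with the expected owning group. The audit_temp_dir helper exercises the same logic against a scratch directory so the check can be tried on a machine without the shares.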



Verifying the Samba configuration

You should verify the Samba configuration every time the /etc/samba/smb.conf file is updated, using the testparm utility.

Run it as follows:

# testparm -s

Sample output:

Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_STANDALONE

Press enter to see a dump of your service definitions
...

If any errors are shown (you can ignore deprecation warnings), fix them before proceeding.



Starting Samba

Start the smbd daemon:

# smbd

Samba does not include start scripts. See your distribution's documentation for further information on how to start a service automatically at boot time.



Testing the Share Access

  • Access the demo share as user demoUser:
# smbclient -U demoUser //SA/demo
Enter demoUser's password: Passw0rd
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba x.y.z]
smb: \> ls
  .                                   D        0  Sun Jan  3 21:00:00 2016
  ..                                  D        0  Sun Jan  3 19:00:00 2016
  demo.txt                            A        0  Sun Jan  3 21:00:00 2016

		9943040 blocks of size 1024. 7987416 blocks available
smb: \> quit
  • Access the demo share as guest. The access is denied:
# smbclient -U guest //SA/demo
Enter guest's password: 
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba x.y.z]
tree connect failed: NT_STATUS_ACCESS_DENIED




Advanced share settings

This section describes some advanced share configuration parameters. For further information about the parameters used, see the smb.conf (5) man page.


Using the force Parameters

[demo]
        path = /srv/samba/demo/
        read only = no
        force create mode = 0660
        force directory mode = 2770
        force user = demoUser
        force group = demoGroup

The force create mode and force directory mode parameters force Samba to create new files and directories with the specified permissions.

The force user and force group parameters map all connections to the specified user and group. Note that this can cause security problems, because every user connecting to the share is transparently mapped to that user account or group and acts with its permissions, regardless of who authenticated.
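The parameters that decide who gets in and as whom (guest ok, read only, map to guest in the guest-only example, and force user / force group here) are spread over several sections, and testparm only checks syntax. The following is an added example written for this page, not code from the Samba project or this wiki: a minimal smb.conf parser and an audit that lists those settings per share. The function names (parse_smb_conf, as_bool, is_writable, audit_smb_conf) are my own, the sample configuration is constructed from the examples on this page, and the parser deliberately ignores include directives and %-substitutions.

```python
import re

# Added example (not part of Samba or this wiki): parse smb.conf and report the
# access-control parameters discussed on this page: 'guest ok', 'read only',
# 'map to guest', 'force user' and 'force group'.

# Constructed sample combining the guest-only, authenticated and force examples.
SAMPLE_CONF = """
[global]
        map to guest = Bad User
        log file = /var/log/samba/%m
        log level = 1
        server role = standalone server

[guest]
        # This share allows anonymous (guest) access without authentication!
        path = /srv/samba/guest/
        read only = no
        guest ok = yes
        guest only = yes

[demo]
        path = /srv/samba/demo/
        read only = no
        inherit permissions = yes
        force user = demoUser
        force group = demoGroup
"""

def parse_smb_conf(text):
    """Parse smb.conf text into {section_name: {parameter: value}}.

    Samba treats parameter names case-insensitively and ignores whitespace
    inside them, so 'Guest OK' and 'guest ok' both normalise to 'guestok'.
    Comment lines start with '#' or ';'.
    """
    conf = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        match = re.fullmatch(r"\[(.+)\]", line)
        if match:
            section = match.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[section][re.sub(r"\s+", "", key).lower()] = value.strip()
    return conf

def as_bool(value, default=False):
    """Interpret a Samba boolean ('yes'/'true'/'1' vs 'no'/'false'/'0')."""
    if value is None:
        return default
    return value.strip().lower() in ("yes", "true", "1")

def is_writable(share):
    """'read only' defaults to yes; 'writable'/'writeable' are its inverse synonyms."""
    if "readonly" in share:
        return not as_bool(share["readonly"])
    for synonym in ("writable", "writeable"):
        if synonym in share:
            return as_bool(share[synonym])
    return False

def audit_smb_conf(text):
    """Return human-readable findings about anonymous access and forced identities."""
    conf = parse_smb_conf(text)
    findings = []
    map_to_guest = conf.get("global", {}).get("maptoguest", "Never")
    if map_to_guest.lower() != "never":
        findings.append("[global] map to guest = %s: failed logins can be treated "
                        "as guest instead of being rejected" % map_to_guest)
    for name, share in conf.items():
        if name == "global":
            continue
        if as_bool(share.get("guestok")):
            findings.append("[%s] allows anonymous (guest) access" % name)
            if is_writable(share):
                findings.append("[%s] is writable by anonymous users" % name)
        for param, label in (("forceuser", "force user"), ("forcegroup", "force group")):
            if param in share:
                findings.append("[%s] %s = %s: every connection to the share acts as "
                                "this identity, regardless of who authenticated"
                                % (name, label, share[param]))
    return findings

if __name__ == "__main__":
    for finding in audit_smb_conf(SAMPLE_CONF):
        print(finding)
```

Point it at the real file with audit_smb_conf(open("/etc/samba/smb.conf").read()) after testparm reports the file loads cleanly; every line it prints is a share that either admits anonymous users or runs all connections under one identity, which is exactly the list to review before the server is exposed to a network you do not control.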


User and Group-based Share Access

See Configuring User and Group-based Share Access.


Host-based Share Access

See Configuring Host-based Share Access.