Commit c5915e76 authored by Paolino Paperino

2017-10-19: FG; Added Samba server configuration.

parent 53b2ed4c
Configure Samba server
======================
You have a Linux box `linuxhost` which you want to configure as a Samba server
for a Windows box `windowshost`.
.. warning:: For security reasons, your boxes should allow the Samba protocol only on a
(dedicated) private network. And/Or make sure `iptables` on `linuxhost` restricts
traffic to ports 139 and 445 only to `windowshost`.
What we aim to achieve
----------------------
The Linux box acts as a Samba server to the Windows box.
Two users, `smbrw` and `smbro` are allowed to connect, no guest access.
Two paths are served:
- `/home/pathRO`, visible in Windows as `datain`, with read-only access to everyone
- `/home/pathRW`, visible in Windows as `dataout`, with read-write access to user
`smbrw` and read-only access to user `smbro`
Configuration: pre-requisite
----------------------------
All following commands are to be executed on the Linux box.
Install the required packages::
$ apt-get install samba samba-common python-glade2 system-config-samba
Create Unix users. Since these users will be solely used by Samba, they do
not need to be able to connect directly to Linux, hence we make them non-interactive
by setting the shell to `/bin/false`::
$ addgroup smbgrp
$ adduser smbrw --shell /bin/false --ingroup smbgrp
$ adduser smbro --shell /bin/false --ingroup smbgrp
Make sure the paths being served exist and have the right privileges.
We omit the part relevant to the read-only path, but since such path most probably
already exists, you only need to make sure it is world-readable::
$ mkdir /home/pathRW
$ chown -R smbrw.smbgrp /home/pathRW
Create a path which will be referenced in the `smb.conf` file::
$ mkdir /etc/samba/private/
Restrict access to this server, via iptables. We assume package `iptables-persistent`
has been previously installed, so we just need to add these lines in file
`/etc/iptables/rules.v4`::
# Samba
-A INPUT -s <IP_of_windowshost>/32 -p tcp -m state --state NEW -m tcp -m multiport --dports 139,445 -j ACCEPT
Restart `iptables`::
$ service iptables-persistent restart
Configuration: Samba
--------------------
Create file `/etc/samba/smb.conf` with content similar to:
::
#
# Inspired by:
# - http://guide.debianizzati.org/index.php/SAMBA:_configurazione_lato_server
# - https://www.howtoforge.com/samba-server-ubuntu-14.04-lts
# - https://www.samba.org/samba/docs/using_samba/ch09.html
#
[global]
workgroup = WORKGROUP
server string = Samba Server test %v
netbios name = server test
security = user
map to guest = bad user
dns proxy = no
username map = /etc/samba/private/utenti.map
smb passwd file = /etc/samba/private/smbpasswd
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes
#============================ Share Definitions ==============================
# [Anonymous]
# path = /home/anonymous
# browsable =yes
# writable = yes
# guest ok = yes
# read only = no
[datain]
path = /home/pathRO
comment = Read-only FS
valid users = smbrw, smbro
read only = yes
[dataout]
path = /home/pathRW
comment = Read-write FS
valid users = smbrw, smbro
read only = no
write list = smbrw
read list = smbro
directory mask = 0755
create mask = 0644
If you really want some form of anonymous access, consider editing the section `Anonymous`
in the example above.
Check the configuration file is OK::
$ testparm
Create Samba passwords for your users::
$ smbpasswd -a smbrw
$ smbpasswd -a smbro
Verify
------
On `linuxhost`::
$ smbclient -L localhost
On `windowshost` open `File Explorer` and try to connect to::
\\<IP_of_linuxhost\
a pop-up should appear asking you credentials for connection.
If you want to also test the second account, open a command prompt and
execute::
$ net use
$ net use \\<IP_of_linuxhost>\<network_path> /del
or more simply::
$ net use * /del
then go back to `File Explorer` and connect again.
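
Review bot: `map to guest = bad user` in the `[global]` section of the smb.conf example conflicts with the stated goal of "no guest access": with it, a login with an unknown username is mapped to the guest account instead of being rejected. No share sets `guest ok = yes`, so the two shares stay closed, but `map to guest = never` would match the goal and make the failure explicit. In the iptables step, the single `-A INPUT ... --dports 139,445 -j ACCEPT` line restricts nothing on its own; it only limits access to `windowshost` if the INPUT policy or a later rule drops other traffic to those ports, so the text should state that assumption or show the matching DROP rule. `mkdir /etc/samba/private/` is given no mode or owner even though `smb passwd file` points into it; a `chmod 700` step right after it would be worth adding. Minor: `\\<IP_of_linuxhost\` in the Verify section is missing the closing `>`, and `chown -R smbrw.smbgrp` should use the `smbrw:smbgrp` separator.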