Samba service

From Nix-Pro

Configuration settings explanation

Authentication Settings

Security level

In user-level security, the client sends a session setup request directly following protocol negotiation. This request provides a username and password. The server can either accept or reject that username/password combination. At this stage the server has no idea what share the client will eventually try to connect to, so it can't base the accept/reject on anything other than:

  • the username/password.
  • the name of the client machine.

If the server accepts the username/password credentials, the client expects to be able to mount shares (using a tree connection) without further specifying a password. It expects that all access rights will be as the username/password credentials set that was specified in the initial session setup.

It is also possible for a client to send multiple session setup requests. When the server responds, it gives the client a uid to use as an authentication tag for that username/password. The client can maintain multiple authentication contexts in this way (WinDD is an example of an application that does this).

Windows networking user account names are case-insensitive, meaning that upper-case and lower-case characters in the account name are considered equivalent. They are said to be case-preserving, but not case significant. Windows and LanManager systems previous to Windows NT version 3.10 have case-insensitive passwords that were not necessarily case-preserving. All Windows NT family systems treat passwords as case-preserving and case-sensitive.

Example Configuration

The smb.conf parameter that sets user-level security is:

security = user

This is the default setting since Samba-2.2.x. See the User Level Security section of the Samba documentation for additional details.

Configuration file example

  • smb.conf sample:
#======================= Global Settings =======================

[global]
# Change this to the workgroup/NT-domain name your Samba server will part of
    workgroup = WORKGROUP

# server string is the equivalent of the NT Description field
    server string = %h server (Samba, Ubuntu)
    
    netbios name = SMBSERVER

#======================= Logging Settings ======================

# This tells Samba to use a separate log file for each machine
# that connects
    log file = /var/log/samba/log.%m

# We want Samba to log a minimum amount of information to syslog. Everything
# should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
# through syslog you should set the following parameter to something higher.
    syslog = 0

# max 250KB per log file (the value is in KB), then rotate
    max log size = 250

# Do something sensible when Samba crashes: mail the admin a backtrace
    panic action = /usr/share/samba/panic-action %d

#====================== Networking Settings =====================
# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
   interfaces = eth1
   hosts allow = 192.168.1.

# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself.  However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
   bind interfaces only = yes

#==================== Authentication Settings ===================

# You may wish to use password encryption.  See the section on
# 'encrypt passwords' in the smb.conf(5) manpage before enabling.
   encrypt passwords = true

# If you are using encrypted passwords, Samba will need to know what
# password database type you are using.  
   passdb backend = tdbsam

   obey pam restrictions = yes

# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
   unix password sync = yes

# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan <kahan@informatik.tu-muenchen.de> for
# sending the correct chat script for the passwd program in Debian Sarge).
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
   pam password change = yes

# This option controls how unsuccessful authentication attempts are mapped
# to anonymous connections
   map to guest = bad user

# Allow users who've been granted usershare privileges to create
# public shares, not just authenticated ones
   usershare allow guests = yes

#======================= Share Definitions =======================
[public]
    comment = Public
    path = /public
    browseable = yes
# 'public' is a synonym for 'guest ok': anyone can connect without credentials
    public = yes
# 'read only' and 'writeable' are inverse synonyms and the last one listed wins,
# so set only one of them; a guest-accessible share should stay read-only
    read only = yes

[secure]
    comment = Secure
    path = /secure
    guest ok = no
    writable = yes
    browsable = yes
    valid users = @smbgrp
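As an added check that is not part of this page or of Samba itself, the following Python 3 script resolves smb.conf synonyms the way Samba does (the last assignment of a key in a section wins, and "writeable" is the inverse of "read only") and reports shares that end up guest-writable, as well as a security mode other than "user". The SAMPLE configuration is constructed to mirror the [public] share above.

```python
import re

# smb.conf(5) synonyms: alias -> (canonical key, inverted?). A key's effective
# value is its LAST assignment in a section, so "read only = yes" followed by
# "writeable = yes" leaves the share writable.
SYNONYMS = {"writeable": ("read only", True), "writable": ("read only", True),
            "write ok": ("read only", True), "public": ("guest ok", False),
            "browsable": ("browseable", False)}
TRUTHY = {"yes", "true", "1"}

def parse_smb_conf(text):
    sections, current = {}, None   # {section: {canonical key: [values]}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # smb.conf only has whole-line comments
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = (s.strip().lower() for s in line.split("=", 1))  # lower-case for boolean tests
            canon, invert = SYNONYMS.get(key, (key, False))
            if invert:                    # writeable = yes  ->  read only = no
                value = "no" if value in TRUTHY else "yes"
            sections[current].setdefault(canon, []).append(value)
    return sections

def audit(text):
    sections, findings = parse_smb_conf(text), []
    if sections.pop("global", {}).get("security", ["user"])[-1] != "user":
        findings.append("global: security is not 'user'")
    for name, sec in sections.items():   # whatever is left is a share
        for key, values in sec.items():
            if len(set(values)) > 1:
                findings.append(f"{name}: '{key}' assigned {values}; last value wins")
        guest = sec.get("guest ok", ["no"])[-1] in TRUTHY        # default: no guests
        writable = sec.get("read only", ["yes"])[-1] not in TRUTHY  # default: read-only
        if guest and writable:
            findings.append(f"{name}: guest-writable share")
    return findings

# Constructed input echoing the [public] share above, not a real server's file.
SAMPLE = """[global]
security = user
[public]
public = yes
read only = yes
writeable = yes
"""
```

Samba's own `testparm -s` prints the fully resolved configuration and is the authoritative check; this script only makes the synonym pitfalls visible on a host without Samba installed.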

Create necessary users/groups

To access the secure share you need to create the appropriate group and add users to it. All of the commands below require root privileges.

  • Create group
sudo addgroup smbgrp
  • Create user
sudo useradd john
  • Add user john to the smbgrp group
sudo adduser john smbgrp
  • Set the Unix password for john
sudo passwd john
  • Set the Samba password for john (the Unix account must already exist)
sudo smbpasswd -a john
  • Change the group ownership and permissions of the secure share (recursively, -R)
sudo chgrp -R smbgrp /secure
sudo chmod -R g+rwx /secure