Difference between revisions of "Configure SMB"

From Organic Design wiki
m (Creating Keys)
({{legacy}})
 
(47 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 +
{{legacy}}
 
{{procedure
 
{{procedure
|description = '''(Incomplete)''' This procedure defines the steps required to set up a shared file directory over the Internet. The share should require authentication and be carried out over a secure connection.
+
|description = The most convenient way for a user to managing their online files is through the standard filing system interface in their local desktop environment, i.e. as a normal file share. Because it's available via the Internet, it needs to be a secure solution. We have two methods of setting up this kind of secure access to users files which are described in this procedure.
 
|role = sysop
 
|role = sysop
 +
|status = in use
 
}}__NOTOC__
 
}}__NOTOC__
  
After doing some research, it seems that the most popular and reliable way of achieving an internet-based file share is using [[w:Samba (software)|Samba]] over a [[w:VPN|Virtual Private Network (VPN)]]. Other solutions such as [[w:WebDav|WebDav]] have turned out to be unreliable and temperamental.
+
Here's an example of our samba configuration format for the '''/etc/samba/smb.conf''' file:
 +
<source>
 +
[global]
 +
workgroup = Foo
 +
server string = Foo server
 +
wins support = yes
  
== OpenVPN ==
+
security = user
OpenVPN is a full-featured SSL VPN solution which can accomodate a wide range of configurations, including remote access, site-to-site VPNs, WiFi security, and enterprise-scale remote access solutions with load balancing, failover, and fine-grained access-controls. OpenVPN is a single program that is run on both the server hosting the share, and on the clients which will be accessing it.
+
encrypt passwords = yes
 +
password level = 3
 +
passdb backend = tdbsam
  
=== Server configuration ===
+
invalid users = root daemon bin sys mail sshd bind www-data
First install OpenVPN using '''apt-get install openvpn'''
+
browseable = yes
The first choice in VPN configuration is whether to set it up using a ''bridging'' or ''routing'' methodology. Routing is very scalable and is transparent to the software using the network, but it is much more difficult to configure and maintain. The other option is ''bridging'' which is simpler to configure, but relies upon the software being used withint the network to be able to route host information itself. Since we only require one application (Samba) and it can be configured to route names as a WINS server, we have chosen to use the bridging configuration.
+
writable = yes
*The documentation for how to set it up in a bridging configuration can be found [http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html here].
+
create mask = 0777
*The general setup from which these instructions are derived is [http://openvpn.net/index.php/documentation/howto.html#quick here]
+
directory mask = 0777
  
=== Creating Keys ===
+
[staff]
There's a utility called ''easy-rsa'' in ''/usr/share/doc/openvpn/examples/easy-rsa'' which should be copied to another location (we use ''/etc/openvpn/easy-rsa''. The default values for all certificates generated can be updated in the ''vars'' file. First, configure ''easy-rsa'' with the following shell commands:
+
path = /shared/staff
<pre>
+
comment = Our staff files
cp -pR /usr/share/doc/openvpn/examples/easy-rsa /etc
+
valid users = henry alan tabatha
cd /etc/easy-rsa
+
</source>
mkdir keys
+
*'''password level = 3''' means account ''foo'', ''Foo'' and ''FOO'' are all equivalent user names
. ./vars
+
*'''log level = 4''' can be used to debug authentication and other problems, also directing at a single log file can help (instead of one per user)
./clean-all
+
*'''passdb backend = tdbsam''' means use the basic password backend instead of the older ''smbpasswd'' format or scalable ''ldapsam''
</pre>
+
*'''Note:''' whatever password backend is used, ''smbpasswd'' needs to be run for each user before they can begin accessing shares
  
Next we'll user ''easy-rsa'' to generate a master key, a server key and a couple of client keys (it's more secure for the client keys to be created locally, but we'll get that procedure sorted out another day!). Each of the commands requires a number of questions to be answered which can all be left as their defaults (which were set up in the ''vars'' file above), except for the ''common name'' setting which we'll set to "organicdesign-ca" for the master key, "server" for the server key, and the client name for all the client keys (e.g. "nad-laptop" or "zenia-office" for this example).
+
== Account synchronisation ==
<pre>
+
The main issue with the initial configuration of Samba on the LAN server concerns the users and groups. What is the origin of the user/group information? and how does samba synchronise to it or use it to authenticate? Since all our servers run a wiki we decided to make the wiki the source of the users, passwords and groups information. To do this we instruct the local wiki daemon to set the unix and samba passwords whenever one is changed in the wiki. All this requires is to install the [[Extension:EventPipe|EventPipe extension]] on the server's administration wiki and ensure that it has a [[wikid.pl|wiki daemon]] configured and running.
./build-ca
+
*Later we need to only synchronise accounts that are in a particular wiki group
./build-key-server server
+
*Later we should also allow the shares to be created and configured through FS records
./build-key nad-laptop
 
./build-key zenia-office
 
</pre>
 
Then after all the keys are made we must build the [[w:Diffie-Hellman key exchange|Diffie Hellman key exchange parameters]].
 
./build-dh
 
All the generated key files are in the ''easy-rsa/keys''. All the files having the ''.key'' suffix are secret and should only be communicated over encrypted connections like ''SCP''. The ''ca.crt'' file belongs on the server and all the client machines as well. The files that start with a client name belong on that client machine.
 
  
=== Setting up Ubuntu workstations ===
+
== Next steps ==
First install OpenVPN and the configuration GUI using '''apt-get install openvpn network-manager-openvpn'''. The GUI adds a "VPN Connections" item to the network menu from the system tray which VPN's can be added, removed and configured from.
+
*You may want to [[configure VPN]] remote access to the smb shares
  
=== Setting up on Windows workstations ===
+
== See also ==
On Windows OpenVPN is normally run from the console, which can be a little annoying to have lying on the taskbar all the time. OpenVPN GUI lets you run OpenVPN without this console window. Instead you get an icon in the notification area (the area on the right side of the taskbar) from which you can control OpenVPN to start/stop your VPN tunnels, view the log, change your password and other useful things.
+
*[http://mercury.chem.pitt.edu/~sasha/LinuxFocus/English/March2002/article177.shtml Configuration tutorial]
 
+
*[http://oreilly.com/catalog/samba/chapter/book/ch06_02.html Controlling access to shares]
The simplest setup (and the only one covered here) is if your internet connection is through a normal LAN or Wifi adapter and uses DHCP (i.e. "obtain IP address automatically" is ticked).
+
*[http://oreilly.com/catalog/samba/chapter/book/ch06_03.html Authentication security]
 
+
*[http://oreilly.com/catalog/samba/chapter/book/ch06_04.html Passwords]
After OpenVPN has been installed, you'll notice in network settings that an extra LAN connection has been added. First, right-click it and rename it to "OpenVPN". Then select both the original network connection that you connect to the internet through, and the OpenVPN connection, then right-click and select "Bridge connections" which takes a few seconds to complete. After that's done a new icon will appear in the network list called "Network bridge" or something which you can rename to "OpenVPN Bridge". No more settings are required if your original internet connection used DHCP.
 
 
 
*See [http://openvpn.se OpenVPN GUI for Windows]
 
*[http://www.pavelec.net/adam/openvpn/bridge OpenVPN Bridging with Windows HOWTO]
 
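Review bot: `create mask = 0777` and `directory mask = 0777` are placed in [global] alongside `writable = yes` and `browseable = yes`, so every share, [staff] included, creates world-readable and world-writable files and directories on disk; the `valid users = henry alan tabatha` line then only limits who reaches /shared/staff through Samba, not who can read or modify what is written there by any other path on the server. Suggest keeping the write and mask settings inside the share definition, e.g. `create mask = 0660` and `directory mask = 0770` with a group that matches the valid users. Minor: the new description reads "The most convenient way for a user to managing their online files", which should be "to manage".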

Latest revision as of 21:25, 3 June 2018

Legacy: This article describes a concept that has been superseded in the course of ongoing development on the Organic Design wiki. Please do not develop this any further or base work on this concept, this is only useful for a historic record of work done. You may find a link to the currently used concept or function in this article, if not you can contact the author to find out what has taken the place of this legacy item.
Configure SMB
Organic Design procedure

Here's an example of our samba configuration format for the /etc/samba/smb.conf file:

[global]
	workgroup = Foo
	server string = Foo server
	wins support = yes

	security = user
	encrypt passwords = yes
	password level = 3
	passdb backend = tdbsam

	invalid users = root daemon bin sys mail sshd bind www-data
	browseable = yes
	writable = yes
	create mask = 0777
	directory mask = 0777

[staff]
	path = /shared/staff
	comment = Our staff files
	valid users = henry alan tabatha

  • password level = 3 means account foo, Foo and FOO are all equivalent user names
  • log level = 4 can be used to debug authentication and other problems; directing all logging to a single log file (instead of one per user) also helps
  • passdb backend = tdbsam means use the basic TDB password backend instead of the older smbpasswd file format or the scalable ldapsam backend
  • Note: whatever password backend is used, smbpasswd needs to be run for each user before they can begin accessing shares
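As an added example (not code from the original page or the Organic Design project), the following Python parses an smb.conf like the one above, applies the [global] values to each share the way Samba does, and reports the settings a reviewer would question: `create mask`/`directory mask` with any "other" bits set, a writable share with no `valid users`, and `password level` above 0 (which, per the smb.conf man page, makes Samba try upper-case permutations of the password). The sample configuration is constructed from the page's example; the writable check assumes the `writable` spelling used there.

```python
from typing import Dict, List

# Constructed sample: the [global] and [staff] sections of this page's smb.conf.
SAMPLE = """
[global]
    security = user
    password level = 3
    passdb backend = tdbsam
    browseable = yes
    writable = yes
    create mask = 0777
    directory mask = 0777
[staff]
    path = /shared/staff
    valid users = henry alan tabatha
"""

def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse into {section: {param: value}}; names lower-cased, '#'/';' comments skipped."""
    conf: Dict[str, Dict[str, str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, val = line.partition("=")
            conf[section][key.strip().lower()] = val.strip()
    return conf

def audit(conf: Dict[str, Dict[str, str]]) -> List[str]:
    """Report weak settings per share, after applying [global] values to each share."""
    findings = []
    g = conf.get("global", {})
    if int(g.get("password level", "0")) > 0:
        findings.append("global: password level > 0 lets Samba accept case-permuted passwords")
    for share, own in conf.items():
        if share == "global":
            continue
        eff = {**g, **own}  # a share inherits every [global] value it does not override
        for param in ("create mask", "directory mask"):
            if int(eff.get(param, "0"), 8) & 0o007:  # any 'other' permission bit set
                findings.append(f"{share}: {param} {eff[param]} makes new files world-accessible")
        if eff.get("writable", "no").lower() == "yes" and not eff.get("valid users"):
            findings.append(f"{share}: writable with no 'valid users' restriction")
    return findings
```

Running `audit(parse_smb_conf(SAMPLE))` on the page's configuration reports the two 0777 masks inherited by [staff] and the password level setting; with 0770 masks and `password level = 0` it reports nothing.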

Account synchronisation

The main issue with the initial configuration of Samba on the LAN server concerns the users and groups. Where does the user/group information originate, and how does Samba synchronise with it or use it to authenticate? Since all our servers run a wiki, we decided to make the wiki the source of the user, password and group information. To do this we instruct the local wiki daemon to set the Unix and Samba passwords whenever one is changed in the wiki. All this requires is installing the EventPipe extension on the server's administration wiki and ensuring that it has a wiki daemon configured and running.

  • Later we need to only synchronise accounts that are in a particular wiki group
  • Later we should also allow the shares to be created and configured through FS records

Next steps

See also