Difference between revisions of "Configure SMB"
From Organic Design wiki
m (→Server configuration) |
({{legacy}}) |
||
(42 intermediate revisions by 3 users not shown) | |||
Line 1: | Line 1: | ||
+ | {{legacy}} | ||
{{procedure | {{procedure | ||
− | |description = | + | |description = The most convenient way for a user to managing their online files is through the standard filing system interface in their local desktop environment, i.e. as a normal file share. Because it's available via the Internet, it needs to be a secure solution. We have two methods of setting up this kind of secure access to users files which are described in this procedure. |
|role = sysop | |role = sysop | ||
+ | |status = in use | ||
}}__NOTOC__ | }}__NOTOC__ | ||
− | + | Here's an example of our samba configuration format for the '''/etc/samba/smb.conf''' file: | |
+ | <source> | ||
+ | [global] | ||
+ | workgroup = Foo | ||
+ | server string = Foo server | ||
+ | wins support = yes | ||
− | == | + | security = user |
− | + | encrypt passwords = yes | |
+ | password level = 3 | ||
+ | passdb backend = tdbsam | ||
− | = | + | invalid users = root daemon bin sys mail sshd bind www-data |
− | + | browseable = yes | |
− | + | writable = yes | |
− | + | create mask = 0777 | |
− | + | directory mask = 0777 | |
− | |||
− | |||
− | + | [staff] | |
− | * | + | path = /shared/staff |
− | + | comment = Our staff files | |
+ | valid users = henry alan tabatha | ||
+ | </source> | ||
+ | *'''password level = 3''' means account ''foo'', ''Foo'' and ''FOO'' are all equivalent user names | ||
+ | *'''log level = 4''' can be used to debug authentication and other problems, also directing at a single log file can help (instead of one per user) | ||
+ | *'''passdb backend = tdbsam''' means use the basic password backend instead of the older ''smbpasswd'' format or scalable ''ldapsam'' | ||
+ | *'''Note:''' whatever password backend is used, ''smbpasswd'' needs to be run for each user before they can begin accessing shares | ||
− | == | + | == Account synchronisation == |
− | + | The main issue with the initial configuration of Samba on the LAN server concerns the users and groups. What is the origin of the user/group information? and how does samba synchronise to it or use it to authenticate? Since all our servers run a wiki we decided to make the wiki the source of the users, passwords and groups information. To do this we instruct the local wiki daemon to set the unix and samba passwords whenever one is changed in the wiki. All this requires is to install the [[Extension:EventPipe|EventPipe extension]] on the server's administration wiki and ensure that it has a [[wikid.pl|wiki daemon]] configured and running. | |
− | + | *Later we need to only synchronise accounts that are in a particular wiki group | |
− | + | *Later we should also allow the shares to be created and configured through FS records | |
− | |||
− | |||
− | . . | ||
− | |||
− | |||
− | + | == Next steps == | |
− | + | *You may want to [[configure VPN]] remote access to the smb shares | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | == | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
== See also == | == See also == | ||
− | *[http:// | + | *[http://mercury.chem.pitt.edu/~sasha/LinuxFocus/English/March2002/article177.shtml Configuration tutorial] |
+ | *[http://oreilly.com/catalog/samba/chapter/book/ch06_02.html Controlling access to shares] | ||
+ | *[http://oreilly.com/catalog/samba/chapter/book/ch06_03.html Authentication security] | ||
+ | *[http://oreilly.com/catalog/samba/chapter/book/ch06_04.html Passwords] |
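Review bot: in the added [global] block, writable = yes, create mask = 0777 and directory mask = 0777 become the defaults for every share, which sits badly with the new description's statement that the shares are available via the Internet and need to be secure. A mask of 0777 lets files and directories created through a share carry world-write permission on the server. Consider narrowing both masks to what the staff accounts need and moving writable = yes under [staff], so that a share added later does not inherit write access and open permissions by default.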
Latest revision as of 21:25, 3 June 2018
Configure SMB Organic Design procedure
Here's an example of our Samba configuration format for the /etc/samba/smb.conf file:

[global]
workgroup = Foo
server string = Foo server
wins support = yes
security = user
encrypt passwords = yes
password level = 3
passdb backend = tdbsam
invalid users = root daemon bin sys mail sshd bind www-data
browseable = yes
writable = yes
create mask = 0777
directory mask = 0777

[staff]
path = /shared/staff
comment = Our staff files
valid users = henry alan tabatha

- password level = 3 means account foo, Foo and FOO are all equivalent user names
- log level = 4 can be used to debug authentication and other problems; directing the output to a single log file (instead of one per user) can also help
- passdb backend = tdbsam means use the basic password backend instead of the older smbpasswd format or the scalable ldapsam
- Note: whatever password backend is used, smbpasswd needs to be run for each user before they can begin accessing shares
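
A check for two points raised by this configuration, as an added example (not Organic Design's own code): it merges the [global] defaults into each share, flags masks that permit world-writable files, and lists valid users with no entry in the password backend, i.e. accounts for which smbpasswd has not been run yet. The function names and the sample pdbedit -L output are constructed for illustration.

```python
# Constructed inputs: an excerpt of the page's smb.conf and sample `pdbedit -L` output.
SMB_CONF = """\
[global]
security = user
passdb backend = tdbsam
writable = yes
create mask = 0777
directory mask = 0777

[staff]
path = /shared/staff
valid users = henry alan tabatha
"""
PDBEDIT_L = "henry:1001:\nalan:1002:\n"  # tabatha not yet added with smbpasswd
# Samba's built-in values when a mask is not set anywhere
DEFAULTS = {"createmask": "0744", "directorymask": "0755"}

def parse(text):
    """Return {section: {option: value}}; names are case- and space-insensitive."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current["".join(key.lower().split())] = value.strip()
    return sections

def audit(conf_text, pdbedit_text):
    """List (share, finding) pairs; parameter synonyms are not resolved."""
    conf = parse(conf_text)
    known = {l.split(":", 1)[0] for l in pdbedit_text.splitlines() if l}
    findings = []
    for name, opts in conf.items():
        if name == "global":
            continue
        share = {**DEFAULTS, **conf.get("global", {}), **opts}  # share overrides global
        for opt in ("createmask", "directorymask"):
            if int(share[opt], 8) & 0o002:  # world-write bit allowed by the mask
                findings.append((name, f"{opt} permits world-writable"))
        for user in share.get("validusers", "").replace(",", " ").split():
            if user[0] not in "@+&" and user not in known:  # skip group entries
                findings.append((name, f"{user} has no passdb entry"))
    return findings
```

On a live server the second argument would be the output of pdbedit -L and the first the contents of /etc/samba/smb.conf.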
Account synchronisation
The main issue with the initial configuration of Samba on the LAN server concerns the users and groups: what is the origin of the user/group information, and how does Samba synchronise to it or use it to authenticate? Since all our servers run a wiki, we decided to make the wiki the source of the user, password and group information. To do this we instruct the local wiki daemon to set the Unix and Samba passwords whenever one is changed in the wiki. All this requires is to install the EventPipe extension on the server's administration wiki and ensure that it has a wiki daemon configured and running.
- Later we need to synchronise only accounts that are in a particular wiki group
- Later we should also allow the shares to be created and configured through FS records
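
One way a password-change hook could set both passwords, as an added example (not the wiki daemon's or the EventPipe extension's own code): the secret is passed on standard input rather than on the command line, and account names are checked before any command runs. The names build_jobs, sync_password, BLOCKED and USERNAME are hypothetical; it assumes the Unix account already exists and the hook runs as root.

```python
import re
import subprocess

# Accounts the page's smb.conf lists under `invalid users`
BLOCKED = set("root daemon bin sys mail sshd bind www-data".split())
# Conservative account-name pattern (an assumption, not a Samba rule)
USERNAME = re.compile(r"[a-z_][a-z0-9_-]{0,31}")

def build_jobs(user, password):
    """Return [(argv, stdin_text)] that set the Unix and Samba passwords."""
    if not USERNAME.fullmatch(user) or user in BLOCKED:
        raise ValueError(f"refusing account name {user!r}")
    # A line break would start a second record in chpasswd's input and
    # would split the two password lines that smbpasswd -s reads.
    if not password or any(c in password for c in "\r\n\0"):
        raise ValueError("password is empty or contains a line break")
    return [
        (["chpasswd"], f"{user}:{password}\n"),
        (["smbpasswd", "-s", "-a", user], f"{password}\n{password}\n"),
    ]

def sync_password(user, password, run=subprocess.run):
    """Apply a password change; the secret goes on stdin, never in argv."""
    for argv, stdin_text in build_jobs(user, password):
        run(argv, input=stdin_text, text=True, check=True)
```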
Next steps
- You may want to configure VPN remote access to the SMB shares