Difference between revisions of "Configure SMB"

Configure SMB Organic Design procedure

Samba

Here's an example of our samba configuration format for the /etc/samba/smb.conf file:

[global]
	workgroup = Foo
	server string = Foo server
	wins support = yes

	security = user
	encrypt passwords = yes
	password level = 3
	passdb backend = tdbsam

	invalid users = root daemon bin sys mail sshd bind www-data
	browseable = yes
	writable = yes

[staff]
	path = /shared/staff
	comment = Our staff files
	valid users = henry alan tabatha

• password level = 3 means account foo, Foo and FOO are all equivalent user names
• log level = 4 can be used to debug authentication and other problems, also directing at a single log file can help (instead of one per user)
• passdb backend = tdbsam means use the basic password backend instead of the older smbpasswd format or scalable ldapsam
• Note: whatever password backend is used, smbpasswd needs to be run for each user before they can begin accessing shares

Account synchronisation

The main issue with the initial configuration of Samba on the LAN server concerns the users and groups. What is the origin of the user/group information? and how does samba synchronise to it or use it to authenticate? Since all our servers run a wiki we decided to make the wiki the source of the users, passwords and groups information. To do this we instruct the local wiki daemon to set the unix and samba passwords whenever one is changed in the wiki. All this requires is to install the EventPipe extension on the server's administration wiki and ensure that it has a wiki daemon configured and running.

• Later we need to only synchronise accounts that are in a particular wiki group
• Later we should also allow the shares to be created and configured through FS records

Internet access using Samba over VPN

This is basically just a normal Samba installation which is included in the install a new server procedure, but Samba is not a very secure protocol, and so if used to share resources to Internet clients, it must be protected with a VPN and so is probably only the best solution for file sharing if your organisation is already using a VPN to connect remote users into your LAN.

Once a VPN has been set up with the install a new VPN procedure, all the workstations which are connected to the same VPN connection form part of a "virtual LAN" and they can all publish and use resources shared in that LAN such as shared directories, printers and services. They all show up in the normal "network places" or equivalent even though the hosts can be located in diverse locations around the internet, and all these connections are encrypted and secure.

• To ensure that Samba ports are only exposed to the private VPN side, set the interfaces directive in /etc/samba/smbd.conf to tun0.

Internet access using SFTP

The first method is SFTP which uses existing SSH protocol to transfer files, and the workstations can map this connectivity in to the file system like a normal file share.

• Don't forget that additional users created with adduser' also need to be added to AllowedUsers in /etc/ssh/sshd_config
• We really need to upgrade to openssh-server 4.8 for the chroot-jail option
• Another OpenSSH4.9 chroot example
• Chroot jail with OpenSSH5.0+

Setting up access for Ubuntu workstations

On Ubuntu, SFTP integration with the file system is a standard feature, simply go in to Places/Connect to server, select SSH, fill in the authentication details and the resource will be mounted as usual.

See also

• Configuration tutorial
• Controlling access to shares
• Authentication security
• Passwords