Difference between revisions of "Configure SMB"
m (moved Creating an internet file share to Configure file sharing) |
(Samba) |
||
| Line 5: | Line 5: | ||
}}__NOTOC__ | }}__NOTOC__ | ||
| − | == SFTP == | + | == Samba == |
| + | The main issue with the initial configuration of Samba on the LAN server concerns the users and groups. What is the origin of the user/group information? and how does samba synchronise to it or use it to authenticate? Since all our servers run a wiki we decided to make the wiki the source of the users, passwords and groups information. To do this we instruct the local wiki daemon to set the unix and samba passwords whenever one is changed in the wiki. The wiki user's groups determine the share's ''valid users'' and ''admin users'' directives. | ||
| + | |||
| + | == Internet access using Samba over VPN == | ||
| + | This is basically just a normal Samba installation which is included in the [[install a new server]] procedure, but Samba is not a very secure protocol, and so if used to share resources to Internet clients, it must be protected with a [[w:VPN|VPN]] and so is probably only the best solution for file sharing if your organisation is already using a VPN to connect remote users into your LAN. | ||
| + | |||
| + | Once a [[w:VPN|VPN]] has been set up with the [[install a new VPN]] procedure, all the workstations which are connected to the same VPN connection form part of a "virtual LAN" and they can all publish and use resources shared in that LAN such as shared directories, printers and services. They all show up in the normal "network places" or equivalent even though the hosts can be located in diverse locations around the internet, and all these connections are encrypted and secure. | ||
| + | *To ensure that Samba ports are only exposed to the private VPN side, set the ''interfaces'' directive in ''/etc/samba/smbd.conf'' to ''tun0''. | ||
| + | |||
| + | == Internet access using SFTP == | ||
The first method is [[w:SFTP|SFTP]] which uses existing [[w:SSH|SSH]] protocol to transfer files, and the workstations can map this connectivity in to the file system like a normal file share. | The first method is [[w:SFTP|SFTP]] which uses existing [[w:SSH|SSH]] protocol to transfer files, and the workstations can map this connectivity in to the file system like a normal file share. | ||
*Don't forget that additional users created with ''adduser''' also need to be added to ''AllowedUsers'' in ''/etc/ssh/sshd_config'' | *Don't forget that additional users created with ''adduser''' also need to be added to ''AllowedUsers'' in ''/etc/ssh/sshd_config'' | ||
| Line 15: | Line 24: | ||
On Ubuntu, SFTP integration with the file system is a standard feature, simply go in to ''Places/Connect to server'', select ''SSH'', fill in the authentication details and the resource will be mounted as usual. | On Ubuntu, SFTP integration with the file system is a standard feature, simply go in to ''Places/Connect to server'', select ''SSH'', fill in the authentication details and the resource will be mounted as usual. | ||
| − | === | + | == See also == |
| − | + | *[http://oreilly.com/catalog/samba/chapter/book/ch06_02.html Controlling access to shares] | |
| − | * | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
Revision as of 11:08, 23 May 2009
|
Configure SMB Organic Design procedure |
Samba
The main issue with the initial configuration of Samba on the LAN server concerns the users and groups. What is the origin of the user/group information? and how does samba synchronise to it or use it to authenticate? Since all our servers run a wiki we decided to make the wiki the source of the users, passwords and groups information. To do this we instruct the local wiki daemon to set the unix and samba passwords whenever one is changed in the wiki. The wiki user's groups determine the share's valid users and admin users directives.
Internet access using Samba over VPN
This is basically just a normal Samba installation which is included in the install a new server procedure, but Samba is not a very secure protocol, and so if used to share resources to Internet clients, it must be protected with a VPN and so is probably only the best solution for file sharing if your organisation is already using a VPN to connect remote users into your LAN.
Once a VPN has been set up with the install a new VPN procedure, all the workstations which are connected to the same VPN connection form part of a "virtual LAN" and they can all publish and use resources shared in that LAN such as shared directories, printers and services. They all show up in the normal "network places" or equivalent even though the hosts can be located in diverse locations around the internet, and all these connections are encrypted and secure.
- To ensure that Samba ports are only exposed to the private VPN side, set the interfaces directive in /etc/samba/smbd.conf to tun0.
Internet access using SFTP
The first method is SFTP which uses existing SSH protocol to transfer files, and the workstations can map this connectivity in to the file system like a normal file share.
- Don't forget that additional users created with adduser' also need to be added to AllowedUsers in /etc/ssh/sshd_config
- We really need to upgrade to openssh-server 4.8 for the chroot-jail option
- Another OpenSSH4.9 chroot example
- Chroot jail with OpenSSH5.0+
Setting up access for Ubuntu workstations
On Ubuntu, SFTP integration with the file system is a standard feature, simply go in to Places/Connect to server, select SSH, fill in the authentication details and the resource will be mounted as usual.
.jpg){kind=link}
