Difference between revisions of "Configure SMB"

From Organic Design wiki
m (Samba)
(Samba: notes)
Line 14: Line 14:
 
server string = Foo server
 
server string = Foo server
 
wins support = yes
 
wins support = yes
dns proxy = no
 
  
 
security = user
 
security = user
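Review bot: the `dns proxy = no` line is dropped in this hunk without any explanation in the edit summary or the added notes. Samba's default is `dns proxy = yes`, and with `wins support = yes` kept, nmbd will now look up unregistered NetBIOS names in DNS on behalf of clients. Either keep the line or add a note saying the default is wanted.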
Line 20: Line 19:
 
password level = 3
 
password level = 3
 
passdb backend = tdbsam
 
passdb backend = tdbsam
obey pam restrictions = yes
 
  
 
invalid users = root daemon bin sys mail sshd bind www-data
 
invalid users = root daemon bin sys mail sshd bind www-data
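Review bot: `obey pam restrictions = yes` is removed here and none of the added notes says why. Without it Samba ignores PAM account and session management, so restrictions placed on a unix account through PAM no longer apply to that user's SMB logins. Keep the line, or document that this is intended.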
Line 32: Line 30:
  
 
</pre>}}
 
</pre>}}
 +
*'''password level = 3''' means account ''foo'', ''Foo'' and ''FOO'' are all equivalent user names
 +
*'''passdb backend = tdbsam''' means use the basic password backend instead of the older ''smbpasswd'' format or scalable ''ldapsam''
  
 
== Internet access using Samba over VPN ==
 
== Internet access using Samba over VPN ==
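Review bot: the added note for `password level = 3` describes user-name case, but `password level` sets how many upper-case letters Samba will try in a plain-text password; user-name case matching is controlled by `username level`. The parameter is only consulted for plain-text passwords, so reword the note or use the parameter that matches the intent.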

Revision as of 06:30, 27 May 2009

Configure SMB
Organic Design procedure

Samba

The main issue with the initial configuration of Samba on the LAN server concerns the users and groups: what is the origin of the user and group information, and how does Samba synchronise with it or use it to authenticate? Since all our servers run a wiki, we decided to make the wiki the source of user, password and group information. To do this we instruct the local wiki daemon to set the unix and Samba passwords whenever one is changed in the wiki. The wiki user's groups determine each share's valid users and admin users directives.

The following global configuration directives should be set in /etc/smb.conf:

[global]
	workgroup = Foo
	server string = Foo server
	wins support = yes

	security = user
	encrypt passwords = yes
	password level = 3
	passdb backend = tdbsam

	invalid users = root daemon bin sys mail sshd bind www-data
	browseable = yes
	writable = yes

[staff]
	path = /shared/staff
	comment = Our staff files
	valid users = henry alan tabatha

  • password level = 3 means account foo, Foo and FOO are all equivalent user names
  • passdb backend = tdbsam means use the basic password backend instead of the older smbpasswd format or scalable ldapsam

Internet access using Samba over VPN

This is basically just a normal Samba installation, which is included in the install a new server procedure. Samba is not a very secure protocol, however, so if it is used to share resources with Internet clients it must be protected with a VPN. It is therefore probably the best solution for file sharing only if your organisation is already using a VPN to connect remote users into your LAN.

Once a VPN has been set up with the install a new VPN procedure, all the workstations which are connected to the same VPN connection form part of a "virtual LAN" and they can all publish and use resources shared in that LAN such as shared directories, printers and services. They all show up in the normal "network places" or equivalent even though the hosts can be located in diverse locations around the internet, and all these connections are encrypted and secure.

  • To ensure that Samba ports are only exposed to the private VPN side, set the interfaces directive in /etc/samba/smbd.conf to tun0.
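
A check for the binding described in the note above, as an added example that is not part of the original procedure or Organic Design's code: it audits smb.conf text for VPN-only exposure. It assumes the VPN interface is tun0 as on this page and also tests Samba's `bind interfaces only` parameter, which the page does not mention; the sample configuration is constructed.

```python
# Added example: audit smb.conf for VPN-only exposure. Not Organic Design code.
SAMPLE = """\
[global]
    workgroup = Foo
    security = user
    invalid users = root daemon bin sys mail sshd bind www-data
    interfaces = tun0

[staff]
    path = /shared/staff
"""  # constructed: the page's settings plus the interfaces line from the note

TRUE_VALUES = {"yes", "true", "on", "1"}   # spellings Samba accepts for a boolean


def parse_smb_conf(text):
    """Return {section: {parameter: value}} with normalised parameter names."""
    conf, section = {}, None
    for raw in text.replace("\\\n", "").splitlines():   # join "\" continuations
        line = raw.strip()
        if not line or line[0] in "#;":                  # blank or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            # Samba ignores case and whitespace inside parameter names.
            conf[section]["".join(key.lower().split())] = value.strip()
    return conf


def audit_vpn_binding(text, vpn_if="tun0"):
    """List reasons why smbd may be reachable from outside the VPN interface."""
    glob = parse_smb_conf(text).get("global", {})
    ifaces = glob.get("interfaces", "").replace(",", " ").split()
    findings = []
    if vpn_if not in ifaces:
        findings.append(f"interfaces does not list {vpn_if}")
    extra = [i for i in ifaces
             if i != vpn_if and i != "lo" and not i.startswith("127.")]
    if extra:
        findings.append("interfaces also lists: " + " ".join(extra))
    if glob.get("bindinterfacesonly", "no").lower() not in TRUE_VALUES:
        findings.append("bind interfaces only is not enabled, so smbd still "
                        "accepts connections on every interface")
    return findings


if __name__ == "__main__":
    for finding in audit_vpn_binding(SAMPLE):
        print("FINDING:", finding)
```

The sample reports one finding because `interfaces` on its own does not stop smbd from listening elsewhere; adding `bind interfaces only = yes` to the global section clears it.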

Internet access using SFTP

The first method is SFTP, which uses the existing SSH protocol to transfer files; workstations can map this connection into the file system like a normal file share.

Setting up access for Ubuntu workstations

On Ubuntu, SFTP integration with the file system is a standard feature. Simply go to Places/Connect to server, select SSH and fill in the authentication details, and the resource will be mounted as usual.

See also