Configure SMB

Configure SMB Organic Design procedure

Samba

The main issue with the initial configuration of Samba on the LAN server concerns the users and groups. What is the origin of the user/group information? and how does samba synchronise to it or use it to authenticate? Since all our servers run a wiki we decided to make the wiki the source of the users, passwords and groups information. To do this we instruct the local wiki daemon to set the unix and samba passwords whenever one is changed in the wiki. The wiki user's groups determine the share's valid users and admin users directives.

The following global configuration directives should be set it /etc/smb.conf:

[global]
	workgroup = KIWIGREEN
	server string = Kiwi Green Server
	wins support = yes
	dns proxy = no

	security = user
	encrypt passwords = yes
	password level = 3
	passdb backend = tdbsam
	obey pam restrictions = yes

	invalid users = root daemon bin sys mail sshd bind www-data
	browseable = yes
	writable = yes

[staff]
	path = /shared/staff
	comment = Our staff files
	valid users = henry alan tabatha

Internet access using Samba over VPN

This is basically just a normal Samba installation which is included in the install a new server procedure, but Samba is not a very secure protocol, and so if used to share resources to Internet clients, it must be protected with a VPN and so is probably only the best solution for file sharing if your organisation is already using a VPN to connect remote users into your LAN.

Once a VPN has been set up with the install a new VPN procedure, all the workstations which are connected to the same VPN connection form part of a "virtual LAN" and they can all publish and use resources shared in that LAN such as shared directories, printers and services. They all show up in the normal "network places" or equivalent even though the hosts can be located in diverse locations around the internet, and all these connections are encrypted and secure.

• To ensure that Samba ports are only exposed to the private VPN side, set the interfaces directive in /etc/samba/smbd.conf to tun0.

Internet access using SFTP

The first method is SFTP which uses existing SSH protocol to transfer files, and the workstations can map this connectivity in to the file system like a normal file share.

• Don't forget that additional users created with adduser' also need to be added to AllowedUsers in /etc/ssh/sshd_config
• We really need to upgrade to openssh-server 4.8 for the chroot-jail option
• Another OpenSSH4.9 chroot example
• Chroot jail with OpenSSH5.0+

Setting up access for Ubuntu workstations

On Ubuntu, SFTP integration with the file system is a standard feature, simply go in to Places/Connect to server, select SSH, fill in the authentication details and the resource will be mounted as usual.

See also

• Configuration tutorial
• Controlling access to shares
• Authentication security
• Passwords