Applications\Samba and Users
Samba allows file sharing with other network computers. Users of this Linux machine require a separate Samba password to access files shared by it. Users can also be grouped for easy identification. If Windows machines are involved in the network, Windows will automatically use the current user's username and password to access shares from the Linux machine. If the passwords and usernames are the same, the file sharing from the Linux machine will be secure but the login process will be transparent for the user on the Windows machine. Before configuring the file sharing, you must set up users using the following commands. It is also important to be aware of the terminology.
- Linux user
  - is a user on the computer
- Linux password
  - is required for a Linux user in order to access the system. If this password does not exist, the user cannot log on directly to the system even though they have an account.
- Samba password
  - is required for a Linux user to be able to access file shares in Samba
- groupadd
  - creates a Linux user group
- usermod
  - modifies users and can add them to groups
- smbpasswd
  - sets a Samba password for the Linux user
- useradd
  - adds a Linux user to the system
In this example my user is wp and a guest user called ro is created. Samba passwords will be assigned to both users and both users will be assigned to the group willpowered. The following commands in a terminal will complete the user setup; the smbpasswd command will prompt you to enter a Samba password. I suggest using ro for ro's Samba password. Setting your own smbpasswd to be your Windows password is important for convenience.
$ sudo groupadd willpowered
$ sudo usermod -aG willpowered wp
$ sudo smbpasswd -a wp
$ sudo useradd ro
$ sudo usermod -aG willpowered ro
$ sudo smbpasswd -a ro
The users have now been fully set up and you are ready to configure the file shares. The entire Samba configuration is based on the /etc/samba/smb.conf file. The default file is full of notes and information, but it's really easy to comprehend once you know the basics. Ignoring printer sharing, there are two groups of information in an smb.conf file: the [global] information relating to all file shares, and the file shares themselves. File shares come in two forms, write and read only.
smb.conf is edited using the following command.
$ sudo nano /etc/samba/smb.conf
You can read all the comments and learn a bit more about samba file sharing but the basics you will need are contained here. First of all remove all content from the file and enter the following at the top of the file.
[global]
   workgroup = MSHOME
   server string = Computer
   security = user
   interfaces = eth0
   bind interfaces only = yes
   hosts allow = 192.168.1.0/24
   hosts deny = 0.0.0.0/0
   dns proxy = no
   invalid users = root
   mangled names = no
   log file = /var/log/samba/log.%m
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   map to guest = bad user
   usershare allow guests = yes

[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   guest ok = no
   read only = yes
   create mask = 0700

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no
Read the following information and alter the global information to suit your purposes.
- workgroup
  - The Microsoft workgroup you want your computer to be part of. Default workgroups are WORKGROUP (Vista) and MSHOME (pre-Vista).
- server string
  - A description of your server which can be visible from some network clients. The actual server name was defined during install.
- security = user
  - This means the security of the shares is based on the users present on the computer. This is important.
- interfaces = eth0
  - This limits the Samba network traffic to your default Ethernet port. You should not need to change this.
- bind interfaces only = yes
  - Enforces the setting above: Samba only listens on the interfaces listed there.
- hosts allow = 192.168.1.0/24
  - This restricts allowed hosts to computers on your network. You should change it if your network is not 192.168.1.something based. You can find this out by typing "ifconfig" into a terminal and looking at the output for eth0.
- hosts deny = 0.0.0.0/0
  - This reinforces security by denying every host that is not matched by "hosts allow".
- dns proxy = no
  - More security: it stops Samba from looking up unregistered NetBIOS names in DNS on behalf of clients. Remove this line or set it to yes if you know you have a DNS proxy involved in your network.
- invalid users = root
  - Again more security: users listed here can never log in to a share. You can add other users to this list if you wish.
- mangled names = no
  - Disables 8.3 filenames. Basically, if you have a long directory or file name it will be mangled into a shorter format known as 8.3, but this can lead to directory access issues and also makes it impossible to know what you named the file without looking at it in Ubuntu.
Having set the [global] rules, you can now define shares underneath it. If you would like to be able to access your /home partitions (i.e. /home/wp if you are wp) enter the following syntax.
[homes]
   comment = Home Directories
   browseable = no
   valid users = %S
   write list = %S
   read only = no
   create mask = 0750
   directory mask = 0750
Now you can define the other shares you would like to set up. As I said earlier there are two kinds, write and read only. Read the following list of syntax first.
- [name]
  - This starts the definition of a share and also is the name of the share itself. In this case the share would be accessible from \\computer\name.
- path
  - This is the complete path of the directory you would like to share with the network.
- valid users
  - This controls the users which can use this share. You can either enter the names separated by commas or the group name with an @ sign before it.
- write list/read list
  - This controls the actual writing or reading. I normally set it to the same value as the "valid users" syntax.
- read only
  - This is the most important setting as it controls whether the share is read only or not. If set to no, users can add files to the share; if set to yes, they can only copy out of the share.
- create mask = 0750
  - This syntax must only be included if the share is "read only = no". The numbers control the permissions of the files: 0750 means that the owner has full control (7), other group users can read the file but not alter it (5) and everyone else has no access (0).
- directory mask = 0750
  - Again, this syntax must only be included if the share is "read only = no" and if the above syntax is also present. This time the numbers control the permissions of the directory.
Use the following examples to create your own share or shares.
[writeableDirectory]
   path = /path/to/directory
   valid users = wp
   write list = wp
   read only = no
   create mask = 0750
   directory mask = 0750

[readOnlyDirectory]
   path = /path/to/directory
   valid users = @willpowered
   read list = @willpowered
   read only = yes
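How "valid users", "write list", "read list" and "read only" combine for the two example shares can be checked with the following added sketch. It is not part of the original guide and not Samba's own code; the names SAMPLE_CONF, GROUPS, parse_conf, in_list and access are hypothetical, and it only handles plain user names and @group entries as used on this page.

```python
# Constructed sample: the two example shares above plus one [global] line.
SAMPLE_CONF = """\
[global]
   invalid users = root
[writeableDirectory]
   valid users = wp
   write list = wp
   read only = no
[readOnlyDirectory]
   valid users = @willpowered
   read list = @willpowered
   read only = yes
"""
# Constructed group membership, mirroring the usermod commands in this guide.
GROUPS = {"willpowered": {"wp", "ro"}}

def parse_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1], {})
        elif "=" in line and line[0] not in "#;" and section is not None:
            key, value = line.split("=", 1)
            # Parameter names are case-insensitive; normalise the spacing too.
            section[" ".join(key.lower().split())] = value.strip()
    return conf

def in_list(user, value, groups):
    """True if user is named in a user list or is a member of an @group in it."""
    for item in value.replace(",", " ").split():
        if item == user or (item[0] == "@" and user in groups.get(item[1:], ())):
            return True
    return False

def access(conf, share, user, groups=GROUPS):
    """Return 'none', 'read' or 'write' for user on share (Samba level only)."""
    opts = {**conf.get("global", {}), **conf[share]}  # share settings override
    if in_list(user, opts.get("invalid users", ""), groups):
        return "none"                                 # invalid users always wins
    valid = opts.get("valid users", "")
    if valid and not in_list(user, valid, groups):
        return "none"                                 # not allowed to connect
    if in_list(user, opts.get("write list", ""), groups):
        return "write"                                # write list beats read only
    if in_list(user, opts.get("read list", ""), groups):
        return "read"                                 # read list forces read-only
    read_only = opts.get("read only", "yes").lower() in ("yes", "true", "on", "1")
    return "read" if read_only else "write"
```

The result is only what Samba itself would allow; the Linux ownership and permissions of the shared directory still apply on top of it.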
Save and exit once you are satisfied with the share definitions. Back in the terminal, type "testparm" and press enter. This will test smb.conf to see if it is valid. If it is, run the following command to enable your changes.
$ sudo service smbd restart && sudo service nmbd restart
NOTE: it is also important to restart Samba if the IP address of the computer changes or if smb.conf is modified whilst Samba is running. Check your shares from another computer, make sure you can see them all and that you can write in the ones you are supposed to write in. If you have difficulty with a share, try the following commands, where directory is the same directory that you entered and wp and willpowered are the appropriate user and group, respectively.
$ sudo chown -R wp:willpowered /directory
$ sudo chmod -R 750 /directory