Tutorial Setting Up Samba (File Sharing Server)

Taken from somewhere, but I forgot 😦

Tutorial: Setting Up Samba 3.x

admin – full access to workstation

teacher – almost full access to workstation – minus certain control panel functions

student – lockdown city – no network browsing, no software installation, no control panel

Workstations are joined to the Samba domain and function the same way they would in a Windows server based domain.

I will detail the steps to get a Samba lab up and running plus some caveats you may encounter.

Install Samba

This step is very distribution specific. Make sure that the version you install is at least 3.x and not 2.x. (Samba 3.x itself has long been out of support; current distributions ship Samba 4, which still accepts this style of classic NT4-domain smb.conf, but check the version you actually get.)

#yum install samba -y

Create Your Base Users And Groups

#groupadd admins
#groupadd teachers
#groupadd students

#useradd -m -s /bin/false -c "Samba Admin" -G admins administrator
#useradd -m -s /bin/false -c "Samba Generic Teacher" -G teachers teacher
#useradd -m -s /bin/false -c "Samba Generic Student" -G students student

#smbpasswd -a administrator
#smbpasswd -a teacher
#smbpasswd -a student

The /bin/false shell keeps these accounts from logging in at the console or over SSH; smbpasswd stores the separate Samba password hashes that the workstations authenticate against, so each account gets two passwords unless you keep them in sync.

Setup A Basic Config

a. Determine your NetBIOS server name and domain name. In my example I use FS1 as the server name and 'IDOM' as the domain name. Make sure that neither contains spaces; avoiding punctuation marks is preferable too.

b. Create your share directories and permissions

#mkdir /home/samba
#mkdir /home/samba/netlogon
#mkdir /home/samba/teachers
#mkdir /home/samba/software

#chgrp teachers /home/samba/teachers
#chgrp admins /home/samba/software
#chmod 775 /home/samba/teachers
#chmod 775 /home/samba/software

c. Example config

[global]
netbios name = FS1
workgroup = IDOM
passdb backend = smbpasswd
os level = 33
preferred master = yes
domain master = yes
local master = yes
security = user
domain logons = yes
#logon path = \\%N\profiles\%u
logon path =
#logon drive = H:
#logon home = \\homeserver\%u\winprofile
logon script = logon.bat
add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
# username map = /etc/samba/smbusers
admin users = @admins
printer admin = @admins
printing = cups
load printers = yes
printcap name = /etc/printcap
# print command = lp -c -d%p -oraw; rm %s
print command = lpr -l %s
# prevent mp3 files from being stored on the server
veto files = /*.mp3/*.divx/*.eml/

[homes]
comment = Home Directories
valid users = %S
browseable = No
read only = No
create mask = 0640
directory mask = 0750

[netlogon]
path = /home/samba/netlogon
read only = yes
write list = @admins
read list = @admins, @teachers, @students

[profiles]
path = /var/lib/samba/profiles
read only = no
create mask = 0600
directory mask = 0700

[printers]
comment = All Printers
path = /var/tmp
create mask = 0666
printable = Yes
guest ok = Yes
browseable = No

[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @admins, root
force group = admins
create mask = 0664
directory mask = 0775

[teachers]
comment = Shared area for teachers
path = /home/samba/teachers
valid users = @teachers
read list = @teachers
write list = @teachers
force group = teachers
read only = No
create mask = 0774
directory mask = 0775

[software]
comment = storage area for software and drivers
path = /home/samba/software
valid users = @teachers, @admins
admin users = @admins
read list = @teachers, @admins
write list = @admins
force group = admins
read only = No
create mask = 0774
directory mask = 0775
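A few of the settings above widen access more than the admin/teacher/student split suggests: 'admin users = @admins' in [global] lets every member of admins operate as root on every share (including [homes]), [printers] has 'guest ok = Yes' so clients can reach the spooler share without a domain account, and its 'create mask = 0666' leaves spool files world-writable. The following is an added example, not part of the original tutorial: a POSIX shell audit that reads an smb.conf-style file and lists exactly those kinds of findings. It needs no Samba installation; the sample config it builds is constructed here from a subset of the settings above. On a real server point it at /etc/samba/smb.conf, or better at the output of 'testparm -s', which normalises synonyms and fills in defaults.

```shell
#!/bin/sh
# Added example, not from the original tutorial: audit an smb.conf for
# settings that widen access. Needs only awk; Samba does not have to be
# installed. Findings are printed as "SECTION<TAB>finding".

audit_smbconf() {
    # $1: path to an smb.conf-style file
    awk '
        /^[ \t]*[#;]/ { next }                              # comment line
        { gsub(/^[ \t]+|[ \t]+$/, "") }                    # trim
        /^\[.*\]$/ { section = substr($0, 2, length($0) - 2); next }
        index($0, "=") > 0 {
            i = index($0, "=")
            key = tolower(substr($0, 1, i - 1)); sub(/[ \t]+$/, "", key)
            val = tolower(substr($0, i + 1));    sub(/^[ \t]+/, "", val)

            # guest ok (synonym: public) lets clients in without a domain account
            if ((key == "guest ok" || key == "public") && (val == "yes" || val == "true"))
                printf "%s\tguest ok = yes: no account needed\n", section

            # admin users run as root on the share; in [global] that means every share
            if (key == "admin users")
                printf "%s\tadmin users (%s) act as root%s\n", section, val,
                       (section == "global" ? " on every share" : "")

            # a mask or force mode whose "other" octal digit carries the write bit (2,3,6,7)
            if (key ~ /^(create|directory) (mask|mode)$/ || key ~ /^force (create|directory) mode$/) {
                if (index("2367", substr(val, length(val), 1)) > 0)
                    printf "%s\t%s = %s grants write to everyone\n", section, key, val
            }
        }' "$1"
}

make_sample_conf() {
    # Constructed sample: a subset of the tutorial config, plus a commented-out
    # share that must not produce findings. Prints the temp file path.
    f=$(mktemp)
    cat > "$f" <<'EOF'
[global]
   workgroup = IDOM
   security = user
   admin users = @admins
; [scratch]
;   guest ok = yes
[teachers]
   path = /home/samba/teachers
   valid users = @teachers
   read only = No
   create mask = 0774
[printers]
   path = /var/tmp
   guest ok = Yes
   create mask = 0666
   printable = Yes
EOF
    echo "$f"
}

# Demonstration on the constructed sample
sample=$(make_sample_conf)
audit_smbconf "$sample"
rm -f "$sample"
```

The audit only inspects what is literally in the file, so a share that inherits 'guest ok' or a mask from [global] is reported under global, not under the share; feed it 'testparm -s' output if you want the per-share effective values.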

Mapping Groups

You need to map your Unix groups to the domain groups using the 'net' command, which is relatively new in Samba 3. To view the available subcommands type 'net help' at the console, and check the mappings afterwards with 'net groupmap list'. Two caveats: if 'modify' complains that 'Domain Admins' or 'Domain Users' is not mapped yet, create the mapping instead with 'net groupmap add ntgroup="Domain Admins" unixgroup=admins rid=512 type=d' (Domain Users is rid 513); and on distributions whose useradd gives every user a private primary group (the Red Hat default), the accounts created above are not members of 'users', so either map 'Domain Users' to a group they actually belong to or create the accounts with '-g users'.

net groupmap modify ntgroup="Domain Admins" unixgroup=admins

net groupmap modify ntgroup="Domain Users" unixgroup=users

net groupmap add ntgroup="Teachers" unixgroup=teachers

net groupmap add ntgroup="Students" unixgroup=students

The Login Script

Set up a login script named 'logon.bat' in the /home/samba/netlogon directory. This script MUST be in DOS format, meaning that it must have a CRLF at the end of each line as opposed to the Linux LF-only convention. It is easiest to write the logon script in Notepad and put it in a share on the server, then use the 'mv' command to move it to the /home/samba/netlogon dir.

Oddly enough, Microsoft doesn't include an 'if member of group' in the login script processor, so you need to download 'ifmember.exe' and place it in the netlogon share manually in order to perform mappings based on group membership. You can download it from here. This login script also syncs the workstation time to the server time.

TITLE Domain Login script
REM Sync the workstation clock to the domain controller
net time \\FS1 /set /y
REM H: is the user's home directory from the account (served by the [homes] share)
net use h: /home
REM G: the smb.conf above defines a [software] share, not [apps]; rename one or the other
net use g: \\FS1\apps
REM ifmember sets ERRORLEVEL to the number of listed groups the user belongs to,
REM so ERRORLEVEL 0 means "not a teacher" and the teachers share is skipped
%logonserver%\netlogon\ifmember "teachers"
if not errorlevel 1 goto quit
net use f: \\FS1\teachers
:quit
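Samba serves logon.bat byte for byte, so an LF-only file fails on the workstation in confusing ways. Instead of round-tripping through Notepad, the conversion can be done on the server itself. The following is an added example, not part of the original post: two POSIX shell functions that convert a file to CRLF (idempotently, so a file that is already CRLF is left alone) and verify that every line ends in CR LF, using only awk so they work where unix2dos is not installed. The sample logon.bat it writes is constructed from the first lines of the script above.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: DOS line-ending
# conversion and check for files dropped into the netlogon share.

to_crlf() {
    # $1 input, $2 output (must differ). Any existing CR is stripped first,
    # so converting twice never produces "\r\r\n".
    awk '{ sub(/\r$/, ""); printf "%s\r\n", $0 }' "$1" > "$2"
}

is_crlf() {
    # Exit 0 only if the file is non-empty and every line ends in CR LF.
    awk 'BEGIN { ok = 1 } !/\r$/ { ok = 0 } END { exit !(ok && NR > 0) }' "$1"
}

make_sample_logon_bat() {
    # Constructed sample written the Linux way (LF only), as an editor on
    # the server would. Prints the temp file path.
    f=$(mktemp)
    printf '%s\n' 'TITLE Domain Login script' \
                  'net time \\FS1 /set /y' \
                  'net use h: /home' > "$f"
    echo "$f"
}

# Demonstration on the constructed sample
src=$(make_sample_logon_bat); dst=$(mktemp)
to_crlf "$src" "$dst"
is_crlf "$dst" && echo "converted: $(wc -c < "$src") -> $(wc -c < "$dst") bytes"
rm -f "$src" "$dst"
```

On the real server: 'to_crlf /path/from/share/logon.bat /home/samba/netlogon/logon.bat' and then 'is_crlf /home/samba/netlogon/logon.bat' before telling anyone to log in.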

Workstation Policies

Policies allow an administrator to 'lock down' a workstation. For instance, with policies the administrator and teachers can have access on the workstations to change control panel settings and add new programs, while students can be denied access to the control panel, display settings, command prompt, etc.

Use 'poledit.exe' to create an 'ntconfig.pol' permissions file and place it in the \\server\netlogon share. This file will contain the permissions for the 'Domain Admins', 'Teachers', and 'Students' groups. Poledit.exe is available from the NT Resource Kit (from http://www.microsoft.com), but in order to support XP workstations, custom control files (called ADM files) need to be downloaded and loaded into the Poledit utility. The custom ADM files can be downloaded from http://www.snipes.org/admfiles.zip .

Importing Workstations

In order to join Windows 2000/XP workstations to your new Samba domain, you may need to add the following registry entry on each workstation. The easiest way is to save the text as a file called 'samba.reg' and double-click it on the workstation. Setting requiresignorseal to 0 tells the workstation not to insist on a signed and sealed NetLogon secure channel to the domain controller; it is the same change as the WinXP_SignOrSeal.reg patch shipped in the docs/registry directory of the Samba tarball, and is only required when the server does not offer schannel. Samba 3 offers it by default ('server schannel = auto' in [global]), so try the join with the workstation default of 1 first; if you do have to set it to 0 to get the join through, set it back to 1 afterwards so the secure channel stays protected.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]

"requiresignorseal"=dword:00000000

After rebooting, right-click on the 'My Computer' icon and choose Properties. On the resulting screen change the computer from Workgroup to Domain and enter an administrator username and password (i.e. a user that is in the 'Domain Admins' group). You will be thanked for joining and you will be told to reboot.

Finishing Thoughts

Setting up Samba can be a very interesting adventure but well worth the effort. Once the basics are understood, a new lab can be setup in just a couple of hours and should require very little maintenance. There are many online references for Samba. I suggest going to your closest Samba mirror via http://www.samba.org and looking at the documentation section for further info.

Permission precedence

Samba has its own share-level permissions on top of the UNIX ones, and it helps to remember two things about how they combine.

(a) Linux file permissions take precedence over Samba permissions. If a directory does not grant Linux write permission to the user, setting writeable = Yes (see below) on the share will not let that user write to the shared directory.

(b) Samba cannot override filesystem-level restrictions either. If the filesystem is mounted read-only, writeable = Yes will not allow writes to any share on it.

In short (thanks to Craig in the comments):

Limits set by kernel-level access control such as file permissions, file system mount options, ACLs, and SELinux policies cannot be overridden by Samba. Both the kernel and Samba must permit the user to perform an action on a file before that action can occur.

How do I set permissions to Samba shares?

Samba's basic share permissions are as follows (configuration file is smb.conf [/etc/samba/smb.conf]):

* read only: Controls whether users can create or modify files within the share. The default is read only = Yes.

* guest ok: If this parameter is set to yes, users can access the share without entering a password. This poses a security risk.

* writeable: Specifies that users have write access to the share. It is the inverse of read only (writeable = Yes means read only = No).

You can create the share called helpfiles with read only permission

[helpfiles]
path = /usr/share/docs
read only = Yes

You can create the share called salesdoc with write permission

[salesdoc]
path = /home/shared/sales
writeable = Yes

You can also create a list of users to give write access to the share with write list option. For example allow rocky and tony to write to the share called sales:

[salesdoc]
path = /home/shared/sales
write list = rocky tony

You can use following options

* read list: This option accepts a list of usernames or groups as its value. Those users are given read-only access to the share, no matter what read only or writeable is set to.

* valid users: You can make a share available to specific users. Usernames or group names (prefixed with @) can be passed as its value.

* invalid users: Users or groups listed will be denied access to this share.

Samba mask permission

It is also possible to specify the default permissions of files and directories Samba creates using masks.

* create mask: An octal value that is ANDed with the permissions of every file Samba creates, so bits not set in the mask are cleared. The default is 0744.

* directory mask: The same for directories. Directories must keep the execute (search) bit for proper access. The default is 0755.

[salesdoc]
path = /home/shared/sales
write list = rocky sys
create mask = 0775
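The masks above are bitwise operations, and the precedence rule earlier is an AND of two layers, which is easier to see in code. The following calculators are an added example, not part of the original post. They assume Samba's documented derivation: a new file starts at 0666 (0766 when the DOS archive attribute is set and 'map archive' is on, which is what Windows and Samba do by default) and a new directory at 0777; that is ANDed with create mask or directory mask and then ORed with force create mode or force directory mode. effective_write then applies the kernel's own check on the target directory (write and search bits for the caller's class: owner, group or other) on top of the share's writeable setting, which is the "both must permit" rule from the previous section.

```shell
#!/bin/sh
# Added example, not from the original post: how Samba's masks and the
# kernel's directory permissions combine. Modes are octal strings as
# written in smb.conf (e.g. 0775).

oct() { printf '%d' "0$1"; }      # octal string -> decimal for $(( ))

samba_file_mode() {
    # $1 create mask, $2 force create mode (0 if empty), $3 "archive" if the
    # DOS archive attribute is set: with the default map archive = yes it
    # adds the owner execute bit. Base mode for files is 0666.
    base=$(oct 0666)
    [ "${3:-}" = "archive" ] && base=$(( base | $(oct 0100) ))
    printf '%04o\n' $(( (base & $(oct "$1")) | $(oct "${2:-0}") ))
}

samba_dir_mode() {
    # $1 directory mask, $2 force directory mode. Base mode for dirs is 0777.
    printf '%04o\n' $(( ($(oct 0777) & $(oct "$1")) | $(oct "${2:-0}") ))
}

effective_write() {
    # $1 mode of the target directory on disk, $2 caller class owner|group|other,
    # $3 the share's writeable value (yes|no). Prints allow or deny.
    # Creating a file needs both w and x on the directory for that class AND
    # a writeable share: Samba cannot grant what the kernel refuses.
    case $2 in
        owner) bits=$(( ($(oct "$1") >> 6) & 7 )) ;;
        group) bits=$(( ($(oct "$1") >> 3) & 7 )) ;;
        *)     bits=$(( $(oct "$1") & 7 )) ;;
    esac
    if [ "$3" = "yes" ] && [ $(( bits & 3 )) -eq 3 ]; then
        echo allow
    else
        echo deny
    fi
}

# Demonstration with the masks used on this page
echo "file, create mask 0744 (default), archive set:  $(samba_file_mode 0744 0 archive)"
echo "file, create mask 0774 ([teachers]), archive set: $(samba_file_mode 0774 0 archive)"
echo "file, create mask 0600 ([profiles]):             $(samba_file_mode 0600 0)"
echo "dir,  directory mask 0750 ([homes]):             $(samba_dir_mode 0750 0)"
echo "group member, dir 0775, writeable = yes: $(effective_write 0775 group yes)"
echo "group member, dir 0755, writeable = yes: $(effective_write 0755 group yes)"
echo "group member, dir 0775, writeable = no:  $(effective_write 0775 group no)"
```

The second effective_write line is the case from the precedence section: the share says writeable, the directory lacks the group write bit, and the kernel wins.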
