Setup Samba 3.5.3 In Linux
This is how I set up Samba on my network. It is a small network with 2 users, 3 laptops and 1 desktop acting as the server. The laptops are running MS-Windows Vista, a MacBook Air with Lion, and a MacBook Pro with Leopard. The desktop is running Linux and also hosts the Samba server.
Most Linux distributions have a package manager that will download and install Samba for you. Once it is installed you need to configure it, so do some planning first: how you are going to set it up, what you are going to share, and who is going to access it. If you don't have a firewall, you should also have one installed and running; without one, unwanted users or attackers can get into your server. I am going to use my setup as the example here. I have a firewall that uses iptables, but I also used a few Samba options to restrict access, and I still need to fine tune my firewall. Here is the list of shares:
- fileserver -> for applications
- drivers -> for system drivers and VirtualBox (vbox) VMs with an OS
- video/audio files -> this has MP3s and movies/TV shows
- projects -> this is shared for 1 person
- I could also share a printer; however, I don't have one.
Before I get into my configuration file, there are a few things you need to do. The first is to create a new user group; in this example I called it “me_user”. Add all the Samba users to this group; in this example the users are “louie” and “rick”. I keep my shares under /media/andShareName/. You need to be logged in as “root” for this next part. Make your directories and then make sure the file permissions are set. The first one I made is shareMedia, and then Music and eBooks under it. I want to be able to copy files from my laptop to the server and vice versa. Now open the file manager; here are some screenshots.
You need to go to the Permissions tab.
Make sure that the “Access Permissions” group is set to “Can View & Modify Contents” and the “Ownership” group is set to the name of the group, “me_user”.
If you don't change this setting you can get write/modify errors.
Now that your share permissions are set up, it's time to get into your configuration file. It is located at /etc/samba/smb.conf.
Here are the “Global Settings”.
#================Global Settings ============================
[global]
workgroup = Middle-Earth
netbios name = Rivendell
interfaces = eth0, lo
bind interfaces only = Yes
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*Password* %n\n *Re-enter*new*password*%n\n *Password*changed*
username map = /etc/samba/smbusers
unix password sync = Yes
hosts allow = 168.1.1., 127. , Rivendell.Middle-Earth
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 50
smb ports = 139
name resolve order = wins bcast hosts
time server = Yes
# printcap name = CUPS
# show add printer wizard = No
add user script = /usr/sbin/useradd -m '%u'
delete user script = /usr/sbin/userdel -r '%u'
add group script = /usr/sbin/groupadd '%g'
delete group script = /usr/sbin/groupdel '%g'
add user to group script = /usr/sbin/usermod -G '%g' '%u'
add machine script = /usr/sbin/useradd -s /bin/false -d /tmp '%u'
shutdown script = /var/lib/samba/scripts/shutdown.sh
abort shutdown script = /sbin/shutdown -c
logon home = \\%L\%U
domain logons = Yes
preferred master = Yes
wins support = Yes
utmp = Yes
unix extensions = no
map acl inherit = Yes
#cups options = Raw
# logon script = scripts\logon.bat
# logon path = \\%L\profiles\%U
# logon drive = X:
#================End Global Settings ============================
Any line that starts with “#” or “;” is ignored.
The “cups” options are for printing, and “logon script”, “logon path” and “logon drive” are used for MS-Windows; because the majority of my systems are not MS-Windows I decided not to use these options.
hosts allow = 168.1.1., 127. , Rivendell.Middle-Earth
This line will only allow anyone on the 168.1.1.(???) network to access the Samba server. This IP address is known as a “private address”, which is important because no one from the Internet can access your server. 127.0.0.0 is known as localhost (your computer). In short, the server will only accept connections from your network. But I didn't stop there; I enforced usernames and passwords as well, with the lines “username map = /etc/samba/smbusers” and “unix password sync = Yes”. This helps until I fine tune my firewall. Here is a snippet from my log file of someone trying to gain access to my server:
======================== log file ===========================
[2011/08/11 15:47:43.298195, 0] lib/access.c:410(check_access)
Denied connection from 12.36.234.124 (12.36.234.124)
[2011/08/11 15:47:43.298253, 1] smbd/process.c:2295(smbd_process)
Connection denied from 12.36.234.124
[2011/08/11 15:47:43.385999, 0] lib/access.c:410(check_access)
[2011/08/11 15:47:43.386039, 0] lib/util_sock.c:1441(get_peer_addr_internal)
getpeername failed. Error was Transport endpoint is not connected
======================== end of file =========================
So I know that the access control is working, but it will be even better once I fine tune my firewall, which will make it much harder to break into my server.
Now for the shares section of my smb.conf file:
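As an added example that is not part of the original post, here is a small Python script that re-implements the trailing-dot prefix rule of “hosts allow” for the value above, pulls the “Denied connection” lines out of a log like the excerpt, and reports whether each allowed prefix actually sits inside RFC 1918 or loopback space (the property the text relies on). The parsing logic and the second denied address (168.1.1.77) are my own constructions, not Samba's code or the author's log.

```python
import ipaddress
import re
# The hosts allow value exactly as it appears in the smb.conf above.
HOSTS_ALLOW = "168.1.1., 127. , Rivendell.Middle-Earth"
# The log excerpt above, plus one constructed denial from inside the allowed range.
SAMPLE_LOG = """\
[2011/08/11 15:47:43.298195, 0] lib/access.c:410(check_access)
  Denied connection from 12.36.234.124 (12.36.234.124)
[2011/08/11 15:47:43.298253, 1] smbd/process.c:2295(smbd_process)
  Connection denied from 12.36.234.124
[2011/08/11 16:02:10.000000, 0] lib/access.c:410(check_access)
  Denied connection from 168.1.1.77 (168.1.1.77)
"""
DENIED_RE = re.compile(r"Denied connection from (\d+\.\d+\.\d+\.\d+)")
# RFC 1918 blocks plus loopback: address space the Internet cannot route to.
LOCAL_RANGES = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
def parse_hosts_allow(value):
    """Split the value into trailing-dot address prefixes and host names."""
    prefixes, names = [], []
    for item in (x.strip() for x in value.split(",")):
        if item.endswith(".") and item[:-1].replace(".", "").isdigit():
            prefixes.append(item)
        elif item:
            names.append(item)
    return prefixes, names
def prefix_allows(prefixes, ip):
    """Trailing-dot rule: '168.1.1.' admits 168.1.1.x and nothing else."""
    return any((ip + ".").startswith(p) for p in prefixes)
def prefix_network(prefix):
    """Expand '168.1.1.' to the CIDR block it admits (168.1.1.0/24)."""
    octets = prefix.rstrip(".").split(".")
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{8 * len(octets)}")
def is_local_range(prefix):
    """True when the whole block lies inside RFC 1918 or loopback space."""
    return any(prefix_network(prefix).subnet_of(r) for r in LOCAL_RANGES)
def audit(hosts_allow, log_text):
    """Is each allowed prefix local, and was each denied source outside the
    allow list (hosts allow did its job) or inside it (worth investigating)?"""
    prefixes, _ = parse_hosts_allow(hosts_allow)
    report = {"ranges": {p: is_local_range(p) for p in prefixes},
              "blocked_outside": {}, "denied_inside": {}}
    for ip in DENIED_RE.findall(log_text):
        bucket = "denied_inside" if prefix_allows(prefixes, ip) else "blocked_outside"
        report[bucket][ip] = report[bucket].get(ip, 0) + 1
    return report
```

Run `audit(HOSTS_ALLOW, SAMPLE_LOG)` against your own /var/log/samba/ files to see which denials hosts allow produced and which came from addresses you meant to admit.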
#===================== Share Definitions ===========================
[netlogon]
comment = Network Logon Service
path = /home/netlogon
guest ok = yes
writable = no
share modes = no
[homes]
comment = Home Directories
browseable = no
read only = no
[MUSIC]
path = /media/sharedMedia/Music/
comment = music
valid users = louie rick
read only = no
writable = yes
write list = louie rick
create mask = 0775
[LOUIE'S DOCS]
path = /media/projects/Louie's Docs/
valid users = louie
read only = no
writable = yes
write list = louie
create mask = 0775
# ======================== end of file =========================