Samba Server can be used to connect to a Linux host from a Windows system. In other words, a Linux server can be made a central repository for holding Windows users' data. Windows users can connect to the Linux Samba server using the Samba protocol.
Most Linux distributions come with Samba already installed. This deployment was tested on Fedora Core 7 Linux. Samba is installed in the /etc/samba directory.
We will use the existing Linux users in the /etc/passwd file for authentication. If a Windows user is to connect to Samba, add that Windows user to the Linux users with the useradd command:
# useradd <windows username>
# passwd <windows username>
Configuration file smb.conf
The Samba configuration file is located at /etc/samba/smb.conf. Edit this file as follows:
[global]
Workgroup = SAMBAWORKGROUP
“SAMBAWORKGROUP” is the name under which the Linux Samba server will be displayed in Network Neighbourhood > Workgroup computers on a Windows system.
Interfaces = lo eth0 127.0.0.1
netbios name = <Linux samba server name>
Hosts allow = 192.168.10.0/255.255.255.0
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
Interfaces is the list of interfaces on which the Linux Samba server will listen. Hosts allow contains the list of individual hosts and/or networks allowed to connect. Above we have defined the network 192.168.10.0/255.255.255.0 to have access to the Linux Samba server. With this mask the server compares only the first three octets, i.e. 192, 168 and 10; the last octet can be anything. Thus any system with a 192.168.10.x IP address can connect to the Samba server. The mask value (here 24 bits) therefore plays an important role.
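The mask comparison described above, as an added example that is not part of the original post. The function names and the sample client addresses are constructed for illustration; only dotted-quad hosts, network/netmask and network/prefix-length entries are handled, and the script shows the arithmetic rather than Samba's own code.

```shell
#!/bin/sh
# Added example: decide whether a client address falls inside a
# "hosts allow" value such as 192.168.10.0/255.255.255.0.

# Dotted quad -> 32-bit integer (subshell body keeps IFS changes local).
ip_to_int() (
    IFS=.
    set -f
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# usage: hosts_allow_match CLIENT_IP "ENTRY [ENTRY ...]"
# Returns 0 if the client matches any entry, 1 otherwise.
hosts_allow_match() {
    client=$(ip_to_int "$1")
    for entry in $2; do
        net=$(ip_to_int "${entry%/*}")
        case $entry in
            */*.*) mask=$(ip_to_int "${entry#*/}") ;;   # dotted netmask
            */*)   mask=$(( (0xFFFFFFFF << (32 - ${entry#*/})) & 0xFFFFFFFF )) ;;   # prefix length
            *)     mask=$(( 0xFFFFFFFF )) ;;            # single host
        esac
        # Only the bits covered by the mask are compared.
        [ $(( client & mask )) -eq $(( net & mask )) ] && return 0
    done
    return 1
}

# Constructed sample clients checked against the value used in this post.
ALLOW="192.168.10.0/255.255.255.0"
for ip in 192.168.10.5 192.168.10.222 192.168.11.5 10.0.0.8; do
    if hosts_allow_match "$ip" "$ALLOW"; then
        echo "$ip allowed"
    else
        echo "$ip denied"
    fi
done
```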
#-------------------------Standalone server options-------------------------
Security = user
Passdb backend = tdbsam
#----------------------Share Definitions----------------------
[USERS]
comment = individual user folders
path = /Accounts
browseable = yes
writable = yes
read only = no
valid users = @Domainusers
valid users can be individual Samba users as well as Linux groups. Above we have specified the Linux group “Domainusers”, which consists of all the Samba users who can connect to the Samba server. This is easier than listing each user when the Samba user list is huge (say 500 or a thousand users). In that case we can create a Linux group, add the existing Samba users to that group, and specify that group in the valid users option.
This finishes the Samba configuration.
Note: “USERS” is the name which will be displayed when anyone connects to the Samba server, i.e.
//192.168.10.22
Start > Run > //192.168.10.222
It will ask for credentials to log on to the Samba server. Any of the Samba users created on the Linux Samba server can log on with their username & password. Under the “USERS” icon each Samba user’s folder will be displayed, but each user has access only to his own folder.
Creating Samba Users
In the example below we create Samba users from the existing Linux users in the /etc/passwd file.
The password for a Samba user can be the same as the existing Linux password in /etc/passwd. Samba passwords can also be changed with the following command:
# smbpasswd -a <username>
This method of creating a Samba user is only valid if the <username> specified above already exists in the /etc/passwd file.
It will ask for a password and then add the user. Hence the Samba user is created.
Encrypt samba passwords
The /etc/samba/smbpasswd file is the Samba encrypted password file. It contains the username, Unix UID and SMB hashed passwords of the users allowed on your Samba server, as well as account flag information and the time the password was last changed. It's important to create this password file and include all allowed users in it before your clients try to connect to your Samba server. Without this step, no one will be able to connect to your Samba server.
Once we have added all Samba users to the /etc/passwd file on the Linux server, we can generate the smbpasswd file from the /etc/passwd file with the following command:
# cat /etc/passwd | mksmbpasswd.sh > /etc/samba/smbpasswd
Don't forget to change the permissions of your new smbpasswd file so that it is readable and writable only by the super-user root and no one else. This is a security measure.
# chmod 600 /etc/samba/smbpasswd
Now we create a directory called “Accounts” in /.
# mkdir /Accounts
# cd /Accounts
# mkdir {chandan,amit,anurag,ram,sam}
We have created the new directories in /Accounts, named after the respective Samba users, so that each Samba user will have access only to his own directory.
Thus when Samba users log on to the Samba server, they will see every Samba user's directory listed by name but can access only their own directory.
Permissions & Access control
The /Accounts directory has 755 permissions and is owned by root with group root. The user directories inside /Accounts have 770 permissions.
Change the ownership of each user’s directory to:
Owner: root
Group: respective user
# chown -R root:chandan chandan
This changes the owner to “root” and the group to “chandan” for the directory chandan in /Accounts.
# cd /Accounts
# ls -al
should output
drwxrwx--- 2 root administrator 4096 1999-12-07 06:19 administrator
drwxrwx--- 2 root chandan       4096 1999-12-07 06:19 chandan
drwxrwx--- 2 root amit          4096 1999-12-07 06:19 amit
drwxrwx--- 2 root ram           4096 1999-12-07 06:19 ram
drwxrwx--- 2 root sam           4096 1999-12-07 06:19 sam
Note the permissions in the /Accounts directory. Each user directory is owned by root with the respective user's group, and permissions are set to rwxrwx--- for owner & group (i.e. 770). This is why each user is able to access only his own directory: he has read, write & execute permissions through the group bits of the 770 permissions, while all other users have none. Moreover, root also has access to each user’s directory as he is the owner of everything.
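One way to check that every directory under /Accounts still follows this scheme, as an added example that is not part of the original post. The function names and the sample listing are constructed; on a real server the input would come from stat -c '%a %U %G %n' /Accounts/* (GNU stat).

```shell
#!/bin/sh
# Added example: audit the /Accounts layout described in this post.
# Reads "MODE OWNER GROUP PATH" lines and reports every directory that
# deviates from: mode 770, owner root, group named after the directory.
# Returns 1 if anything deviates, 0 otherwise.
audit_accounts() {
    awk '
    {
        n = split($4, parts, "/"); name = parts[n]
        # Any mode other than 770 opens the folder to "other" or locks the user out.
        if ($1 != "770")  { printf "%s: mode %s, expected 770\n", name, $1; bad = 1 }
        # A user who owned the directory could change its permissions himself.
        if ($2 != "root") { printf "%s: owner %s, expected root\n", name, $2; bad = 1 }
        # A foreign group gives the members of that group access to the folder.
        if ($3 != name)   { printf "%s: group %s, expected %s\n", name, $3, name; bad = 1 }
    }
    END { exit bad + 0 }'
}

# Constructed sample listing: chandan is correct, the other three are not.
sample_listing() {
    cat <<'EOF'
770 root chandan /Accounts/chandan
777 root amit /Accounts/amit
770 ram ram /Accounts/ram
770 root chandan /Accounts/sam
EOF
}

sample_listing | audit_accounts || echo "layout deviates from the scheme above"
```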
Next we create a group called “Domainusers” on the Linux Samba server.
# groupadd Domainusers
And then add the Samba users to the “Domainusers” group.
# usermod -a -G Domainusers chandan
This will add the Samba user “chandan” to the supplementary group “Domainusers” (the -a option appends the group instead of replacing the user's existing supplementary groups). Add all the Samba users to the new group in this way and reflect this in the smb.conf file (valid users = @Domainusers). Hence only those users who are included in the “Domainusers” group have access to the Samba server.
********************************************************************
Note: When connecting from Windows to a Samba share, there are two possibilities.
- The Windows logon and the Samba logon are different.
- The Windows logon and the Samba logon are the same.
In the first case, after logging on to your Windows system with the Windows logon, the Samba server will ask for your Samba username & password each time you connect to it after logging off from Windows.
In the second case, since your Windows logon & Samba logon are the same, once you have logged on to the Samba server it won’t ask you for a username & password again after you log off (or even reboot) and log back in, because you first log in to Windows with the Windows logon (which is the same as the Samba logon) and Samba accepts that Windows logon as its own.
Hence it is better to have a different Windows logon & Samba logon, since Samba will then ask for a username & password (the Samba login credentials) each time you connect to the Samba server after logging in to the Windows system.