Samba. Whopping goodness. Here are a few notes that help in the setup – from user creation, to directory settings etc
This blog post contains a few lessons learnt and thus by extension a migration plan from a Windows file server to a Samba-based one running on Ubuntu 10.04 LTS. I look at users, system vs smbpasswd user creation and linking (set that up in Webmin before you start, as well as for groups), share setups, general permissions and some very basic troubleshooting (as there weren’t many troubles, just headaches.)
Users
Create the users on your system. Ideally, put them all into the same base group with a /bin/false shell or similar (unless you’re allowing login) to allow group-based read-back of files they create. On home shares, just set permissions to 0700 or similar to restrict access to their files.
You can create a batch of users using this script – or just use the highlighted line if you’ve already created and linked the users in batch creation before (thanks to Matthew Daubenspeck for the script below)
If you have already batch-created users in webmin or the like, you may need to enable the user (smbpasswd -e USERNAME); otherwise, add them (smbpasswd -a USERNAME).
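    # cat importusers.sh
    #!/bin/bash
    # Create a system account and a matching Samba account for every
    # "username password" line in the data file.
    datafile=userdata
    filesystem="/dev/sda1"

    while read -r username password
    do
        [ -n "$username" ] || continue    # skip blank lines
        # Home directory, no login shell
        /usr/sbin/useradd -m -s /bin/false "$username"
        # useradd -p expects an already-encrypted hash, so set the password with chpasswd
        echo "$username:$password" | /usr/sbin/chpasswd
        # Add the user to the Samba password database (-s reads the password from stdin)
        (echo "$password"; echo "$password") | /usr/bin/smbpasswd -s -a "$username"
        # Hard block limit of 1048576 1K-blocks (1 GB), no inode limits
        /usr/sbin/setquota -u "$username" 0 1048576 0 0 -a "$filesystem"
        /bin/chmod 700 "/home/$username"
    done < "$datafile"

    # cat userdata
    user1 password1
    user2 password2
    etc etc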
Listing Users
Listing users is simple, too:
To check the users on the system: getent passwd
To check the groups overview: getent group
Or, to check which users are in a group of name GROUPNAME: apt-get install members, followed by members GROUPNAME
Alternatively, to check which groups a user is part of: groups USERNAME
For online password change by the user, install usermin (should just be a dpkg -i usermin if you followed the webmin install script posted elsewhere on this blog).
SAMBA
A basic setting for configuration for a standalone Windows network – your mileage may vary:
    [global]
    log file = /var/log/samba/log.%m
    load printers = no
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    socket options = SO_KEEPALIVE TCP_NODELAY IPTOS_LOWDELAY
    obey pam restrictions = yes
    ntlm auth = yes
    create mask = 0644
    map to guest = bad user
    domain master = Yes
    local master = Yes
    encrypt passwords = yes
    passwd program = /usr/bin/passwd %u
    passdb backend = tdbsam
    wins support = true
    dns proxy = no
    netbios name = SERVERNAME
    server string = %h server (Samba, Ubuntu)
    unix password sync = yes
    workgroup = WORKGROUP
    debug level = 3
    os level = 33
    directory mask = 0755
    syslog = 0
    security = user
    panic action = /usr/share/samba/panic-action %d
    usershare allow guests = yes
    max log size = 1000
    pam password change = yes
Once you’ve got that in place, you may want to create your shares, similar to the below, and replace SHARE NAME and GROUP NAME as appropriate:
    [SHARE NAME]
    writeable = yes
    path = /path/to/data
    force group = GROUPNAME
    revalidate = yes
    comment = Comment
    valid users = @GROUPNAME
    create mode = 0660
    directory mode = 0770
GROUPNAME is the group that has rights to the directory. Important note: even if everything works out in testparm (which you can use to test the settings and read back status), you may still get access denied errors although you have enabled and linked the users. In that case you may be seeing errors like:
- check_ntlm_password: Authentication for user failed with error NT_STATUS_WRONG_PASSWORD
- fcntl_lock: fcntl lock gave errno 11
- failed to find user in passdb backend
- rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
(well put on www.brennan.id.au):
You may have successfully created all of your shares for the Samba server and they may all be publicly accessible to the client workstation, however you may still be getting “Access Denied” errors on your Windows workstation. This normally occurs when the underlying file and directory permissions on the Linux filesystem are not appropriate to what the user has been granted.
The [Shared] section which we declared earlier in our set up has been configured to allow full permissions for everyone to access the shared resource. For Samba to fully support the requirements here, the “/samba/shared” directory must be assigned the directory permissions of 777; the default directory permissions of 755 would not allow all world users to create new files, regardless of the two “mask” declarations.
Similarly the [SHARE NAME] section is only available to valid users of the UNIX “GROUPNAME” group and should therefore have the directory permissions of 770 assigned to the “/path/to/data” directory. The group allocation should also be changed with the “chgrp GROUPNAME /path/to/data” command; this allows the valid users to access the resource with the GROUPNAME group permissions.
The incorrect assignment of file and directory permissions is the main reason why “Access Denied” errors occur when accessing the system with a valid user account. You should always confirm what permissions a resource is to be allocated, and ensure the “[section]” and filesystem permissions are assigned correctly.
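The check described above can be scripted. This is an added example, not code from this post or from the quoted source: it reads every share section from an smb.conf and compares the path's group and mode on disk with the section's force group and directory mode. Treating directory mode as the mode the share root itself should carry follows the 770 advice above and is an assumption; the function names list_shares and audit_shares are hypothetical, and stat -c needs GNU coreutils.

```shell
#!/bin/sh
# Added example, not from the original post. Assumption: a share root should
# carry the group in "force group" and the mode in "directory mode".

# Print "share|path|force group|directory mode" for each section with a path.
list_shares() {
    awk '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        function flush() { if (path != "") print name "|" path "|" grp "|" mode }
        /^[ \t]*[#;]/ { next }                       # comment line
        /^[ \t]*\[/ {                                # start of a [section]
            flush(); name = trim($0); gsub(/^\[|\].*$/, "", name)
            path = grp = mode = ""; next
        }
        (eq = index($0, "=")) {                      # "key = value" line
            key = tolower(trim(substr($0, 1, eq - 1)))
            val = trim(substr($0, eq + 1))
            if (key == "path") path = val
            else if (key == "force group") grp = val
            else if (key == "directory mode" || key == "directory mask") mode = val
        }
        END { flush() }
    ' "$1"
}

# Report shares whose directory is missing or differs from its section.
# Returns 1 if anything was reported, 0 otherwise.
audit_shares() {
    list_shares "$1" | (
        rc=0
        while IFS='|' read -r name path grp mode; do
            if [ ! -d "$path" ]; then
                echo "[$name] $path: directory missing"; rc=1; continue
            fi
            have_mode=$(stat -c '%a' "$path")        # GNU stat: octal mode
            have_grp=$(stat -c '%G' "$path")         # GNU stat: group name
            if [ -n "$mode" ] && [ "$have_mode" != "${mode#0}" ]; then
                echo "[$name] $path: mode $have_mode, section expects ${mode#0}"; rc=1
            fi
            if [ -n "$grp" ] && [ "$have_grp" != "$grp" ]; then
                echo "[$name] $path: group $have_grp, section expects $grp"; rc=1
            fi
        done
        exit "$rc"
    )
}

# Run against a file when one is given, e.g. sh audit.sh /etc/samba/smb.conf
if [ "$#" -gt 0 ]; then audit_shares "$1"; fi
```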
Also have a look at the Samba documentation and the Ubuntu Community Help.
Oh, and for the rlimit_max error above, add

    * - nofile 16384

to /etc/security/limits.conf
Your mileage may vary… but you knew that already!
Oh, and to backup, rsync is now your friend again!! 🙂