Simple guest read, password writable Samba server for a small network
#1

I use Samba on a CentOS 6 server to share files between Windows, Linux and Mac clients. Guest access is allowed to all folders, but is read only, and there are several Samba accounts for writing files to the shares.

 

The purpose of this tutorial is to document, roughly, what my configuration was to set up Samba for sharing a couple of folders on the local network in this way.

 

Install Samba

Code:
# yum install samba
# service smb start
# service nmb start
# chkconfig nmb on
# chkconfig smb on

Create the sharing directories

 

(In my actual setup, I have used /etc/fstab to mount these directories on separate, large disks, so there's plenty of space. That's beyond the scope of this tutorial, but:

/etc/fstab

Code:
UUID=xxxxxxxxx /var/lib/samba/photos ext3 defaults 1 0
UUID=xxxxxxxxx /var/lib/samba/sharedfiles ext3 defaults 1 0

with the real UUIDs substituted in!)

 

Let's create the two directories where our shared files will be stored:

Code:
# mkdir /var/lib/samba/photos
# mkdir /var/lib/samba/sharedfiles

Add the users and groups

 

In order to support this model of guests having read only access, and granting write access only to known users, we need to have some users and groups set up at the Unix level. The users and groups at the Unix level map to some of the Samba users we will create later.

 

They are separate users -- having a Samba login and password doesn't mean you have to give the user in question shell access, because they are two separate accounts and can have two separate passwords. We simply use the users, as I said, to 'map' the Samba credentials to the Unix permissions on disk.

 

We will also create a group, samba-writers, to allow us to have group write access to the shared folders. I'll add my user account, peter, to this group.

Code:
# groupadd samba-writers
# usermod -a -G samba-writers peter

Let's set the permissions on our two shared folders for this group:

Code:
# chown peter:samba-writers /var/lib/samba/photos
# chown peter:samba-writers /var/lib/samba/sharedfiles
# chmod 775 /var/lib/samba/photos
# chmod 775 /var/lib/samba/sharedfiles

Mode '775' on a directory allows the user (peter) and the group (samba-writers) to write files, and others (guests) to just read.

 

Now, let's add the mappings between Samba users and Unix users. Open /etc/samba/smbusers using your favourite text editor. I'll use vim throughout this guide.

Code:
# vim /etc/samba/smbusers

peter = peter
user1 = user1
user2 = user2

The example accounts user1 and user2 will be for our other Samba-enabled accounts.

 

Again, we will create Unix shell accounts for user1 and user2, but use different passwords for SMB and their Unix account, and not share the shell password with the users. They only need and want Samba access, so we won't let them log in to the shell.

 

First, we'll set my password for Samba. A different password from my shell login password.

Code:
# smbpasswd -a peter

('-a' to add the user for the first time. To change it later, just 'smbpasswd peter')
 

And let's add the other users.

Code:
# useradd -G samba-writers -s /sbin/nologin user1
# passwd user1
# smbpasswd -a user1

Notice we set the shell to /sbin/nologin. As I've said several times already, we are not allowing these users shell access.

Code:
# useradd -G samba-writers -s /sbin/nologin user2
# passwd user2
# smbpasswd -a user2

Set up the configuration files

 

Now that our users are ready for Samba, we need to set up the Samba configuration to share the two folders we've created, and allow the right level of access to users, as well as to guests.

Code:
# vim /etc/samba/smb.conf

The default CentOS configuration file has quite a lot already in it. Look for the headings, and make these changes:

 

Under Network Related Options:

Code:
    workgroup = WORKGROUP
    server string = Server Shared Files

    netbios name = MACHINENAME

    hosts allow = 127. 192.168.0.
    hosts deny = ALL

Set WORKGROUP to the workgroup name, if it's configured differently on your Windows clients. (On some older Windows versions, it may need to be MSHOME.)

 

Set MACHINENAME to the name you want the Samba server to have.

 

Finally, we use the 'hosts allow' and 'hosts deny' directives to force Samba only to serve to clients on the local network. In this case, 192.168.0.1 -- 192.168.0.254. You may want to change this to your IP addressing scheme in your network, or remove it to not restrict access to the local network.

 

Under Standalone Server Options:

Code:
security = user
passdb backend = tdbsam
map to guest = Bad Password

domain master = yes

Under Browser Control Options:

Code:
local master = yes
os level = 99
preferred master = yes

These directives aren't strictly necessary -- in fact, they may cause conflict if you're doing other Windows networking things on the same workgroup. 'os level = 99', combined with the other options, will force this machine to be the 'local master browser' (LMB) and the 'domain master browser' (DMB).

 

Whichever machine on the network has these roles is responsible for keeping a list of the other machines on the network. Clients use this list to look for other machines that have shared folders available. I've found that forcing my Samba server to be the LMB and DMB, as well as using it as a WINS server, speeds up the time it takes Windows to 'search' for other machines on the network by many many times. (Remember opening 'My Network Places' and clicking 'Show workgroup computers' only to have to wait 15 seconds while Explorer locks up? This avoids that.)

 

In more complex scenarios, you might not want to enable this to avoid conflict. For our small network scenario, it's a useful speed bonus and causes no problems.

 

Under Name Resolution:

Code:
wins support = yes

Samba becomes a WINS server, which again can help speed things up -- it means you can address other sharing computers by name without waiting for long periods for NetBIOS to resolve the name. (Some more tech info about this, if you're interested.)

 

You may want to configure your Windows machines' 'WINS server' IP address to point to your Samba server to get this benefit. (You might need to configure this in your router's DHCP settings for it to stick to all of them.)

 

Finally, at the bottom of the file, we add our shares:

Code:
[sharedfiles]
comment = Shared files for the network
path = /var/lib/samba/sharedfiles
guest ok = yes
writable = no
create mask = 0664
directory mask = 0775
force group = samba-writers
write list = @samba-writers

[Photos]
comment = Shared photos
path = /var/lib/samba/photos
guest ok = yes
writable = no
create mask = 0664
directory mask = 0775
force group = samba-writers
write list = @samba-writers

Each folder has its own name in brackets, followed by the options for that folder.

 

We use 'guest ok = yes' to allow guests, but 'writable = no' to make them read only. Anyone in the 'write list' (anyone in the group samba-writers) can write.

 

There are also other settings to set the default permissions on files ('create mask = 0664', owner read+write, group read+write, others read only) and folders ('directory mask = 0775', owner read+write+enter, group read+write+enter, others read+enter).

 

Once we're done, save that file and quit the editor, and reload Samba:

Code:
# service smb restart
# service nmb restart

Just make sure your firewall is letting Samba through:

Code:
# system-config-firewall-tui

And we're ready to test!

 

Accessing the shares

 

Linux

 

Without logging in, we can access the shares by going to smb://machinename (or smb://192.168.0.whatever) in the address bar of the file manager. This works in most file managers.

 

To log in and have write access, you may have luck with a 'Connect to Server' window that lets you type in the username and password, like this one in the Ubuntu 12.04 desktop's File menu.

 

[Screenshot: SMB connect.png]

 

I've had problems with write access this way, though, so you may need to use something like smbfs to mount the share permanently.

 

Mac

 

Under recent versions of Mac OS X, the server should appear right away in the Finder's sidebar. Simply click the server name to see the shares and browse them.

 

For write access, simply click the 'Connect As' button in the window and enter your username and password for SMB that you set up earlier.

 

[Screenshot: connect as button.png]

 

[Screenshot: password entry.png]

 

If you don't see the server in the sidebar, (Lion is more temperamental than Snow Leopard was about this), press ⌘K to bring up the 'Connect to Server' dialogue. Type cifs://machinename or cifs://192.168.0.whatever and click OK to connect.

 

Windows

 

The server should show up in 'Network' for guest access.

 

The best way to log in and have write access, I have found, is to map the shared folder as a network drive. In an Explorer window, click 'Map Network Drive' in the toolbar (it's under the Tools menu on Windows XP and earlier).

 

Choose a drive letter, enter \\machinename\foldername as the path, and make sure you tick to 'Connect using different credentials'.

 

[Screenshot: win_map.png]

 

You'll then be asked for the username and password, which is the SMB password you set for the account earlier.

 

[Screenshot: win_pw.png]

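As an added example (not part of the original post, and not a Samba tool), here is a small Python audit script that parses an smb.conf of the shape used in this howto with the standard-library configparser and flags shares that break the guest-read, password-write model: a share where guests can write, a create mask that makes new files world-writable, a missing 'hosts allow' / 'hosts deny = ALL' restriction, and a share path pointing at a directory that was never created (an easy typo to make in the file). The sample configuration and the set of existing directories are constructed for the demonstration.

```python
import configparser

# Constructed sample (not a copy of any real server); the mistyped share
# path and the guest-writable share are deliberate defects to catch.
SAMPLE_SMB_CONF = """[global]
security = user
map to guest = Bad Password
hosts allow = 127. 192.168.0.
hosts deny = ALL
[sharedfiles]
path = /var/lib/samba/sharedstuff
guest ok = yes
writable = no
write list = @samba-writers
create mask = 0664
[dropbox]
path = /var/lib/samba/photos
guest ok = yes
writable = yes
create mask = 0666
"""

def share_is_writable(sec) -> bool:
    for key in ("writable", "writeable", "write ok"):  # Samba synonyms
        if key in sec:
            return sec.getboolean(key)
    return not sec.getboolean("read only", fallback=True)  # default: read only = yes

def audit_smb_conf(text: str, existing_dirs) -> list:
    """Return findings; an empty list means the file matches the model."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    findings = []
    g = cp["global"] if cp.has_section("global") else {}
    if g.get("security", "user").lower() != "user":
        findings.append("global: security is not 'user'")
    if not g.get("hosts allow") or g.get("hosts deny", "").upper() != "ALL":
        findings.append("global: no 'hosts allow' + 'hosts deny = ALL' restriction to the LAN")
    for name in cp.sections():
        if name in ("global", "homes", "printers", "print$"):
            continue  # special sections, not file shares
        sec = cp[name]
        if sec.getboolean("guest ok", fallback=False) and share_is_writable(sec):
            findings.append(f"[{name}]: guests can write (guest ok on a writable share)")
        mask = int(sec.get("create mask", "0744"), 8)  # Samba default create mask is 0744
        if mask & 0o002:
            findings.append(f"[{name}]: create mask {mask:04o} makes new files world-writable")
        if sec.get("path") not in existing_dirs:
            findings.append(f"[{name}]: path {sec.get('path')} does not exist on this server")
    return findings
```

Run it against the real file with the directories that actually exist on the server (for example `audit_smb_conf(open('/etc/samba/smb.conf').read(), {d for d in ... if os.path.isdir(d)})`) after every edit and before restarting smb.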


#2
Thanks for this great howto/article hybrid :) Really useful for once I actually set up my own samba service. Thanks!! :)
#3

Excellent howto!
One question...

Is it possible to have ONE Linux account, e.g. linuxpeter with linuxpeterpassword and then map it in /etc/samba/smbusers like:

 

linuxpeter = windowspeter, windowsmarry, windowsjoe

 

and to give them (to windowspeter, windowsmarry, windowsjoe) different SAMBA passwords for windows login (peterpass, marrypass, joestrongpass)?

 

(windows* users do NOT exist on the LinuxBox - they are SAMBA virtual)

 

Thank you!

#4

Apparently, it isn't possible to map multiple Samba users to one Unix user while also having separate passwords for the Samba users. :(

 

 

 

Quote: username map looked like the solution, but isn't; quoting the documentation: "... for user or share mode security, the username map is applied prior to validating the user credentials." Thus AIUI all the users would be required to share a password (that of the user they are mapped to).

https://lists.samba.org/archive/samba/20...61335.html

 

Separate accounts and force group works well for me, though. Yes, you have to create the Unix users one time, but they are locked down appropriately with /sbin/nologin as their shell, and any user with the right group membership can access files anyone has dropped in the folder.

#5
Thank you man! A lot! :)