Thursday, August 11, 2011


So I set up a Samba server running on a headless Ubuntu machine. From the terminal, go ahead and install the server portion. You could also install smbclient if you need to.
sudo apt-get install samba
Edit the /etc/samba/smb.conf file in your favorite text editor. Make sure the following two lines are not commented out and have the right values for your network.
 workgroup = MyNetwork
 security = user
Now your Linux machine will be visible in the Windows workgroup you specified, and logging on will be secured by a Unix account.

You will need to create Linux user accounts on the machine for any user you want to use a Samba share under this configuration. You will also need to add those users to the Samba password database. I assume you can figure out how to create user accounts and add them to the appropriate groups, but this is how you add and enable those users in the Samba password database...
sudo smbpasswd -a username
sudo smbpasswd -e username
This allows you to have a lot of user accounts on the computer but control share access through Samba rather than through the OS alone.

Now create a new share at the bottom of the file, or uncomment any of the examples. Here is an example folder share from the Ubuntu server manual...
[share]
    comment = Ubuntu File Server Share
    path = /srv/samba/share
    browsable = yes
    guest ok = yes
    read only = no
    create mask = 0755
comment: a short description of the share. Adjust to fit your needs.

path: the path to the directory to share.

This example uses /srv/samba/sharename because, according to the Filesystem Hierarchy Standard (FHS), /srv is where site-specific data should be served. Technically Samba shares can be placed anywhere on the filesystem as long as the permissions are correct, but adhering to standards is recommended.

browsable: enables Windows clients to browse the shared directory using Windows Explorer.

guest ok: allows clients to connect to the share without supplying a password.

read only: determines if the share is read only or if write privileges are granted. Write privileges are allowed only when the value is no, as is seen in this example. If the value is yes, then access to the share is read only.

create mask: determines the permissions new files will have when created.

Make sure to create the directory that corresponds to this share and set the proper ownership and permissions...
sudo mkdir -p /srv/samba/share
sudo chown OWNER:GROUP /srv/samba/share/   # OWNER:GROUP is a placeholder for the account and group that should own the share
I wanted a couple of different types of shares, so I created the following shares for my little file server...
  # placeholder share name
  [shared]
  comment = "Shared by all users on this system that are part of the sambashare group"
  path = /path/to/share
  browsable = yes
  guest ok = no
  read only = no
  create mask = 0770
  directory mask = 0770
  force group = @sambashare
  valid users = @sambashare

  # placeholder share name
  [rick]
  comment = "Only accessible by the user named Rick"
  path = /path/to/Rick
  browsable = yes
  guest ok = no
  read only = no
  create mask = 0770
  directory mask = 0770
  force user = rick
  force group = rick
  valid users = rick
This is a nice way to have a shared directory that all valid users on the system can access and a private share for each user on the system. I have no idea if this is a standard way of accomplishing this, but it works really well for us.

The "create mask" and "directory mask" options are used to define the default permissions applied to any new files or directories that the user creates. Likewise, the "force user" and "force group" options determine the ownership of the files and directories. Notice that for the first share I left out the "force user" option and set the "force group" option to @sambashare. This is nice because any new files or directories are owned by the user that created them.

You can restart the two samba services like so to get started...
sudo restart smbd
sudo restart nmbd
Also, the following command is useful to parse the configuration file and see if there are any problems or suggestions...
testparm /etc/samba/smb.conf
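
A policy check to run alongside testparm, as an added example that is not part of the original post: this Python script parses share definitions like the ones above and flags shares that guests can write to, create masks that allow permission bits for "other", and authenticated shares with no valid users list. The share names in the sample are constructed, the fallback values are Samba's documented defaults (guest ok = no, read only = yes, create mask = 0744), and it assumes shares do not inherit overrides from [global] or include files.

```python
TRUE = {"yes", "true", "1"}
SYNONYMS = {"public": "guestok", "writeable": "writable", "writeok": "writable"}

def parse_shares(text):
    """Return {share: {normalized_param: value}}; [global] is skipped."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            current = None if name == "global" else shares.setdefault(name, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            key = "".join(key.split()).lower()  # Samba ignores case and spaces
            current[SYNONYMS.get(key, key)] = value.strip()
    return shares

def audit(text):
    """Return (share, finding) pairs; unset parameters use Samba's defaults."""
    findings = []
    for name, p in parse_shares(text).items():
        guest = p.get("guestok", "no").lower() in TRUE
        ro = p.get("readonly", "yes").lower() in TRUE
        writable = p["writable"].lower() in TRUE if "writable" in p else not ro
        if guest and writable:
            findings.append((name, "guest-write"))
        if int(p.get("createmask", "0744"), 8) & 0o007:
            findings.append((name, "create-mask-allows-other"))
        if not guest and "validusers" not in p:
            findings.append((name, "no-valid-users"))
    return findings

# Constructed sample: the two share styles from the post, with made-up names.
SAMPLE = """
[share]
    guest ok = yes
    read only = no
    create mask = 0755
[shared]
    guest ok = no
    read only = no
    create mask = 0770
    valid users = @sambashare
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The manual's example share is reported for guest write access and for its 0755 create mask; the sambashare-restricted share produces no findings.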
