Fileserver on SOHO LAN
From openSUSE
HowTo Configure Shares on a Linux File Server in a SOHO LAN
Author: [Swerdna]
Introduction: The Official Samba-3 [Howto and Reference Guide] has about 1000 pages and the section on the man pages for the Samba config file takes up some 160 pages. So it would be no surprise that there are many possibilities for configuring file sharing on a SOHO LAN. If you want to configure a share successfully you must accommodate all factors tied up in transferring information between workstations with the SMB protocol, chief among them being:
- Name resolution for browsing workstations and shares
- Authority for connecting to a server and its shares
- File structure permissions on the shared folder
- Security controls available within Samba
This article superficially covers these factors in a layout that runs from low security shares suitable for the home LAN through to secure shares adequate for small business and other sensitive information.
Things to know first
Samba's Configuration File is a text file located at /etc/samba/smb.conf. It's made up of paragraphs of parameter values controlling global behaviour, plus one paragraph for each classically shared resource (printers, folders). You adjust or alter this file with a text editor. All of the GUI devices to create and modify shares are no more than fancy text editors.
Classical Shares and Usershares: There are two classes of Samba shares, classical shares and usershares. Classical shares have tailored security and are created by root. The configurations for classical shares are set out in separate paragraphs, one for each share, in smb.conf, the main configuration file. The configurations for usershares are set out in separate text files, one for each share, in a special folder located at /var/lib/samba/usershares. It's important to keep in mind that the rules and procedures are different for usershares and classical shares. If you don't mentally acknowledge this you will be confused as you read this article.
Security Levels: The security options for a workgroup of mixed Windows and Linux workstations are share level security and user level security. At its simplest, share level security originally catered for Windows 95, Me and 98. Share level became superfluous in Linux with the introduction of usershares into Samba v3.0.23, which appeared in v10.2 of openSUSE for the first time. The attractive on-the-fly, non-root user sharing of folders that Windows offers at share level is now fully available in Linux at user level security through usershares. Share level is now an anachronism and it won't be discussed further here.
Text Editor Tips: You can open the file smb.conf in a KDE text editor with this command in your non-root terminal:
username@hostname:~> kdesu kwrite /etc/samba/smb.conf
Or if you prefer Gnome, use this:
username@hostname:~> gnomesu gedit /etc/samba/smb.conf
Alternatively, you can open the superuser file manager from the KDE or Gnome menu. Then you navigate to /etc/samba/. Finally, right click on smb.conf and select Kwrite, Gedit or Kate as you prefer. Cumbersome compared to the command line, isn't it?
Tweaking the Default Samba Configuration File so Sharing & Network Browsing Work OK
The first paragraph of the config file (smb.conf) contains global parameters and it looks like this in openSUSE 10.2 and 10.3:
[global]
workgroup = TUX-NET
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
map to guest = Bad User
include = /etc/samba/dhcp.conf
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
usershare allow guests = Yes
And here are some important implicit parameter specifications that are included by default, although you can't explicitly see them:
security = user
encrypt passwords = Yes
passdb backend = smbpasswd
usershare path = /var/lib/samba/usershares
Tweaks: Of course TUX-NET needs to be changed to your workgroup name. Security is set to share-level and the password backend is the deprecated smbpasswd. Samba devs recommend using the database form of backend, tdbsam, but I won't press that here. NetBIOS name resolution is installed at only a very basic level and I strongly recommend bolstering that by installing at least a Local Master Browser, LMB. The LMB and other name resolution alternatives are discussed in my tutorial on [configuring stable network browsing]. Finally, usershares are disabled in the default install. If you want to use them you must add the additional parameters listed below. So with those things in mind, here is my recommended tweaked [global] configuration:
[global]
workgroup = WORKGROUP_NAME
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
map to guest = Bad User
include = /etc/samba/dhcp.conf
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
# 3 lines for on-the-fly usershares
usershare allow guests = Yes
usershare max shares = 100
usershare owner only = False
# 3 lines to enhance network browsing - but only one LMB per workgroup
local master = Yes
preferred master = Yes
os level = 65
# ----------------------------------------------------------------------
# FYI these 4 lines are implicit - adding them explicitly is unnecessary
#encrypt passwords = Yes
#passdb backend = smbpasswd
#usershare path = /var/lib/samba/usershares
#security = user
I recommend effecting this by editing/tweaking smb.conf with a text editor. GUI devices like the ones available in Konqueror and YaST are really touchy and dangerous in a new user's hands. The results can be disastrous if you don't know exactly what you're doing. Just the act of looking into some options in YaST can install unwanted parameters. If you do use a GUI editor then you should examine your final [global] configuration against my recommended configuration above. When you've finished editing smb.conf it's also a very good idea to run testparm and read the output carefully. You enter this in a non-root terminal to run testparm:
username@hostname:~> sudo testparm /etc/samba/smb.conf
Testparm certainly doesn't guarantee success or reveal subtle conflicts/errors.
Insecure Methods for Home Use: Sharing to Anonymous Guests
These shares (reminiscent of Windows 9x/Me) are the least secure shares possible. They can be used to share non-private data and can easily be switched on and off as required. You can construct them in two ways: as classical shares using Konqueror or as the newer usershares using Nautilus. Incidentally, there's a pictorial HowTo for setting up Konqueror for Samba shares at the end of this page. To illustrate the creation of these shares, imagine a folder called sharefolder, located at /home/username/sharefolder, in the home territory of a Linux user named username.
On-The-Fly Sharing in KDE: The Konqueror Classical Share Utility
KDE has a right-click GUI that allows on-the-fly creation of a classical share from folder sharefolder. Simply R-click on sharefolder when viewing it in Konqueror file manager, select "share" and enable the share as on these two pics:
The top plate shows settings for a read-only share and the bottom plate shows settings for a read-write share.
The left side of each plate shows the settings that appear when the "share" tab is activated, and on the right hand side of each I have added the settings that appear when the "permissions" tab is activated.
The access that is sought and given is for an unauthenticated guest. Guests fit into the permissions scenario as "Others" on the GUI. So for a writeable share (the second pic) you have to set the permission for "Others" to "Can View and Modify Content".
Your Desktop: I've done this research in openSUSE 10.2 and 10.3a. For both of those the permissions for the folder /home/username/Desktop are drwx------, i.e. members of the group users (other than the real owner) and all others (e.g. guests) are forbidden. This prevents you from making classical Samba shares on a desktop with Konqueror, unless you venture further into the GUI with the button More Samba Options. Avoid that button if you are not a practised Samba administrator.
The KDE-Konqueror facility creates a "classical" share that writes its configuration to a paragraph in the samba config file at /etc/samba/smb.conf. The entry in smb.conf for the read-only share, corresponding to the top GUI is:
[SHAREFOLDER]
path = /home/username/sharefolder
guest ok = yes
The entry in smb.conf for the read-write share, corresponding to the bottom GUI is:
[SHAREFOLDER]
path = /home/username/sharefolder
guest ok = yes
read only = no
If you do not have KDE-Konqueror you could create either of these versions of classical share by directly editing these entries into smb.conf with a text editor.
On-The-Fly Sharing in Gnome: The Nautilus Usershare Facility
Nautilus has a right-click GUI that allows on-the-fly creation of a usershare from a folder. Once again use sharefolder as the example. Simply R-click on sharefolder when viewing it in Nautilus file manager, select "Sharing options" and enable the share as on the following pics:
The pictures speak for themselves. You don't have to change the default permissions/access controls on the folder sharefolder for the read-write case as you do for a classical share using Konqueror. Usershares have their access controls set in the share configuration file that is written in /var/lib/samba/usershares.
FYI, here is the config file for a read-only usershare:
#VERSION 2
path=/home/username/sharefolder
comment=
usershare_acl=S-1-1-0:R
guest_ok=y
FYI, here is the config file for a read-write usershare:
#VERSION 2
path=/home/username/sharefolder
comment=
usershare_acl=S-1-1-0:F
guest_ok=y
They differ by only one letter. The files are located at /var/lib/samba/usershares.
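To see what those two files actually grant, here is an added Python example (not part of the article and not Samba's own code) that parses usershare files of this format and flags shares that anonymous guests can write to; S-1-1-0 is the well-known SID for Everyone, and the two sample file contents are constructed to match the listings above.

```python
# Added example, not from the article: parse the usershare definition files that
# Nautilus writes to /var/lib/samba/usershares and report which of them let
# anonymous guests write.  Sample file contents are constructed to match the
# read-only and read-write usershares shown in the article.
WELL_KNOWN_SIDS = {"S-1-1-0": "Everyone"}             # the only SID the article's ACLs use
ACL_RIGHTS = {"R": "read", "F": "full", "D": "deny"}  # right letters used in usershare_acl

def parse_usershare(text: str) -> dict:
    """Parse one key=value usershare file into a dict with a decoded 'acl' map."""
    share = {"path": "", "comment": "", "guest_ok": False, "acl": {}}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):          # skips the '#VERSION 2' header
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "guest_ok":
            share["guest_ok"] = value.lower() == "y"
        elif key == "usershare_acl":
            # "SID:right,SID:right," -- Samba itself writes a trailing comma, the
            # article's listing omits it; filter(None, ...) tolerates both.
            for entry in filter(None, value.split(",")):
                sid, _, right = entry.partition(":")
                share["acl"][sid.strip()] = right.strip()
        elif key in share:                              # path, comment
            share[key] = value
    return share

def describe_acl(share: dict) -> list:
    """Render the ACL with readable names, e.g. ['Everyone:full']."""
    return [f"{WELL_KNOWN_SIDS.get(s, s)}:{ACL_RIGHTS.get(r, r)}"
            for s, r in share["acl"].items()]

def guest_writable(share: dict) -> bool:
    """True when an unauthenticated guest may modify the shared folder."""
    return share["guest_ok"] and share["acl"].get("S-1-1-0") == "F"

# Constructed sample files: the read-only and read-write usershares from the article.
RO_FILE = "#VERSION 2\npath=/home/username/sharefolder\ncomment=\nusershare_acl=S-1-1-0:R\nguest_ok=y\n"
RW_FILE = "#VERSION 2\npath=/home/username/sharefolder\ncomment=\nusershare_acl=S-1-1-0:F,\nguest_ok=y\n"

def audit(files: dict) -> list:
    """Return the names of the shares in {name: file text} that guests can write to."""
    return [name for name, text in files.items() if guest_writable(parse_usershare(text))]

if __name__ == "__main__":
    print("guest-writable usershares:", audit({"ro": RO_FILE, "rw": RW_FILE}))
```

Pointing audit() at the real contents of /var/lib/samba/usershares gives a quick inventory of which on-the-fly shares are open for anonymous writing.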
Secure Method for the Workplace: Sharing to Authentic Users
We now address the generalised, classical, stand-alone, read-write Samba share. It's to be accessible to authenticated Samba users only. [Database administration: usage of some utilities to list Samba users and to add/delete them in the Samba user database is illustrated in the Appendix.] Imagine you are sharing the folder sharefolder and you want it to appear in network browsers as NET_SHARE. In this case the share is administered by root, so you locate it wherever is convenient, say at /path/sharefolder. The policy is to use the Samba force parameters, force group and force user, to assign access controls to the Samba user and mimic the real owner of the shared folder. So make username the owner of the folder and edit the parameter values below into the share's definition in smb.conf. Here's the definition for a read-write share:
[NET_SHARE]
comment = a comment goes here
path = /path/sharefolder
read only = no
force group = users
force user = username
These shares can't be accessed by a non-authenticated user. Depending on the precise setup, access flows either to a machine having a valid Samba user logged on, or to a user who authenticates in a logon session. If you want the share to be read-only you comment out or remove the line read only = no.
You can further restrict access by limiting valid users via Samba's valid users parameter. For example add this line to the definition of a share if you want only Ethel or George to have access to the share:
valid users = ethel, george
And equally useful is this (example of a) pair of lines to limit the host machines allowed to connect:
hosts allow = 127.0.0.1 192.168.0.2 192.168.0.3 192.168.0.4
hosts deny = 0.0.0.0/0
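The following added Python example (not the article's and not Samba's own code) applies the valid users, hosts allow and hosts deny checks of the share above to candidate clients in the order the smb.conf man page describes them; the share text is the NET_SHARE definition with the two host lines added, and the hostname and EXCEPT forms of host lists are assumed out of scope.

```python
# Added example, not from the article: evaluate "hosts allow", "hosts deny" and
# "valid users" for a classical share in the order the smb.conf man page gives.
import ipaddress

SHARE_TEXT = """\
[NET_SHARE]
path = /path/sharefolder
read only = no
force group = users
force user = username
valid users = ethel, george
hosts allow = 127.0.0.1 192.168.0.2 192.168.0.3 192.168.0.4
hosts deny = 0.0.0.0/0
"""

def parse_share(text: str) -> dict:
    """One [share] paragraph -> dict of lowercase parameter name to value."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("[", "#", ";")):
            key, _, value = line.partition("=")
            params[key.strip().lower()] = value.strip()
    return params

def _matches(client: str, host_list: str) -> bool:
    """Client matches an IP, CIDR or 'a.b.c.' prefix entry (no hostnames, no EXCEPT)."""
    addr = ipaddress.ip_address(client)
    for entry in host_list.replace(",", " ").split():
        if entry.endswith("."):                   # Samba's "192.168.0." prefix form
            if client.startswith(entry):
                return True
        elif addr in ipaddress.ip_network(entry, strict=False):
            return True
    return False

def host_allowed(params: dict, client: str) -> bool:
    """allow match admits; else deny match refuses; else admit (allow-only list refuses the rest)."""
    allow, deny = params.get("hosts allow", ""), params.get("hosts deny", "")
    if allow and _matches(client, allow):
        return True
    if deny:
        return not _matches(client, deny)
    return not allow

def user_allowed(params: dict, user: str) -> bool:
    """Plain names in 'valid users' only (no @group / +group forms handled)."""
    valid = [u.strip() for u in params.get("valid users", "").split(",") if u.strip()]
    return not valid or user in valid
```

With the deny-all catch line in place, a workstation at 192.168.0.9 is refused before any password is considered, while ethel on 192.168.0.3 passes both filters.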
That's nearly all folks, except for appendices.
APPENDIX: Administering the Samba User Database
Here are a few recipes for using the utilities smbpasswd and pdbedit to administer user accounts. They're clues to enable you to list, add and delete users in the Samba user database.
I only use pdbedit in the standalone-server context to list Samba users when I forget who they are, like so - terminal session:
Password:
hostname:~ # pdbedit -L -w
papa:1000:5AF24......truncated by Swerdna........25031F:[U ]:LCT-45AB8EAE:
ethel:1001:DF7D4C8............ditto................9A37:[U ]:LCT-45C1C662:
timothy:1002:9ACC1............ditto..............5B5140:[U ]:LCT-2615EEB5:
hostname:~ #
This shows me that the Linux host (called hostname) has three Samba users: papa, ethel and timothy, with UIDs of 1000, 1001 and 1002 respectively (the rest of each line is encrypted, I think). You will be unable to add a Samba user who is not already a valid user in SUSE's user database.
Use smbpasswd to add a Samba user or to change the user's password - terminal session:
Password:
hostname:~ # smbpasswd -a timothy
New SMB password:
Retype new SMB password:
hostname:~ #
Use smbpasswd to delete a Samba user - terminal session:
Password:
hostname:~ # smbpasswd -x timothy
Deleted user timothy.
hostname:~ #
APPENDIX: Configuring Konqueror for On-The-Fly Classical Samba Shares
This appendix is necessary to work around a quirk (bug is too strong a word) in Konqueror's File Sharing facility. If you right click on a folder being viewed in Konqueror, intending to create a share, and you don't see the option Share as the bottom option on the drop-down list, then reconfigure the File Sharing facility. Open Personal Settings in the KDE menu: Personal Settings --> Internet & Network --> File Sharing --> Administrator Mode. The next pic is my adaptation of the GUIs that open up. It's an amalgamation of four pics with steps numbered in sequence. It's meant to be self evident but I'll list the steps anyway.
- Pic A
- Step 1: Enable Local Network File Sharing
- Step 2: Enable advanced sharing, not simple sharing, which doesn't work in openSUSE 10.2 and 10.3
- Step 3: Samba version. You can enable NFS as well, if you know what you're doing. NFS is not a part of Samba
- Step 4: Click the "Allowed Users" button and Pic B will open up
- Pic B
- Step 5: Make sure you pick the "certain group" option and not the "all users" option
- Step 6: Click "Choose Group" to select the group (Users) when Pic C opens up
- Pic C
- Step 7: Select the group "Users" with the drop-down list. Don't activate any of Add, Remove or Delete
- Step 8: Click OK and make your way to Pic D
- Pic D
- Step 9: Make sure the choice "Group members can share without password" is selected
- Step 10: The option "Only users of a certain group" is enabled. YOU DON'T WANT THAT
- Step 11: Change the option to "Allow all users to share folders" and click OK to lock all these steps in.
Now you can use R-click in Konqueror to create classical Samba shares to guests.
That's really all folks. Take it easy.
Swerdna: 25 February 2007; revised 03 March
Credits: [Swerdna's site] [Broch]