new blog 2.0

2008/05/27

0x03. [LPIC-302] Samba Basic Config - file and printer shares

Configuring File Sharing Services

Public Share

We start by configuring a basic public share that is world-readable. There are actually two ways of doing it, but we will focus on only one (user security mode), since the other (share security mode) is deprecated and likely to disappear from future releases of Samba. If your distribution does not create a role account for Samba, it might be a good idea to create one instead of mapping guest users to the "guest" or "nobody" accounts. The account has to be added with smbpasswd; otherwise you will have a hard time understanding the unexpected behaviour of some config options. So...
# useradd smbguest
# smbpasswd -n smbguest
Before we put our fingers on smb.conf let's create the public share on the local filesystem.
# mkdir -p /var/smb/ebooks
# chmod 1755 /var/smb/ebooks
Use your favourite editor to create an smb.conf file like this:
---- smb.conf ----
[global]
security = user
workgroup = tux
netbios name = elibrary
guest account = smbguest

[ebooks]
path = /var/smb/ebooks/
# allow access without a password; such connections are mapped to "guest account"
guest ok = yes
---- smb.conf ----
Upload your favorite man pages to the public directory and restart smbd.

Writable Public Share

Let's take our share to the next level (LOL) and make it possible for everyone to upload their ebooks. Simply append "read only = no" or "writable = yes" to the [ebooks] section.

Invisible Writable Public Share

At this stage, if a client browses \\elibrary\ it will see all the available shares, which should be [ebooks] and the default printer share. [ebooks] includes some books that contain information not for everyone to see. If you want to make [ebooks] disappear from client listings, append "browsable = no" to the share section. This way the share is hidden from listings but still accessible when specified explicitly (\\elibrary\ebooks), so this hides the share name and does not restrict access.

Authenticating Users


Because the current configuration is a mockery in terms of security and functionality, we should make a small improvement to it: give write access only to authenticated users, while guests can still read files but cannot write anything.

We need to create Samba users on the server first, and this is done with "smbpasswd -a".
# smbpasswd -a oozie
New SMB password:
Retype new SMB password:
#
An important note: the user has to be resolvable via a getent call, so most typically it should be present in the /etc/passwd file. If it isn't, you will most likely see this error message: "Failed to modify password entry for user [username]". On the other hand, if you add an existing POSIX user with smbpasswd, remove it from /etc/passwd and then try smbpasswd -x (remove user), you will see this: "smbpasswd database is corrupt! username [user] with uid [uid] is not in unix passwd database!"

Again, a slight reconfiguration of smb.conf is necessary. Append "read list = smbguest" to the end of [ebooks] section and restart the daemons. This way oozie will be able to read/write, whereas all the guests will read the e-books only.
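An added example, not part of the original post: a small Python audit that works out what the guest account can do on each share at the Samba level. It is run over constructed copies of the [ebooks] configuration before and after the "read list" and "browsable" changes. The function names and sample strings are made up for this illustration; @group entries in user lists and Unix permissions on the share path are not evaluated.

```python
import configparser
import re

# Constructed sample: the page's [ebooks] share at its "writable public" stage,
# then with "browsable = no" and "read list = smbguest" appended.
STAGE_WRITABLE = """
[global]
security = user
guest account = smbguest
[ebooks]
path = /var/smb/ebooks/
guest ok = yes
writable = yes
"""
STAGE_FINAL = STAGE_WRITABLE + "browsable = no\nread list = smbguest\n"

YES = {"yes", "true", "1"}
SYNONYMS = {"public": "guest ok", "browsable": "browseable"}
INVERTED = {"writable", "writeable", "write ok"}  # inverted synonyms of "read only"

def _load(text):
    """Parse smb.conf text into {section: {canonical parameter: value}}."""
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.read_string(text)
    conf = {}
    for sect in cp.sections():
        for key, val in cp.items(sect):
            key, val = " ".join(key.split()), val.strip().lower()
            if key in INVERTED:
                key, val = "read only", "no" if val in YES else "yes"
            conf.setdefault(sect.lower(), {})[SYNONYMS.get(key, key)] = val
    return conf

def guest_access(text):
    """Return {share: (guest access, listed)}; access is 'none', 'read' or 'write'."""
    conf = _load(text)
    glob = conf.pop("global", {})
    guest = glob.get("guest account", "nobody")
    report = {}
    for share, params in conf.items():
        get = lambda k, d: params.get(k, glob.get(k, d))  # share value, else [global]
        names = lambda k: set(re.split(r"[,\s]+", get(k, ""))) - {""}
        access = "none"
        if (get("guest ok", "no") in YES and guest not in names("invalid users")
                and (not names("valid users") or guest in names("valid users"))):
            ro = get("read only", "yes") in YES or guest in names("read list")
            access = "write" if guest in names("write list") or not ro else "read"
        report[share] = (access, get("browseable", "yes") in YES)
    return report
```

Running guest_access() on a real smb.conf flags any share where guests still have "write" access, and shows that a share with listed = False is hidden but keeps whatever access it had.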

Exceptions
Samba allows exceptions from many rules, practically even from exceptions themselves. If we want to narrow down or widen the list of users that should have access to our folders, we can add the "invalid users" or "valid users" directives to smb.conf. They sit on top of the other ACLs that we specified earlier and disallow/allow access respectively.

Mounting Samba Shares
You can mount Samba shares with mount -t smbfs (deprecated in favor of mount -t cifs) or with smbmount, which invokes mount.smbfs to mount a share (which makes it a deprecated option too). So a situation like this will be very common nowadays:

# mount.smbfs //192.168.1.36/ebooks /mnt
Password:
ERROR: smbfs filesystem not supported by the kernel
Please refer to the smbmnt(8) manual page
smbmnt failed: 255
In this situation "modprobe smbfs" should help, but make sure that this module comes compiled with your kernel. A preferred alternative to smbmount/mount.smbfs is mount.cifs (which requires the cifs.ko module):
# mount.cifs -o user=oozie,pass=passwd //192.168.1.36/ebooks /mnt
Password:
# ls /mnt
ebook1.pdf ebook2.pdf ebook3.pdf

[homes] share

This share is a special option that tells Samba to create a temporary share named after the username of the connecting user. The share gets all the attributes specified in the [homes] section.

Plan file service migration
http://us4.samba.org/samba/docs/man/Samba-HOWTO-Collection/NT4Migration.html#id2676131
  • Create scripts for user and group handling of file shares
  • smbcquotas - Set or get QUOTAs of NTFS 5 shares
  • smbsh - Allows access to remote SMB shares using UNIX commands

Configuring Print Services
Samba supports a number of protocols for print sharing. The list includes {CUPS, LPD, LPRNG, SYSV, HPUX, AIX, QNX, PLP}, but CUPS is of particular interest here, since Samba supports it natively. It makes direct library calls, so smb.conf requires only minimal configuration in the [printers] section for the printers to work:
[...]

[printers]
path = /var/spool/samba
printable = yes

[...]
The 'path =' parameter must be different from the subsystem spooling directory, in this case different from /var/spool/cups.

The [print$] share
print$ hosts all the drivers required by Samba printers. It should not be used under a different name, because Windows clients are hardcoded this way. When they connect to the share, they try to look up drivers based on their own architecture, which is one of the following: {W32ALPHA, W32MIPS, W32PPC, W32X86, WIN40}. The most frequently looked-through directory nowadays is W32X86 because it is used by Windows NT, 200x and XP.

Commands:
  • smbprngenpdf - a shellscript that converts printer spool files to PostScript format, and translates it to PDF later, unless -k option is specified. By default, files printed in this way are stored in the ~/PDF directory of the requesting user.

  • smbspool - sends a print file to a Samba printer (man 8 smbspool for more info)

Sources:
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/classicalprinting.html
