Recover ubuntu box from hack, part 9: Reconfigure samba file sharing

Before the hack I had set up a shared folder which is the main reason for having the RAID set up. I want to be able to share any media throughout the house as well as provide a place for people to store any data they might want to back up. To this end I had samba set up. So again I set it up:

sudo aptitude install samba

now I need to adjust the options:

sudo vim /etc/samba/smbd.conf

Uncommented the ‘;  security = user’ line. Set up a couple of shares. Reloaded the configuration:

sudo reload smbd.conf

Tested it. Works. One of my shares forces guest only, and one of them requires a log in. It took a very long time to work out how to log in. It kept saying “… Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. …”. After doing a bit of research I found I could kill all current connections with a command in my windows command prompt:

net use * /delete

This kills all current network share connections, including any mapped network drives. This was not a good solution, and a bit more searching told me that it’s just how Windows works with network shares. The MS KB article I found suggested a workaround, which I will use: log into \\server-name for one remote user account and \\server-IP for the other account. This seemed to stop that error message from showing again, so long as I remember which user is for which address. This workaround is good enough, since it should pretty much only ever be me that needs it, and only when I’m testing things, or logging into my own private share from another user’s computer which has been logged into their private share.

However, I was still not able to come up with a working log in. A bit more research and stuffing around and I found out that the line of the configuration file about syncing with Unix passwords doesn’t actually mean it just checks the user-name and password against the server user-names and passwords. So I had to create a samba user-name and password:

sudo smbpasswd -a <username>

Once that was done I had to work out what domain it wanted. It seems it will only allow me to log on with workgroup\<username>. The workgroup used is the one specified in the smbd.conf file. I was sure I didn’t need to specify the workgroup for my last set up, but I concede that I may not have set it up properly last time.

Here is a dump of the useful parts of the smb.conf file – as given by the command ‘sudo testparm /etc/samba/smbd.conf’:

[global]
        server string = %h server (Samba, Ubuntu)
        map to guest = Bad User
        obey pam restrictions = Yes
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        unix password sync = Yes
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        dns proxy = No
        usershare allow guests = Yes
        panic action = /usr/share/samba/panic-action %d
[printers]
        comment = All Printers
        path = /var/spool/samba
        create mask = 0700
        printable = Yes
        browseable = No
        browsable = No
[print$]
        comment = Printer Drivers
        path = /var/lib/samba/printers
[public]
        comment = RAID public area
        path = /media/share/public
        guest only = Yes
        guest ok = Yes
[public - rw]
        comment = writable version of public share
        path = /media/share/public
        read only = No
        create mask = 0755
        directory mask = 0777
[guest area]
        comment = writeable area for guests
        path = /media/share/public/guest area
        read only = No
        create mask = 0755
        directory mask = 0777
        guest only = Yes
        guest ok = Yes
[lynden - private]
        comment = Lynden's personal stuff
        path = /media/share/private/lynden
        valid users = lynden
        read only = No
        create mask = 0700
        directory mask = 0700

The reason I have the main share set up with a read-only main area, a rw version and a guest rw area is so that people who are visiting, or who get onto our network without permission, can see what I have but cannot modify anything. Housemates who want to use the RAID for storage can put things into the guest area, or if they want I’ll set up a user-name for them. The rw version of the main area is so that users I know and trust can modify the share if they want. However, this security trades off the simplicity and ease of use of a straight public read/write network share, which my girlfriend would prefer.
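As an added example (not part of the original post), here is a small Python audit that parses an smb.conf in the same layout as the dump above and reports which shares guests, or any Samba account at all, can write to. The sample config is constructed from the testparm dump (paths omitted) and the function names are my own.

```python
# Added example, not from the original post: parse an smb.conf in the layout the
# post describes and report which shares guests or any logged-in user can write to.
import configparser

# Constructed sample modelled on the post's testparm dump (paths omitted).
SAMPLE_SMB_CONF = """
[global]
    map to guest = Bad User
[public]
    guest only = Yes
    guest ok = Yes
[public - rw]
    read only = No
    directory mask = 0777
[guest area]
    read only = No
    directory mask = 0777
    guest only = Yes
    guest ok = Yes
[lynden - private]
    valid users = lynden
    read only = No
    directory mask = 0700
"""

def parse_smb_conf(text):
    """Parse smb.conf text; '%' macros and duplicate sections are tolerated."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def audit_shares(cp):
    """Map each file share to a list of exposure findings (empty list = fine)."""
    findings = {}
    for name in cp.sections():
        if name in ("global", "printers", "print$"):
            continue
        s = cp[name]
        guest = s.getboolean("guest ok", False) or s.getboolean("guest only", False)
        writable = not s.getboolean("read only", True) or s.getboolean("writeable", False)
        issues = []
        if guest and writable:
            issues.append("guest-writable: anyone on the network can modify files")
        if writable and "valid users" not in s:
            issues.append("writable with no 'valid users': any Samba account can write")
        if writable and s.get("directory mask", "0755").endswith("777"):
            issues.append("directory mask 0777: new directories are world-writable on the host")
        findings[name] = issues
    return findings
```

Running audit_shares(parse_smb_conf(SAMPLE_SMB_CONF)) flags the guest area as guest-writable and the rw share as open to every Samba account, while the read-only public share and the private share come back clean.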

I think it works a little better this time, and I definitely have a better understanding too.
