Secure Read-Write File and Print Server
We progress now from simple systems to a server that is slightly more complex.
Our new server will require a public data storage area in which only authenticated
users (i.e., those with a local account) can store files, as well as a home directory.
There will be one printer that should be available for everyone to use.
In this hypothetical environment (no espionage was conducted to obtain this data),
the site is demanding a simple environment that is secure enough but not too
difficult to use.
Site users will be Jack Baumbach, Mary Orville, and Amed Sehkah. Each will have
a password (not shown in further examples). Mary will be the printer administrator and will
own all files in the public share.
This configuration will be based on user-level security, which is the default, and
for which the default is to store Microsoft Windows-compatible encrypted passwords
in a file called /etc/samba/smbpasswd. The default smb.conf entry that makes this
happen is passdb backend = smbpasswd, guest. Since this is the default, it is not
necessary to enter it into the configuration file. Note that the guest backend is
added to the list of active passdb backends whether or not it is specified directly
in the Samba configuration file.
Procedure 2.2. Installing the Secure Office Server
Example 2.4. Secure Office Server smb.conf
# Global parameters
[global]
    workgroup = MIDEARTH
    netbios name = OLORIN
    printcap name = cups
    disable spoolss = Yes
    show add printer wizard = No
    printing = cups

[homes]
    comment = Home Directories
    valid users = %S
    read only = No
    browseable = No

[public]
    comment = Data
    path = /export
    force user = maryo
    force group = users
    read only = No

[printers]
    comment = All Printers
    path = /var/spool/samba
    printer admin = root, maryo
    create mask = 0600
    guest ok = Yes
    printable = Yes
    use client driver = Yes
    browseable = No
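- Add all users to the operating system:
    root# useradd -c "Jack Baumbach" -m -g users -p m0r3pa1n jackb
    root# useradd -c "Mary Orville" -m -g users -p secret maryo
    root# useradd -c "Amed Sehkah" -m -g users -p secret ameds
  The -p option of useradd expects a password that is already encrypted, as returned
  by crypt(3), so the plain strings shown here do not produce a usable UNIX login
  password. The Samba passwords are set separately with smbpasswd.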
- Configure the Samba smb.conf file as shown in Example 2.4.
- Initialize the Microsoft Windows password database with the new users:
    root# smbpasswd -a root
    New SMB password: bigsecret
    Reenter smb password: bigsecret
    Added user root.

    root# smbpasswd -a jackb
    New SMB password: m0r3pa1n
    Retype new SMB password: m0r3pa1n
    Added user jackb.

    root# smbpasswd -a maryo
    New SMB password: secret
    Reenter smb password: secret
    Added user maryo.

    root# smbpasswd -a ameds
    New SMB password: mysecret
    Reenter smb password: mysecret
    Added user ameds.
- Install the printer using the CUPS Web interface. Make certain that all
  printers that will be shared with Microsoft Windows clients are installed
  as raw printing devices.
- Start Samba using the operating system administrative interface.
  Alternatively, this can be done manually by executing:
    root# nmbd; smbd;
  Both applications automatically execute as daemons. Those who are paranoid about
  maintaining control can add the -D flag to coerce them to start up in daemon mode.
- Configure the /export directory:
    root# mkdir /export
    root# chown maryo:users /export
    root# chmod u=rwx,g=rwx,o-rwx /export
- Check that Samba is running correctly:
    root# smbclient -L localhost -U%
    Domain=[MIDEARTH] OS=[UNIX] Server=[Samba-3.0.20]

            Sharename      Type      Comment
            ---------      ----      -------
            public         Disk      Data
            IPC$           IPC       IPC Service (Samba-3.0.20)
            ADMIN$         IPC       IPC Service (Samba-3.0.20)
            hplj4          Printer   hplj4

            Server               Comment
            ---------            -------
            OLORIN               Samba-3.0.20

            Workgroup            Master
            ---------            -------
            MIDEARTH             OLORIN

  The following error message indicates that Samba was not running:
    root# smbclient -L olorin -U%
    Error connecting to 192.168.1.40 (Connection refused)
    Connection to olorin failed
- Connect to OLORIN as maryo:
    root# smbclient //olorin/maryo -Umaryo%secret
    OS=[UNIX] Server=[Samba-3.0.20]
    smb: \> dir
      .                    D        0  Sat Jun 21 10:58:16 2003
      ..                   D        0  Sat Jun 21 10:54:32 2003
      Documents            D        0  Fri Apr 25 13:23:58 2003
      DOCWORK              D        0  Sat Jun 14 15:40:34 2003
      OpenOffice.org       D        0  Fri Apr 25 13:55:16 2003
      .bashrc              H     1286  Fri Apr 25 13:23:58 2003
      .netscape6          DH        0  Fri Apr 25 13:55:13 2003
      .mozilla            DH        0  Wed Mar  5 11:50:50 2003
      .kermrc              H      164  Fri Apr 25 13:23:58 2003
      .acrobat            DH        0  Fri Apr 25 15:41:02 2003

            55817 blocks of size 524288. 34725 blocks available
    smb: \> q
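The following Python check is an added example, not part of the original HOWTO or of Samba. It parses the share sections of Example 2.4 and reports, per share, whether guests are admitted and whether the share is writable, flagging any file share that guests could write to. The function names are hypothetical, the embedded configuration is trimmed from Example 2.4, and inheritance of share defaults from [global] is not modelled; testparm remains the authoritative parser.

```python
import configparser

# Share sections of Example 2.4, trimmed to the access-control parameters.
SMB_CONF = """
[homes]
valid users = %S
read only = No
[public]
path = /export
force user = maryo
read only = No
[printers]
guest ok = Yes
printable = Yes
"""

TRUE = {"yes", "true", "1"}

def flag(sec, names, default):
    """Boolean value of the first synonymous parameter present in the section."""
    for name in names:
        if name in sec:
            return sec[name].strip().lower() in TRUE
    return default

def audit(text):
    # interpolation=None: Samba macros such as %S are not configparser syntax.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    report = {}
    for share in (s for s in cp.sections() if s != "global"):
        sec = cp[share]
        guest = flag(sec, ("guest ok", "public"), False)  # Samba default: No
        if "read only" in sec:  # Samba default: read only = Yes
            writable = not flag(sec, ("read only",), True)
        else:  # inverted synonyms of "read only"
            writable = flag(sec, ("writeable", "writable", "write ok"), False)
        printable = flag(sec, ("printable", "print ok"), False)
        report[share] = {
            "guest": guest, "writable": writable, "printable": printable,
            "force_user": sec.get("force user"),
            # Guests able to write to a file share breaks the page's requirement.
            "violation": guest and writable and not printable,
        }
    return report

if __name__ == "__main__":
    for share, facts in audit(SMB_CONF).items():
        print(share, facts)
```

For Example 2.4 no share is flagged: [public] is writable but admits only authenticated users, and [printers] admits guests but is a print share.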
By now you should be getting the hang of configuration basics. Clearly, it is time to
explore slightly more complex examples. For the remainder of this chapter we abbreviate
instructions, since there are previous examples.