Create samba user shares in TonidoPlug (NAS)

TonidoPlug can act as a NAS device.

When an external USB hard disk is connected to TonidoPlug, it automatically mounts the USB HDD and makes it available to other computers on the network. For example, to connect to this share from Windows, open an Explorer window and type \\<TonidoPlug IP>\MediaDisk, and you get full access to the USB HDD.

Since TonidoPlug is not configured to provide user-based access to Samba shares by default, here is a guide to setting it up.
With this setup, users can access their home directories by authenticating with their login and password. They cannot view or access other users’ shares without knowing those users’ login credentials.

By default, when a user is created in the Linux OS, it is not automatically available as a Samba user. This is usually done as a separate step. In our setup we also try to automate this process.

Setup

1. Install the libpam-smbpass package. This package provides the tools needed to synchronize Linux OS users and passwords with the Samba repository.

# apt-get install libpam-smbpass

2. Open /etc/samba/smb.conf with a text editor and make the following changes.

3. By default TonidoPlug allows full access to everybody. Disable this default behavior: look for the following lines and comment them out.

# What naming service and in what order should we use to resolve host names
# to IP addresses

;   name resolve order = lmhosts host wins bcast
;   force user = root
;   force group = root

;   guest ok = yes
;   browseable = yes
;   public = yes
;   writable = yes

The lines above are shown as they look once commented out.

4. By default TonidoPlug allows share-level access. Change this to user-level access.
Look for the line “security = share” and change it as follows:

# “security = user” is always a good idea. This will require a Unix account
# in this server for every user accessing the server. See
# /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/ServerType.html
# in the samba-doc package for details.

security = user

5. Enable automatic synchronization of user and password information from the Linux OS to Samba.

# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
unix password sync = yes

6. Users need to be able to access their home directories when they log in with a user ID and password. Configure Samba to expose user home directories.

# Un-comment the following (and tweak the other settings below to suit)
# to enable the default home directory shares.  This will share each
# user’s home directory as \\server\username
[homes]
comment = Home Directories
browseable = yes

# By default, the home directories are exported read-only. Change the
# next parameter to ‘no’ if you want to be able to write to them.
read only = no

# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
;   create mask = 0700

# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
;   directory mask = 0700

# By default, \\server\username shares can be connected to by anyone
# with access to the samba server.  Un-comment the following parameter
# to make sure that only “username” can connect to \\server\username
# This might need tweaking when using external authentication schemes
valid users = %S

7. Save the smb.conf file and restart the Samba daemon.

# /etc/init.d/samba restart
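
To confirm the edits from steps 3 to 6 took effect, the following shell function flags any of the open settings still active in an smb.conf. It is an added example, not part of the original guide; the function name audit_smb_conf, the path /mnt/example and the sample file contents are constructed for illustration.

```shell
# Added example: report the smb.conf settings that steps 3 to 6 change.
# Prints one finding per line, and nothing when the file matches the guide.
audit_smb_conf() {
    awk '
    /^[ \t]*([#;]|$)/ { next }                  # comment or blank line
    /^[ \t]*\[/ {                               # section header, e.g. [homes]
        sec = $0
        sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
        sec = tolower(sec)
        if (sec == "homes") homes = 1
        next
    }
    {
        eq = index($0, "=")
        if (eq == 0) next
        key = tolower(substr($0, 1, eq - 1))
        gsub(/[ \t]+/, "", key)                 # Samba ignores spaces and case in names
        val = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        lval = tolower(val)
        where = (sec == "" ? "global" : sec)    # lines before any header are global
        if ((key == "guestok" || key == "public") && lval ~ /^(yes|true|1)$/)
            print where ": guest access enabled"
        if ((key == "forceuser" || key == "forcegroup") && lval == "root")
            print where ": access forced to root"
        if (key == "security" && lval == "share")
            print where ": share-level security"
        if (sec == "homes" && key == "validusers" && val == "%S") homes_ok = 1
    }
    END { if (homes && !homes_ok) print "homes: valid users = %S is not set" }
    ' "$1"
}

# Constructed sample: an open configuration like the default step 3 describes.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[global]
   security = share
   force user = root
[MediaDisk]
   path = /mnt/example
   guest ok = yes
[homes]
   read only = no
;   valid users = %S
EOF
audit_smb_conf "$sample"
rm -f "$sample"
```

Run it as audit_smb_conf /etc/samba/smb.conf before restarting Samba; no output means none of the flagged settings remain active.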


Share Test

For testing, we will create a user on the TonidoPlug and try to access the user’s home directory as a samba share.

1. Create a user on TonidoPlug. You can do this by connecting to TonidoPlug over SSH as the root user.

# useradd -m -k /etc/skel demouser

2. Set a password for demouser.

# passwd demouser

3. Important: Open another SSH session to TonidoPlug and log in as the new user. This is the only trigger I could find to synchronize the OS user details with Samba.
You can close the SSH session as soon as the login is successful.

4. From the other SSH session (as root user), verify that the new Linux user is synchronized with Samba.

# pdbedit -w -L
nobody:65534:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-00000000:
root:0:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:0708DD6BC4B608A64FC970497CC6F7AD:[U          ]:LCT-4A09E411:
demouser:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:A827E65ED0E8EA4B14721624A19DE519:[U          ]:LCT-4A9E8E33:

You should see ‘demouser’ as an entry in the output.

5. Now, from the Windows machine, open an Explorer window and type \\<Tonido_Plug_IP>\demouser. It should prompt for a username and password. Enter ‘demouser’ and its password. Once you click ‘Ok’, it should show demouser’s home directory, with full access only to that home directory.

6 Responses

  1. [...] on the USB hard drive then it is as easy as changing few parameters in the configuration file. Look here for a quick how-to. Also if you are linux user who is familiar with SAMBA then the possibilities [...]

  2. oes tsetnoc says:

    Just a few words of thanks for such nice work. You got it right, short and to the point. I got my shares up and running in no time. Thanks

  3. Russell says:

    I have a TonidoPlug; I’d like to password protect write access to the ‘MediaDrive’ share, but allow all to have read access. How can I achieve this?
    Thanks for a great article, and device CodeLathe!

  4. Kevin Guske says:

    This looks like exactly what I need, but I tried this twice and couldn’t see ‘demouser’ as an entry in the output. However, I also received messages on step 1:

    3 upgraded, 2 newly installed, 0 to remove and 85 not upgraded.
    E: Could not open lock file /var/cache/apt/archives/lock/ – open (2 No such file or directory)
    E: Unable to lock the download directory.

    So, I manually created the folders /var/cache/apt/archives and /var/cache/apt/archives/partial, and was able to complete step 1. Hopefully, this helps someone else.

    Now, all I need is the ability to prevent a user from seeing anything other than his home directory…

  5. Richard says:

    Hi,

    Will you be doing an update that will incorporate this? I’m a little too skittish to do the above changes. I am trying to get Boxee to read from my TonidoPlug using SMB.

    Thanks
