Create User Authenticated Samba Share

By default, TonidoPlug doesn’t provide user-based access to Samba shares. This guide provides instructions on how to enable this feature. By doing this setup, users can access their home directories by authenticating themselves with their login and password. They cannot view or access other user shares without their login credentials.

By default, when a user account is created on a Linux system, it is not available as a Samba user automatically. This usually is done as a separate step. In our setup we automate this process.

Configuring Samba

1. Install the libpam-smbpass (Tonidoplug 1) or libpam-samba (Tonidoplug 2) package. This package provides necessary tools to synchronize Linux user accounts with Samba repository.

TonidoPlug 2

apt-get install libpam-samba

TonidoPlug 1

apt-get install libpam-smbpass

2. Open /etc/samba/smb.conf in a text editor.

3. By default TonidoPlug allows full access to everybody. To disable this behavior, find the following lines and comment them:

# What naming service and in what order should we use to resolve host names
# to IP addresses
;   name resolve order = lmhosts host wins bcast
;   force user = root
;   force group = root
;   guest ok = yes
;   browseable = yes
;   public = yes
;   writable = yes

The above lines shows the commented configuration lines.

4. By default TonidoPlug allows share level access. Change this to user level access by modifying the security = share option as follows:

# "security = user" is always a good idea. This will require a Unix account
# in this server for every user accessing the server. See
# /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/ServerType.html
# in the samba-doc package for details.
   security = user

5. Enable automatic synchronization of user accounts between the system and Samba:

# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
   unix password sync = yes

6. To give users access to their own, made the following changes:

# Un-comment the following (and tweak the other settings below to suit)
# to enable the default home directory shares.  This will share each
# user's home directory as \server\username
[homes]
   comment = Home Directories
   browseable = yes
# By default, the home directories are exported read-only. Change the
# next parameter to 'no' if you want to be able to write to them.
read only = no
# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
;   create mask = 0700
# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
;   directory mask = 0700
# By default, \server\username shares can be connected to by anyone
# with access to the samba server.  Un-comment the following parameter
# to make sure that only "username" can connect to \server\username
# This might need tweaking when using external authentication schemes
   valid users = %S

7. Save the smb.conf file and restart the Samba daemon:

/etc/init.d/samba restart

Testing the Configuration

To test the created configuration, we will create a user on the TonidoPlug and try to access the user’s home directory as a samba share.

1. Create a user on TonidoPlug. You can do this by doing SSH to TonidoPlug as root user:

useradd -m -k /etc/skel demouser

2. Set a password for the demouser account.

passwd demouser

3. Open another SSH session to TonidoPlug and login as the new user. This is the only trigger I could find to push user accounts to Samba. You can close the SSH session as soon as login is successful.

4. From the other SSH session (as root user), verify if the new user account is synchronized with Samba:

pdbedit -w -L
nobody:65534:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-00000000:
root:0:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:0708DD6BC4B608A64FC970497CC6F7AD:[U          ]:LCT-4A09E411:
demouser:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:A827E65ED0E8EA4B14721624A19DE519:[U          ]:LCT-4A9E8E33:

You should see demouser as an entry in the output.

5. Now from a Windows machine, open an Explorer window and type the \\<Tonido_Plug_IP>\demouser. It should prompt for user name and password. Enter the demouser credentials. Once you click OK, and you should be able to see show the demouser’s home directory with full access.


Source: http://www.tonido.com/forum/viewtopic.php?f=37&t=285