Create samba user shares in TonidoPlug (NAS)
TonidoPlug can act as a NAS device.
When an external USB hard disk is connected to TonidoPlug, it automatically mounts the USB HDD and makes it available to other computers on the network. For example, to connect to this share from Windows, open an Explorer window and type \\<TonidoPlug IP>\MediaDisk and you get full access to the USB HDD.
TonidoPlug is not configured for user-based access to its Samba shares by default (anyone on the network can read and write the whole disk), so this guide sets up user-based access.
After this setup, users reach their own home directories by authenticating with their login and password. They cannot view or access other users' shares without knowing those users' credentials.
By default, a user created in the Linux OS is not automatically a Samba user; Samba keeps its own password database, and adding the user there is normally a separate step. This setup also automates that step.
1. Install the libpam-smbpass package. It provides a PAM module (pam_smbpass) that keeps Samba's password database in step with the Linux OS accounts: when a user authenticates through PAM or changes their password, the same password is written to Samba's passdb.
# apt-get install libpam-smbpass
2. Open /etc/samba/smb.conf in a text editor and make the following changes.
3. By default TonidoPlug gives everybody full access to the USB disk share and makes every access run as root. Disable this: in the share definition (the one published as MediaDisk), comment out the following lines by prefixing them with a semicolon.
; force user = root
; force group = root
; guest ok = yes
; browseable = yes
; public = yes
; writable = yes
The lines above are shown already commented out. With guest ok and public gone, the share is no longer reachable anonymously, and with force user = root gone, client writes are no longer performed as root. Note that commenting out writable = yes also makes the share read-only, because Samba's default is read only = yes; keep that line if authenticated users should still be able to write to the disk.
4. By default TonidoPlug uses share-level access (a per-share password with no user identity). Change this to user-level access: in the [global] section, look for the line "security = share" and change it as follows.
# "security = user" is always a good idea. This will require a Unix account
# in this server for every user accessing the server. See
# in the samba-doc package for details.
security = user
Samba 4.0 and later have dropped share-level security altogether, so this change is also what keeps the configuration valid on a newer Samba build.
5. Keep the Unix and Samba password stores in step in both directions. pam_smbpass (step 1) covers the Linux-to-Samba direction. For the reverse, so that a password changed through Samba (with smbpasswd, or from a Windows client) is also applied to the Unix account, enable unix password sync in [global]. The stock smb.conf comment explains the parameter:
# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
unix password sync = yes
6. Users should reach their own home directory when they log in with their user name and password, so Samba must expose the home directories. Add (or un-comment) the [homes] section below. The line that does the access control is valid users = %S: %S expands to the name of the requested share, which for a [homes] share is the user name, so only that user can connect to \\server\username.
# Un-comment the following (and tweak the other settings below to suit)
# to enable the default home directory shares. This will share each
# user's home directory as \\server\username
[homes]
   comment = Home Directories
   browseable = yes
# By default, the home directories are exported read-only. Change the
# next parameter to 'no' if you want to be able to write to them.
   read only = no
# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
;   create mask = 0700
# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
;   directory mask = 0700
# By default, \\server\username shares can be connected to by anyone
# with access to the samba server. Un-comment the following parameter
# to make sure that only "username" can connect to \\server\username
# This might need tweaking when using external authentication schemes
   valid users = %S
With create mask and directory mask left commented out, Samba's defaults (0744 and 0755) apply, so files written over SMB are readable by any other local account on the plug; un-comment both lines to keep them at 0700. Also note that valid users = %S only governs SMB access: the home directory's own filesystem permissions still decide what other shell users on the plug can see.
7. Save smb.conf, run testparm to check the file for syntax errors and unknown parameters, and then restart the Samba daemon.
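As an added example (this script is not from the original post), here is a small POSIX shell audit that flags the wide-open settings steps 3 to 6 remove: share-level security, force user = root, guest ok or public = yes, and a [homes] share that lacks valid users = %S. It assumes only sh and awk on the plug; the path of the smb.conf to check is whatever you pass as the first argument, and the sample configurations it was written against are constructed, not copied from a TonidoPlug.

```shell
#!/bin/sh
# Added example, not from the original post: audit an smb.conf for the
# defaults this guide removes. Assumes POSIX sh and awk; the file path is
# supplied by the caller (e.g. /etc/samba/smb.conf).

# Normalise an smb.conf into "section|key|value" records, lower-cased,
# with comment lines (# or ;), blank lines and surrounding whitespace dropped.
smb_records() {
    awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        $0 == "" || $0 ~ /^[#;]/ { next }
        $0 ~ /^\[.*\]$/ { sec = tolower(substr($0, 2, length($0) - 2)); next }
        index($0, "=") > 0 {
            i = index($0, "=")
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            sub(/[ \t]+$/, "", k); sub(/^[ \t]+/, "", v)
            print sec "|" tolower(k) "|" tolower(v)
        }
    ' "$1"
}

# Print one line per finding; return 0 when the file is clean, 1 otherwise.
audit_smb_conf() {
    bad=0 homes=0 homes_valid=0
    while IFS='|' read -r sec key val; do
        [ "$sec" = homes ] && homes=1
        case "$sec|$key|$val" in
            'global|security|share')
                echo "WEAK [global]: security = share -> set security = user"; bad=1 ;;
            *'|force user|root')
                echo "WEAK [$sec]: force user = root -> remove; every client write would run as root"; bad=1 ;;
            *'|guest ok|yes'|*'|public|yes')
                echo "WEAK [$sec]: $key = yes -> remove; allows anonymous access"; bad=1 ;;
            'homes|valid users|%s')
                homes_valid=1 ;;
        esac
    done <<EOF
$(smb_records "$1")
EOF
    if [ "$homes" -eq 0 ]; then
        echo "MISSING: no [homes] section; per-user home shares are not exposed"; bad=1
    elif [ "$homes_valid" -eq 0 ]; then
        echo "WEAK [homes]: no 'valid users = %S'; any authenticated user can open any home"; bad=1
    fi
    return $bad
}

# Usage: sh audit.sh /etc/samba/smb.conf   (exit status 1 if anything was flagged)
if [ $# -gt 0 ]; then
    audit_smb_conf "$1"
fi
```

The exit status makes the script usable as a check after editing: run it before testparm and the restart, and treat any non-zero result as "not done yet".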
For testing, we will create a user on the TonidoPlug and try to access that user's home directory as a Samba share.
1. Create a user on TonidoPlug. You can do this over SSH as the root user.
2. Set a password for demouser.
3. Important: Open another SSH session to TonidoPlug and log in as the new user. This is the only trigger I could find to synchronize the OS user details with Samba.
You can close the SSH session as soon as the login succeeds.
4. In the other SSH session (as root), verify that the new Linux user has been synchronized with Samba.
You should see 'demouser' as an entry in the output.
5. Now, from the Windows machine, open an Explorer window and type \\<Tonido_Plug_IP>\demouser. It should prompt for a user name and password; enter 'demouser' and its password. Once you click 'OK' it should show demouser's home directory with full access, but only to that home directory: the same credentials do not open any other user's share.
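The test procedure above, as an added example that is not part of the original post: a shell script that provisions the user from the root SSH session without relying on an interactive login to trigger pam_smbpass (it adds the Samba entry directly with smbpasswd), locks the home directory down on the filesystem, and then checks from the plug itself that the user is in Samba's passdb, can open its own home share, and is refused on another user's home share. Assumptions not stated in the post: it runs as root on the plug, the smbclient package is installed, the [homes] share with valid users = %S is in place, and the user name and password given on the command line are placeholders you choose.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes root on the plug,
# smbclient installed, and [homes] with "valid users = %S" configured.
# Usage: sh samba-user.sh demouser 'chosen-password' [other-user]

# Exact-match test for a user in "pdbedit -L" output (user:uid:full name),
# read from stdin. Returns 0 if present, 1 if not; "demo" must not match
# "demouser", hence a field comparison rather than a substring grep.
samba_user_listed() {
    awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }'
}

# Create the Unix account and the matching Samba passdb entry in one go.
provision_samba_user() {
    name=$1 pass=$2
    useradd -m -s /bin/bash "$name"
    printf '%s:%s\n' "$name" "$pass" | chpasswd
    # smbpasswd -s reads the new password (twice) from stdin; -a adds the user.
    printf '%s\n%s\n' "$pass" "$pass" | smbpasswd -s -a "$name"
    # "valid users = %S" only restricts SMB; other local accounts could still
    # read a 0755 home directory over SSH, so close it on the filesystem too.
    chmod 700 "/home/$name"
}

# Verify: in passdb, own home share opens, another user's home share is
# refused (smbclient reports NT_STATUS_ACCESS_DENIED for that case).
verify_samba_user() {
    name=$1 pass=$2 other=${3:-root}
    pdbedit -L | samba_user_listed "$name" \
        || { echo "not in Samba passdb: $name"; return 1; }
    smbclient "//localhost/$name" -U "$name%$pass" -c ls >/dev/null \
        || { echo "cannot open own home share: $name"; return 1; }
    if smbclient "//localhost/$other" -U "$name%$pass" -c ls >/dev/null 2>&1; then
        echo "FAIL: $name can open //localhost/$other"; return 1
    fi
    echo "OK: $name is listed in passdb and restricted to its own home share"
}

if [ $# -ge 2 ]; then
    provision_samba_user "$1" "$2" && verify_samba_user "$1" "$2" "${3:-root}"
fi
```

The negative check (connecting to another user's home with demouser's credentials) is the part worth keeping in any later test: it is the one that fails if valid users = %S was forgotten, while the Windows Explorer test from step 5 still looks fine.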