How to provide user-based access to Samba shares


Post by Tuxedo » Wed Sep 02, 2009 11:09 am

By default, TonidoPlug is not configured to provide user-based access to Samba shares.
Here is a guide to providing user-based access.
With this setup, users can access their home directories by authenticating with their login and password. They cannot view or access other users' shares without those users' login credentials.
By default, when a user is created in the Linux OS, it is not automatically available as a Samba user. This is usually done as a separate step. In our setup we automate this process.

Setup
1. Install the libpam-smbpass package. This package provides the necessary tools to synchronize Linux OS users and passwords with the Samba repository.

Code:

apt-get install libpam-smbpass


2. Open /etc/samba/smb.conf with a text editor and make the following changes.

3. By default, TonidoPlug allows full access to everybody. Disable this default behavior. Look for the following lines and comment them out.

Code:

# What naming service and in what order should we use to resolve host names
# to IP addresses
;   name resolve order = lmhosts host wins bcast
;   force user = root
;   force group = root

;   guest ok = yes
;   browseable = yes
;   public = yes
;   writable = yes

The lines above show the configuration lines after they have been commented out.

4. By default, TonidoPlug allows share-level access. Change this to user-level access.
Look for the line "security = share" and change it as follows:

Code:

# "security = user" is always a good idea. This will require a Unix account
# in this server for every user accessing the server. See
# /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/ServerType.html
# in the samba-doc package for details.
   security = user


5. Enable automatic synchronization of user and password information from the Linux OS to Samba.

Code:

# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
   unix password sync = yes


6. We need users to be able to access their home directories when they log in with a user ID and password. The Samba configuration must be enabled to expose user home directories.

Code:

# Un-comment the following (and tweak the other settings below to suit)
# to enable the default home directory shares.  This will share each
# user's home directory as \\server\username
[homes]
   comment = Home Directories
   browseable = yes

# By default, the home directories are exported read-only. Change the
# next parameter to 'no' if you want to be able to write to them.
  read only = no

# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
;   create mask = 0700

# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
;   directory mask = 0700

# By default, \\server\username shares can be connected to by anyone
# with access to the samba server.  Un-comment the following parameter
# to make sure that only "username" can connect to \\server\username
# This might need tweaking when using external authentication schemes
   valid users = %S


7. Save the smb.conf file and restart the Samba daemon.

Code:

 # /etc/init.d/samba restart
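
As a check on the result of steps 3 to 6, this added example (not part of the original post) reads an smb.conf on standard input and reports the settings the guide disables, plus a [homes] section that lacks valid users = %S. The function names and both sample files are constructed for illustration.

```shell
# Added example, not from the original post; sample configs below are constructed.
audit_smbconf() {   # config on stdin, one finding per line, no output when clean
    awk '
    BEGIN { sec = "(no section)" }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }      # comments ("#" or ";") and blank lines
    /^[ \t]*\[/ {                             # section header such as [homes]
        sec = tolower($0); sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
        if (sec == "homes") seen_homes = 1
        next
    }
    {
        eq = index($0, "="); if (eq == 0) next
        key = tolower(substr($0, 1, eq - 1)); val = tolower(substr($0, eq + 1))
        gsub(/[ \t]/, "", key)                # Samba ignores whitespace in parameter names
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        on = (val == "yes" || val == "true" || val == "1")
        if (key == "security" && val == "share")
            print sec ": security = share, the guide sets security = user"
        if ((key == "guestok" || key == "public") && on)
            print sec ": guest access enabled by " key
        if ((key == "forceuser" || key == "forcegroup") && val == "root")
            print sec ": connections forced to root by " key
        if (sec == "homes" && key == "validusers" && val == "%s") locked = 1
    }
    END { if (seen_homes && !locked) print "homes: valid users = %S is not set" }'
}
sample_default() {   # constructed sample: the open defaults described in steps 3 and 4
cat <<'EOF'
[global]
   security = share
   force user = root
   Guest OK = Yes
[homes]
   read only = no
EOF
}
sample_fixed() {     # constructed sample: the same file after steps 3 to 6
cat <<'EOF'
[global]
   security = user
;   force user = root
[homes]
   read only = no
   valid users = %S
EOF
}
sample_default | audit_smbconf   # four findings
sample_fixed | audit_smbconf     # no output
```

On the plug itself, the same function can be fed the live file with `audit_smbconf < /etc/samba/smb.conf`.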


Test
For testing, we will create a user on the TonidoPlug and try to access the user's home directory as a samba share.

1. Create a user on TonidoPlug. You can do this by connecting to TonidoPlug over SSH as the root user.

Code:

 # useradd -m -k /etc/skel demouser


2. Set a password for the demouser.

Code:

 # passwd demouser


3. Important: Open another SSH session to TonidoPlug and log in as the new user. This is the only trigger I could find to synchronize the OS user details with Samba.
You can close the SSH session as soon as the login is successful.

4. From the other SSH session (as the root user), verify that the new Linux user is synchronized with Samba.

Code:

 pdbedit -w -L
nobody:65534:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-00000000:
root:0:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:0708DD6BC4B608A64FC970497CC6F7AD:[U          ]:LCT-4A09E411:
demouser:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:A827E65ED0E8EA4B14721624A19DE519:[U          ]:LCT-4A9E8E33:

You should see 'demouser' as an entry in the output.
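
The check in step 4 can be scripted. This added example (not part of the original post) parses the smbpasswd-format lines that pdbedit -w -L prints and reports one account's state without echoing the password hashes the listing contains. The function name, the status words and the sample accounts are constructed for illustration.

```shell
# Added example, not from the original post. Input is smbpasswd-format text as
# printed by "pdbedit -w -L": user:uid:LM hash:NT hash:[flags]:LCT-time:
sync_status() {   # usage: pdbedit -w -L | sync_status USERNAME
    awk -F: -v user="$1" '
    function is_hash(s) { return length(s) == 32 && s ~ /^[0-9A-Fa-f]+$/ }
    $1 == user {
        found = 1
        if ($5 ~ /D/)           print "disabled"              # D flag: account disabled
        else if ($5 ~ /N/)      print "no-password-required"  # N flag: empty password allowed
        else if (!is_hash($4))  print "no-nt-hash"            # placeholder, not synced yet
        else if (is_hash($3))   print "synced-with-lm-hash"   # weak LM hash also stored
        else                    print "synced"
    }
    END { if (!found) print "missing" }'
}

sample_listing() {   # constructed sample; users and hash values are made up
cat <<'EOF'
alice:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:0123456789ABCDEF0123456789ABCDEF:[U          ]:LCT-00000001:
bob:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-00000000:
carol:1003:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:FEDCBA9876543210FEDCBA9876543210:[DU         ]:LCT-00000002:
EOF
}

for u in alice bob carol dave; do
    printf '%s: %s\n' "$u" "$(sample_listing | sync_status "$u")"
done
```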

5. Now, from the Windows machine, open an Explorer window and type \\<Tonido_Plug_IP>\demouser. It should prompt for a username and password. Enter 'demouser' and its password. Once you click 'OK', it should show demouser's home directory, with full access only to that home directory.
