(forw) Re: Samba hint

Patrick Kirk patrick at enterprise-hr.com
Mon Sep 3 07:29:01 PDT 2001


----- Forwarded message from Ian Chilton <ian at ichilton.co.uk> -----

From: Ian Chilton <ian at ichilton.co.uk>
Date: Mon, 3 Sep 2001 12:36:12 +0100
Subject: Re: Samba hint
Reply-To: Ian Chilton <ian at ichilton.co.uk>

Hello,

Any chance of that as an attachment, to hints at linuxfromscratch.org?


Thanks!


Bye for Now,

Ian


                                  \|||/ 
                                  (o o)
 /-----------------------------ooO-(_)-Ooo----------------------------\
 |  Ian Chilton                    E-Mail: ian at ichilton.co.uk         |
 |  IRC Nick: GadgetMan            Backup: ichilton at www.linux.org.uk  |
 |  ICQ: 16007717 / 104665842      Web   : http://www.ichilton.co.uk  |
 |--------------------------------------------------------------------|
 |       For people who like peace and quiet: a phoneless cord        |
 \--------------------------------------------------------------------/

----- End forwarded message -----

-- 

Patrick "sig free and joyful" Kirk

GSM: +44 7876 560 646
ICQ: 42219699
-------------- next part --------------
TITLE:		Samba File and Print Server Hint
LFS VERSION:	3.0-RC1
AUTHOR:		Patrick Kirk <patrick at enterprise-hr.com>


Overview


Samba allows your Linux box to perform a number of functions that are typically the preserve of Windows 2000 Server Edition, for example acting as a Primary Domain Controller for a Win2k Domain, acting as a Backup Domain Controller or simply as a file server to share disk space with Windows PCs in a safe and secure manner.  In all these capacities, Samba can be expected to save a lot of license fees and be far more secure than any alternative.

This hint is for setting up Samba as a file and print server on a machine where security is important.  The emphasis is on security for the server and ease of use for the users.

For example, I use these settings on the machine that shares my ADSL connection.  



1. Installation

Samba can be downloaded from www.samba.org.  Its default installation creates a directory called samba in /usr/local and tidily puts all its bits in there.  If, like me, you like to be able to back up your system configuration just by backing up /etc, this needs to be changed.  Also, to save messing around with editing your path, it is worth specifying that the executables go in /usr/local/bin and /usr/local/sbin as appropriate.

As root execute these commands:

cd /usr/src &&
tar xzvf samba*.tar.gz &&
mkdir -p /etc/samba  &&
mkdir -p /var/lock/samba  &&
cd samba-2.2.1a/source &&
./configure --prefix=/usr/local --bindir=/usr/local/bin \
--sbindir=/usr/local/sbin --libdir=/etc/samba --sysconfdir=/etc/samba && make \
&& make install

2. Setting up sharing

In /etc/samba create a file called smb.conf and paste the following in:

[global]
	# Comments must sit on their own line: smb.conf treats text after a value as part of it.
	# Put your own workgroup in here.
	workgroup = KIRKS.NET
	# The hostname for your machine
	netbios name = ENTERPRISE
	server string = %h server (Samba %v)
	encrypt passwords = Yes
	# Keeping the password file under /etc/samba makes backups easier
	smb passwd file = /etc/samba/sambapasswd
	# Level of logging to syslog.  Keep this low
	syslog = 0
	max log size = 1000
	# Where to keep records
	log file = /var/log/samba/samba.log.%m
	# Log interesting stuff only
	log level = 2
	# Performance tuning - this works.  RTFM before tweaking
	socket options = IPTOS_LOWDELAY TCP_NODELAY SO_SNDBUF=4096 SO_RCVBUF=4096
	# One tool for one job.  Use bind for DNS.
	dns proxy = No
	# Security
	# These entries are essential.
	# Otherwise someone could attack the shares just by browsing from your workstation
	invalid users = root

	# Specify the IP range of your LAN and the ethernet card used to access the LAN
	# Leave the 127.0.0.1 entry there for diagnostics
	interfaces = eth0 192.168.0.0/255.255.255.0 127.0.0.1/24
	# Even if a remote attacker decodes a password, he is still locked out
	bind interfaces only = yes


[homes]
	# Allows users to store their data on the server
	comment = Home Directories
	read only = No
	create mask = 0700
	directory mask = 0700
	browseable = Yes
[data]
	# Create a folder for publicly shared resources like 
	# databases, telephone lists, etc.
        comment = Data Files and Backups
	# You need to set this path.  Mine is...
        path = /home/data
        read only = No
        create mask = 0775
        directory mask = 0775
        browseable = Yes

[system]
	# Copy the i386 folder from the Win2k CD here. 
	# Saves lots of time installing new drivers! 
	# Any other CDs you use a lot.
	# 
        comment = System and Installation Files
	# You need to set this path.  Mine is...
        path = /home/system
        read only = No
        create mask = 0775
        directory mask = 0775
        browseable = Yes

[printers]
        comment = All Printers
        path = /tmp
        create mask = 0700
        printable = Yes
        browseable = No

# End of file



3. Setting up users
smbpasswd -a john adds john and prompts you for john's password.  Unless you have lots of users, repeat this for each.  If you have too many for this to be practical, configure SWAT, which allows you to manage users and groups from a remote web browser.  SWAT is very easy to use, but if you need it there is detailed documentation, including an O'Reilly book in HTML format, at http://sunsite.dk/samba/docs

4. Setting up client machines
Windows 2000 machines will now just work if the username on the machine is the same as the account name you set up on the Samba server.  If it is not the same, then map network drives and take the option to connect using the name and password you set up on the server.

You might consider creating a batch file called login.bat in the startup group of client boxes that goes as follows:

net use h: \\192.168.0.1\homes /persistent:no

net use i: \\192.168.0.1\data /persistent:no

net use j: \\192.168.0.1\system /persistent:no

5. Starting samba
Create a file in /etc/init.d called samba and paste the following in:

#!/bin/sh
# Begin /etc/init.d/samba

#
# Include the functions declared in the /etc/init.d/functions file
#

source /etc/init.d/functions

case "$1" in
        start)
                echo -n "Starting Samba daemon..."
                loadproc /usr/local/sbin/nmbd

                echo -n "...Samba daemon started!"
                loadproc /usr/local/sbin/smbd
                ;;

        stop)
                echo -n "Stopping Samba daemon!"
                killproc smbd

                echo -n "...Samba daemon stopped."
                killproc nmbd
                ;;

        reload)
                echo -n "Reloading Samba daemon configuration file..."
                reloadproc smbd
                reloadproc nmbd
                ;;

        restart)
                $0 stop
                /usr/bin/sleep 1
                $0 start
                ;;

        status)
                statusproc /usr/local/sbin/nmbd
                statusproc /usr/local/sbin/smbd
                ;;

        *)
                echo "Usage: $0 {start|stop|reload|restart|status}"
                exit 1
        ;;

esac

# End /etc/init.d/samba

To start samba, simply enter /etc/init.d/samba start

To have samba start every time your machine starts, run the following commands:

chmod 754 /etc/init.d/samba &&
ln -s  ../init.d/samba /etc/rc0.d/K400samba &&
ln -s  ../init.d/samba /etc/rc1.d/K400samba &&
ln -s  ../init.d/samba /etc/rc2.d/K400samba &&
ln -s  ../init.d/samba /etc/rc3.d/S600samba &&
ln -s  ../init.d/samba /etc/rc4.d/S600samba &&
ln -s  ../init.d/samba /etc/rc5.d/S600samba &&
ln -s  ../init.d/samba /etc/rc6.d/K400samba


6. The end
Congratulations.  You now have a fileserver set up that is safe, stable and secure.
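
An added example, not part of the original hint: a small Python check that an smb.conf still carries the [global] security settings from section 2 (encrypt passwords, invalid users = root, interfaces, bind interfaces only). It also flags values followed by '#' or ';' text, because smb.conf only recognises comments at the start of a line. The sample file and the function names are constructed for illustration.

```python
import re

# Constructed sample (not the hint's file): one trailing comment, no "invalid users".
SAMPLE = """\
[global]
    workgroup = EXAMPLE
    encrypt passwords = Yes
    interfaces = eth0 192.168.0.0/255.255.255.0
    bind interfaces only = yes  # LAN only
[homes]
    read only = No
"""

TRUE = {"yes", "true", "1"}

def parse(text):
    """Return {section: {param: value}}. '#' and ';' start a comment only at
    line start; case and whitespace in parameter names are not significant."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif line and line[0] not in "#;" and "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section]["".join(key.lower().split())] = value.strip()
    return conf

def audit(text):
    """Return a list of findings for the settings the [global] section relies on."""
    conf = parse(text)
    g = conf.get("global", {})
    findings = []
    for section, params in conf.items():
        for key, value in params.items():
            if re.search(r"\s[#;]", value):
                findings.append(f"[{section}] {key}: text after '#' or ';' is part of the value")
    if g.get("encryptpasswords", "").lower() not in TRUE:
        findings.append("[global] encrypt passwords is not enabled")
    if "root" not in re.split(r"[\s,]+", g.get("invalidusers", "")):
        findings.append("[global] invalid users does not list root")
    if not g.get("interfaces"):
        findings.append("[global] interfaces is not set")
    if g.get("bindinterfacesonly", "").lower() not in TRUE:
        findings.append("[global] bind interfaces only is not enabled")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Parameter names appear in findings with their whitespace removed, which is how the parser normalises them. Pass the text of /etc/samba/smb.conf to audit() to check a real file.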


