Configuring Samba

There is probably not a single office that does not use shared local network resources, whether they are folders or printers. Large and medium-sized companies use the capabilities of Active Directory, while smaller companies use regular Windows or Samba tools, but on servers on Linux OS. Look at all the cases.

What is Samba?

Samba is a server application that implements client terminals’ access to folders, printers, and disks over the SMB/CIFS Protocol.

Configuring shared folders

Linux

The installation and configuration of the Samba server for Ubuntu is performed in the following steps.

Update information about repositories and install updates for existing software packages in the system:

apt-get update && apt-get upgrade

Installing the Samba pack:

apt-get install -y samba samba-client

Creating a reserve copy of the configuration file:

cp /etc/samba/smb.conf /etc/samba/smb.conf_sample

Creating directories for files, for example in the /media catalog:

mkdir /media/samba

Important! By default, the /media directory is located at the root of the system/, and a separate partition is rarely created for it. For this reason, the root partition may overflow. To avoid this unpleasant situation, we recommend mounting a separate hard drive in /media/samba.

Creating a folder for all users:

mkdir /media/samba/public

Changing the folder access rights:

chmod -R 0755 /media/samba/public

You should also use the chown command to change the owner and/or group.

Creating a directory for a limited number of people:

mkdir /media/samba/private

Using the system tools, we will create a user group:

groupadd smbgrp

Adding Samba users:

useradd user1

Adding the created users to the group:

usermod -aG smbgrp user1

Changing the group that the private directory belongs to:

chgrp smbgrp /media/samba/private

Use the Samba tools to create a password for the added user:

smbpasswd -a user1

Use a text editor such as nano to edit the samba configuration file:

nano /etc/samba/smb.conf

Deleting all lines from the file. Insert the following:

[global]

workgroup = WORKGROUP

security = user

map to guest = bad user

wins support = no

dns proxy = no

[public]

path = /media/samba/public

guest ok = yes

force user = nobody

browsable = yes

writable = yes

[private]

path = /media/samba/private

valid users = @smbgrp

guest ok = no

browsable = yes

writable = yes

Save using the combination Ctrl + X, then press Y and Enter.

Let’s explain the string values. The configuration file consists of three sections:

global — this section is responsible for the General settings of the Samba server;

public и private — the description section of the settings directories are shared.

The global section contains five parameters:

•   workgroup — working group. To simplify the work of users, WORKGROUP is specified as the default group. If the workgroup name is changed in your network, you should also change this value for Samba;
• security — the security level of the server. The value user means authorization by the username/password pair;
• map to guest — this parameter defines how requests are processed. The bad user value means that requests with an incorrect password will be rejected, even if such a user name exists;
• wins support — • enable or disable WINS support;
• dns proxy — the ability to proxy requests to a DNS.

Directory settings are made in the corresponding sections:

path — full path to the directory on your hard disk;

guest ok — ability to access the folder without a password (guest);

browsable — whether to show the folder on the server, among others.  If the parameter is set to » no”, access will be possible using the full path, for example, ip-address hidden_directory;

force user — the user who is working with the folder. To increase server security, “nobody” is usually used. The main thing is that it is not safe to use the root user.

writable — setting the value to “yes” allows the user to perform actions on files inside the folder — rename, add, delete, move to a subdirectory, and copy;

valid users — list of users who have access to the folder. If there are several users, their names are separated by commas. If access is required for users belonging to a group, the symbol ”at” (@) is set before the group name.

Important! The name of the shared directory displayed to users is equal to the name of the section where it is described.

Check the settings using the command:

testparm -s

Restarting the server:

service smbd restart

service nmbd restart

Configure the firewall. To do this, open TCP ports 139 and 445 in the rules, as well as UDP ports 137 and 138, but only for those subnets that you trust. To specify your own address range, replace the value after the “-s » key”:

iptables -A INPUT -p tcp -m tcp --dport 445 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 139 -s 10.0.0.0/24 -j ACCEPT

iptables -A INPUT -p udp -m udp --dport 137 -s 10.0.0.0/24 -j ACCEPT

iptables -A INPUT -p udp -m udp --dport 138 -s 10.0.0.0/24 -j ACCEPT

To save the rules and apply them after restarting the server, use the iptables-persistent package. Install it:

apt-get install iptables-persistent

During the installation of the package, the program will ask you to save existing iptables rules. Confirm this action.

To check existing rules, use:

iptables -L

Windows

Similar to Linux, we will configure shared access to the public and private folders, but in Windows.

To create shared access to a folder without password protection, you must configure security restrictions in the control panel. To do this, open:

Control panel → Network → network and sharing Center → Advanced sharing settings.

In the updated window, open the section «All networks” and look for the section» Shared access with password protection”. Setting the parameter to “Disable password-protected sharing”. To save the parameter values, click the “Save changes” button.

Now we will open access to the folder itself. Right-click on the folder and select “Properties” in the context menu. Open the «Access» tab and click on «Advanced settings».

In the advanced sharing settings window that opens, select the “Open shared access to this folder «checkbox in the “shared resource Name» field” specify the name that will be displayed to users. Click on the «Permissions» button.

In the window that opens, in user groups, select «All”, and in group permissions, set the “Full access» checkbox. Click » OK » in this and other Windows.

In the properties window of the public folder, click the «Shared access» button.

In the window that opens, add the “All «user, and delegate the» Read and write» rights. Click on the «Share» button.

In the updated window, click «Done».

Setting up a shared folder, but for a limited number of people.

Right-click on the folder and select «Properties«.

In the window that opens, go to the “Access » tab. Click on the «Advanced settings» button.

In the new window that opens, set the “Open shared access to this folder » checkbox. Then click on the «Permissions» button.

In the window that opens, in the “Groups or users” field, select «All “and click ”Delete».

This means that anonymous access to the folder is not allowed.

The window will update. Click on the «Add » button.

In the window that opens, click the «Advanced» button.

The window will change in size. Click on the «Search» button. Double-click to select the user who needs access to this folder, for example, accountant.

In the window that opens, if desired, we can add another user via «Advanced“ — «Search». Similarly, you can add a group of users, such as «Administrators«, but you should understand that access will be granted to all users in this group.

Setting access rights for the user «accountant». If you need full access to the directory, set the checkbox in the appropriate place.

Clicking the «OK «button returns to the folder properties window, where we click on the «Shared access» button.

In this window, you need to find and add the user «accountant».

In the window for selecting users and groups, click the «Advanced» button.

The window will change its size again. Click on the «Search» button. In the list of users and groups found below, select the user you are looking for. Double-click it.

In the remaining window, check whether the user is specified correctly and click «OK«.

Set the required permission level for the user and click on the «Share» button.

Click on the «Done» button.

Connecting to shared folders

from Linux

To connect to shared folders from the Linux environment, you need to install a separate software-smbclient. Establish:

sudo apt-get install smbclient

To connect to the server, use the following command format:

smbclient -U

Example:

smbclient -U buhgalter 10.0.0.1public

In order to avoid typing this command every time, it is possible to configure the mounting of a shared directory as a network drive. To do this, install the CIFS-utils package:

sudo apt-get install cifs-utils

The following template is used for mounting:

mount -t cifs -o username=Everyone,password= //10.0.0.1/public /media

Important! If you need to connect to shared folders located on a Windows server, use “Everyone” as the user name for non-password-protected directories. To connect to a Linux server, we recommend using “nobody” as the user name. If you have access to protected directories, use the credentials you specified.

from Windows

Connecting to deleted folders from the Windows environment is slightly different. To do this, use the following template in Windows Explorer or the program launch window (Windows + R):

By simply specifying the server IP address, you will get a list of shared folders.

When connecting to a Windows server, the security system may require you to enter credentials. To connect to a shared open folder, use Everyone, and leave the password field empty.

When connecting to a Linux server from Windows, use the template specified earlier:

or just the server address: