Self-hosted FOSS cloud step 1.3: File sharing with Samba

This is step 1.3 of this article: http://julien.coubronne.net/a-self-hosted-free-opensource-cloud

Install Samba

The resources from Debian are great: https://wiki.debian.org/SambaServerSimple

In a nutshell, to install the Samba server and client and configure the daemon:

# apt-get install samba
# apt-get install samba-client
# nano /etc/samba/smb.conf

 

Sync the Unix and Samba passwords

The idea is to have the same passwords for the Unix users (users with an account on the server) and the Samba users (users allowed to connect to the Samba shares).

This is an optional step that may not suit your needs.

I copy here the following resource: https://web.archive.org/web/20130530031518/http://jaka.kubje.org/infodump/2007-05-14-unix-samba-password-sync-on-debian-etch (found via https://superuser.com/questions/478521/samba-sync-password-with-unix-password-on-debian-wheezy).

Assumptions

  • All users of the system are happy with using their Unix passwords for Samba,
  • all Unix users will have a Samba account with the same username,
  • Unix and/or Samba accounts might already exist, possibly with non-matching passwords.

Prerequisites

Install the following packages:

# apt-get install libpam-smbpass smbclient

Unix -> Samba

In order to update the Samba password whenever a user changes their Unix password, change

/etc/pam.d/common-password: from

password   required   pam_unix.so nullok obscure min=4 max=8 md5

to

password   requisite  pam_unix.so nullok obscure min=4 max=8 md5
password   required   pam_smbpass.so nullok use_authtok try_first_pass

Changing “required” to “requisite” for pam_unix will make sure that if the Unix password change fails, the execution of plugins ends immediately.

In order for this to work, users must already have Samba accounts, and their Samba passwords must match their Unix passwords. Because this is not necessarily the case, we must change

/etc/pam.d/common-auth: from

auth    required        pam_unix.so nullok_secure

to

auth    requisite       pam_unix.so nullok_secure
auth    optional        pam_smbpass.so migrate

This will create a Samba user, if it doesn’t already exist, and change its password to the Unix password, whenever the user logs in using SSH or any other service that uses default system (common-auth) authentication.

You should see a message “Added user” when logging in using SSH with an account that doesn’t already have a Samba account.

Because this will also create a Samba account for root, you might want to disable root access in Samba (Debian Etch has it disabled by default):

/etc/samba/smb.conf:

invalid users = root

Caveat: This will not work if the user logs in via SSH or other services without using a password (for example by using public/private key authentication). In this case, PAM won’t have the plain-text password, which is needed to create the Samba password.

Notice: When you modify common-password to also require Samba password updates, any currently logged-in users will not be able to change their password using “passwd” until they log in again, unless they already have an existing Samba account with a password equal to their Unix password.

Samba -> Unix

We instruct Samba to use PAM when changing passwords:

/etc/samba/smb.conf:

unix password sync = yes
pam password change = yes

Restart Samba using /etc/init.d/samba restart.

Configure PAM to support changing of password by Samba by adding @include common-password:

/etc/pam.d/samba:

@include common-auth
@include common-account
@include common-session
@include common-password

This will use the same mechanism to change passwords when using Samba as when using “passwd”. This means it will require an update of the Unix password before attempting to change the Samba password.
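
As an added example (not part of the original article or of the resource it copies), the shell functions below audit the three edited files: that pam_unix.so is "requisite" and listed before pam_smbpass.so, and that smb.conf carries the two sync options and lists root under "invalid users". The function names and the sample files are constructed for illustration.

```sh
# Added example: static audit of the PAM and smb.conf edits described above.
# Assumes one-word PAM control flags as on this page; bracketed controls fail.

# pam_stack_ok FILE TYPE: pam_unix.so is "requisite" and precedes pam_smbpass.so
pam_stack_ok() {
    awk -v type="$2" '
        /^[ \t]*#/ || $1 != type { next }
        $3 ~ /pam_unix\.so$/     { unix_at = NR; unix_ctl = $2 }
        $3 ~ /pam_smbpass\.so$/  { smb_at = NR }
        END { exit !(unix_at && smb_at && unix_at < smb_at && unix_ctl == "requisite") }
    ' "$1"
}

# smb_param FILE NAME: print the lower-cased value of a [global] parameter
smb_param() {
    awk -F= -v want="$2" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { in_global = (tolower($0) ~ /\[global\]/); next }
        in_global {
            key = tolower($1); gsub(/^[ \t]+|[ \t]+$/, "", key)
            val = tolower($2); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == want) found = val
        }
        END { print found }
    ' "$1"
}

# smb_conf_ok FILE: both sync options are "yes" and root is in "invalid users"
smb_conf_ok() {
    [ "$(smb_param "$1" 'unix password sync')" = yes ] || return 1
    [ "$(smb_param "$1" 'pam password change')" = yes ] || return 1
    case " $(smb_param "$1" 'invalid users' | tr ',' ' ') " in *" root "*) return 0 ;; esac
    return 1
}

# Constructed sample files: the "before" and "after" states from this page
demo=$(mktemp -d)
printf '%s\n' 'password required pam_unix.so nullok obscure min=4 max=8 md5' > "$demo/password.before"
printf '%s\n' 'password requisite pam_unix.so nullok obscure min=4 max=8 md5' \
    'password required pam_smbpass.so nullok use_authtok try_first_pass' \
    > "$demo/password.after"
printf '%s\n' '[global]' 'invalid users = root' 'unix password sync = yes' \
    'pam password change = yes' '[Shared]' 'path = /mnt/Shared' > "$demo/smb.after"
printf '%s\n' '[global]' 'unix password sync = yes' > "$demo/smb.before"
for f in before after; do
    pam_stack_ok "$demo/password.$f" password && p=ok || p=FAIL
    smb_conf_ok "$demo/smb.$f" && s=ok || s=FAIL
    echo "$f: pam=$p smb.conf=$s"
done
```

On a real server, point the functions at /etc/pam.d/common-password (type "password"), /etc/pam.d/common-auth (type "auth") and /etc/samba/smb.conf.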

Creating new users

Use chpasswd to avoid an error:

# useradd test
# echo "test:newpass" | chpasswd

Testing

  • Create a new Unix user, use a user without a Samba account, or delete the user’s samba account using smbpasswd -x <username> (as root),
  • log in as the user using SSH. You should see a message: "Added user <username>" at the very beginning of the output. Test the Samba account using the user’s Unix (and now also Samba) password,
  • change user’s Unix password using passwd and test Samba account again with the new password, to see if changes are reflected there,
  • change the Samba password using smbpasswd, then check the Samba account and try to log in using SSH with the new password,
  • change user’s Samba password to something else, as root, using smbpasswd <username>,
  • you should not be able to change your account’s password as a normal user at this point, using either passwd or smbpasswd. This is an incorrect state, but it should be fixed automatically the next time the user logs in,
  • log in using SSH and your Unix password again. Try connecting to Samba again, to see whether the password was synced correctly at login time.

These steps above have not been tested yet.

Configure the shares

There are a lot of ways to configure the shares within Samba; I strongly recommend reading the documentation: https://www.samba.org/samba/docs/using_samba/ch06.html

This is an example from my own server:

[Shared]
    path = /mnt/Shared
    read only = no
    writeable = yes
    browseable = yes
    valid users = user1, user2

Do not forget to restart the samba server after the changes with:

sudo service smbd restart
