This is the step 1.3 of this article: http://julien.coubronne.net/a-self-hosted-free-opensource-cloud
In this article, we will:
- Install Samba
- Sync the Unix and Samba passwords
- Test the configuration and configure the Samba shares
The ressources from Debian are great: https://wiki.debian.org/SambaServerSimple
In a nutshell, to install the samba server, client, and configure the deamon:
# apt-get install samba # apt-get install samba-client # nano /etc/samba/smb.conf
Sync the Unix and Samba passwords
The idea is to have similar passwords between the Unix users (users with an account on the server) and the Samba users (user allowed to connect on the samba shares).
This is an optional step, that may not suit your own needs.
I copy here the following ressource: https://web.archive.org/web/20130530031518/http://jaka.kubje.org/infodump/2007-05-14-unix-samba-password-sync-on-debian-etch (found via https://superuser.com/questions/478521/samba-sync-password-with-unix-password-on-debian-wheezy).
- All users of the system are happy with using their Unix passwords for Samba,
- all Unix users will have a Samba account with the same username,
- Unix and/or Samba accounts might already exist, possibly with non-matching passwords.
Install the following packages:
# apt-get install libpam-smbpass smbclient
Unix -> Samba
In order to update the Samba password whenever a user changes their Unix password, change
password required pam_unix.so nullok obscure min=4 max=8 md5
password requisite** pam_unix.so nullok obscure min=4 max=8 md5 password required pam_smbpass.so nullok use_authtok try_first_pass
Changing « required » to « requisite » for pam_unix will make sure that if Unix password change fails, the execution of plugins ends immediately.
In order for this to work, users must already have Samba accounts, and their Samba passwords must match their Unix passwords. Because this is not necessarily the case, we must change
auth required pam_unix.so nullok_secure
auth requisite pam_unix.so nullok_secure auth optional pam_smbpass.so migrate
This will create a Samba user, if it doesn’t already exist, and change it’s password to the Unix password, whenever the user logs in using SSH or any other service that uses default system (common-auth) authentication.
You should see a message « Added user » when logging in using SSH with an account that doesn’t already have a Samba account.
Because this will also create a Samba account for root, you might want to disable root access in Samba (Debian Etch has it disabled by default):
invalid users = root
Caveat: This will not work if the user logs in via SSH or other services without using a password (for example by using public/private key authentication). In this case, PAM won’t have the plain-text password, which is needed to create the Samba password.
Notice: When you modify common-password to also require Samba passwords updates, any currently logged in users will not be able to change their password using « passwd » until they re-login, unless they already have an existing Samba account with a password equal to their Unix password.
Samba -> Unix
We instruct Samba to use PAM when changing passwords:
unix password sync = yes pam password change = yes
Restart Samba using /etc/init.d/samba restart.
Configure PAM to support changing of password by Samba by adding @include common-password:
@include common-auth @include common-account @include common-session @include common-password
This will use the same mechanism to change passwords when using Samba as when using « passwd ». This means it will require an update of the Unix password before attempting to change the Samba password.
Creating new users
use chpasswd to avoid error:
# useradd test # echo “test:newpass” | chpasswd
- Create a new Unix user, use a user without a Samba account, or delete the user’s samba account using
smbpasswd -x <username>(as root),
- login as the user using SSH. You should see a message:
"Added user <username>"at the very beginning of the output. Test Samba account using the user’s Unix (and now also Samba) password,
- change user’s Unix password using
passwdand test Samba account again with the new password, to see if changes are reflected there,
- change the Samba password using
smbpasswdand check both Samba account and try to log in using SSH and the new password,
- change user’s Samba password to something else, as root, using
- you should not be able to change your account’s password as a normal user at this point, using either
smbpasswd. This is an incorrect state, but it should be fixed automatically the next time the user logs in,
- login using SSH and your Unix password again. Try connecting to Samba again, to see whether the password was synced correctly at login time.
These steps above have not been tested yet.
Configure the shares
There are a lot of ways to configure the shares within Samba, I strongly recommend to read the documentation: https://www.samba.org/samba/docs/using_samba/ch06.html
This is an example from my own server:
[Shared] path = /mnt/Shared read only = no writeable = yes browseable = yes valid users = user1, user2
Do not forget to restart the samba server after the changes with:
sudo service smbd restart