SAMBA (Share level security)
By: Ian Marchak
Tested on Caldera eServer 2.3 with the standard kernel binaries, all patches/updates installed. Stock SAMBA from the eServer CD.
Date Submitted: 2000-10-21
The following is a rundown of what I did to set up a SAMBA server to act as a peer to peer type client for windows file sharing on the local network. No password authentication, nothing fancy...maybe later.
Everything that follows was performed as root unless otherwise noted. Be sure you make a backup of any file you modify, unless you like the pain.
Much of what follows can be found either in the Caldera Support pages or at www.samba.org. You can also download the HTML version of the O'Reilly book "Using Samba".
1. SECURITY
OK, before you go any further, I recommend making sure your box is secure a la the Security SxS documents, especially now that you may be exposing Windows-style file sharing to the internet. In my case, the machine that serves as the gateway will also be doing the SAMBA duties.
I have already been through the Security Steps and feel reasonably confident...well not horribly paranoid...about this. The lines that I added to my ipchains config are as follows: (I am using the ipchains-save / ipchains-restore scripts)
-A input -s 0/0 -d 0/0 137:139 -i eth0 -p 6 -j DENY -l
-A input -s 0/0 -d 0/0 137:139 -i eth0 -p 17 -j DENY -l
-A output -s 0/0 -d 0/0 137:139 -i eth0 -p 6 -j DENY -l
-A output -s 0/0 -d 0/0 137:139 -i eth0 -p 17 -j DENY -l
See also: Section 4 on TCP wrappers for SWAT.
Don't just blindly do what I did and assume it's right...I am no expert.
Other than that, you're on your own for security.
2. USER AND GROUP
I created a group and user for the file sharing and permissions, let's say group: smb and user: smbuser. Do this with COAS or webmin or whatever tool you want. Make the $HOME for smbuser /home/public.
After the user is created, you'll want to set the SGID bit on the directory so that files that are saved into that directory are automatically assigned the correct permissions to allow access by all on the network:
chmod 2777 /home/public
3. HOSTS FILES
Now make sure your /etc/hosts file has all the correct IP's and names for the machines you want to access SAMBA:
#/etc/hosts
127.0.0.1       localhost localhost.localdomain
192.168.0.1     gateway
192.168.0.10    mypc
192.168.0.11    mylaptop
192.168.0.12    brother
192.168.0.13    mom
Now we need to make a /etc/lmhosts for the mapping of IP hostnames to NetBIOS computer names (Network Neighbourhood):
#/etc/lmhosts
localhost   gateway
mypc        mypc
mylaptop    mylaptop
brother     brother
mom         mom
If you really like confusion you can make the NetBIOS name (the right side) different from the IP hostname (the left side)...but I wouldn't recommend it.
4. SWAT & CONFIGURING SAMBA
SWAT is the Samba Web Administration Tool.
SWAT should be in your /etc/inetd.conf by default (at least it was in mine). If not add:
swat stream tcp nowait.400 root /usr/sbin/tcpd swat
SWAT is now protected by TCP wrappers (see man hosts.allow). Make sure your /etc/hosts.allow file has the following line in it:
swat: 127.0.0.1 192.168.1.
Substitute whatever your local network address is, or list individual hosts for more control (you don't want Mom mucking up your SAMBA config, do you!). You can also specify hosts allow and hosts deny lists from within the SWAT configuration windows, adding another layer of security.
If you had to make any changes to /etc/inetd.conf issue the command to restart inetd:
killall -HUP inetd
OK. Now you can copy over the /etc/samba.d/smb.conf.sample and modify it manually, or just fire up SWAT (after all our hard work, why not!?) and it will create a small, tidy smb.conf file you can modify either manually or from within SWAT.
I am not getting into this step too deep, I don't understand a lot of it myself, so what I will do is post a copy of my smb.conf for you to look at/copy. (The names have been changed to protect the innocent):
# Global parameters
[global]
    workgroup = MYNETWORK
    netbios name = GATEWAY
    server string = Samba Server on GATEWAY
    interfaces = 192.168.1.1/24 127.0.0.1/24
    bind interfaces only = Yes
    security = SHARE
    max log size = 50
    time server = Yes
    socket options = TCP_NODELAY
    os level = 65
    preferred master = Yes
    # Clears up error logging about being unable to find domain master browser.
    domain master = Yes
    # DOS/Fat32 tracks filetimes in 2 sec. increments; Linux tracks in 1 sec.
    # Set for compatibility with VC++.
    dos filetime resolution = True
    dns proxy = No
    wins support = Yes
    guest account = smbuser
    hosts allow = 192.168.1.
    hosts deny = 24.
    printing = lprng

[homes]
    comment = Home Directories
    path = %H/Public
    valid users = %S
    read only = No
    create mask = 0750
    only user = Yes
    browseable = No

[printers]
    comment = All Printers
    path = /var/spool/samba
    create mask = 0700
    print ok = Yes
    browseable = No

[public]
    comment = Public
    path = /home/public
    write list = @users
    read only = No
    guest ok = Yes
    create mask = 0664
    directory mask = 0775
I don't know what all the entries are yet (i.e. printers and homes) but you can check these out with SWAT, which has a nice link to help for each of the various options and what they do. As far as I can tell the only important ones to this StepByStep are the Global and Public sections. All I know is it works for me.
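How the two kinds of host list on this page are evaluated, as an added example in Python (not part of the original StepByStep): the "hosts allow = 192.168.1." / "hosts deny = 24." pair from the smb.conf above, and the "swat: 127.0.0.1 192.168.1." line from /etc/hosts.allow in Section 4. It reimplements the rule order smbd and tcp_wrappers use (a match in the allow list grants, then a match in the deny list refuses, otherwise access is granted) against constructed client addresses; it shows that with both smb.conf lists set an address matching neither list is still let in, and that a hosts.allow line on its own refuses nobody until /etc/hosts.deny has a matching entry such as "swat: ALL".

```python
import ipaddress

def token_matches(token, addr):
    """One hosts-list token against a dotted-quad client address (hostname tokens not modelled)."""
    token = token.strip()
    if token.upper() == "ALL":
        return True
    if token.endswith("."):               # "192.168.1." is a string-prefix match on the address
        return addr.startswith(token)
    if "/" in token:                      # "192.168.1.0/24" or "192.168.1.0/255.255.255.0"
        return ipaddress.ip_address(addr) in ipaddress.ip_network(token, strict=False)
    return token == addr                  # otherwise an exact address

def list_matches(tokens, addr):
    return any(token_matches(t, addr) for t in tokens)

def samba_access(allow, deny, addr):
    """Order smbd uses for 'hosts allow' / 'hosts deny'."""
    if addr == "127.0.0.1":               # loopback is let in unless it is explicitly denied
        return not list_matches(deny, addr)
    if not allow and not deny:
        return True                       # neither list set: everyone
    if not deny:
        return list_matches(allow, addr)  # allow list only: listed hosts only
    if not allow:
        return not list_matches(deny, addr)
    if list_matches(allow, addr):
        return True                       # both lists: allow wins a conflict
    if list_matches(deny, addr):
        return False
    return True                           # both lists, matches neither: still allowed

def wrappers_access(allow, deny, addr):
    """Order tcp_wrappers (hosts_access(5)) uses for the swat entry in hosts.allow / hosts.deny."""
    if list_matches(allow, addr):
        return True
    if list_matches(deny, addr):
        return False
    return True                           # no hosts.deny match: access is granted

# Lists exactly as they appear on this page; the client addresses below are constructed test values.
SMB_ALLOW, SMB_DENY = ["192.168.1."], ["24."]
SWAT_ALLOW = ["127.0.0.1", "192.168.1."]

def audit(addr):
    """(smbd decision, SWAT with hosts.allow only, SWAT with 'swat: ALL' also in hosts.deny)."""
    return (samba_access(SMB_ALLOW, SMB_DENY, addr),
            wrappers_access(SWAT_ALLOW, [], addr),
            wrappers_access(SWAT_ALLOW, ["ALL"], addr))

if __name__ == "__main__":
    for a in ("192.168.1.10", "24.7.1.2", "10.20.30.40"):
        print(a, audit(a))
```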
5. TESTING SAMBA
Now your config files are done, directories created, user and group made...let's see what happens if you type:
/etc/rc.d/init.d/samba start
If you see no error messages you're probably home free!
Type:
smbclient -L localhost
If you're asked for a password just hit enter.
You should see something like the following:
Added interface ip=192.168.1.1 bcast=192.168.1.255 nmask=255.255.255.0
Added interface ip=127.0.0.1 bcast=127.0.0.255 nmask=255.255.255.0
Password: <Just Hit Enter>
Domain=[MYNETWORK] OS=[Unix] Server=[Samba 2.0.5]

        Sharename      Type      Comment
        ---------      ----      -------
        public         Disk      Public
        IPC$           IPC       IPC Service (Samba Server on Gateway)

        Server               Comment
        ---------            -------
        GATEWAY              Samba Server on Gateway

        Workgroup            Master
        ---------            -------
        MYNETWORK            GATEWAY
If you get this you're done. If you get error messages when you try and start SAMBA you'll have to do some troubleshooting. I didn't get error messages so I moved happily along (I did briefly think about the "Don't look a gift horse in the mouth" saying though).
That's it for the SAMBA side of things...now you need to make a few changes to have the Windows machines make use of your hard work.
6. CONFIGURING WINDOWS (Ugh!)
The following assumes you already have the machines on your network set up as a peer to peer/share level network.
Set up windows networking to make use of the SAMBA server we just started:
6a. In "Control Panel -> Network", the "Configuration" tab should have the file and printer sharing client installed. Make sure you have disabled the "Browse Master" option in the Properties dialogs. This will be done by SAMBA from now on; that's what the os level = 65 setting was for in smb.conf.
6b. Still on the "Configuration" tab, go to the TCP/IP component bound to your network card (not the one bound to your modem), and change the "Properties" of your WINS configuration to specify the SAMBA machine as a WINS server. First "Enable WINS Resolution", then enter the IP of your SAMBA machine and hit enter.
6c. Now pick the Identification tab and make sure you have a Computer Name and Workgroup that match what you have in the hosts, lmhosts and smb.conf files on the SAMBA machine.
That should be it. The setup for NT would go differently, but you'd still do basically the same things...just in different places.
AFTERWORD
This is really a very basic setup only intended for my brother and me to swap files back and forth without having our machines on all the time. SAMBA is an amazingly powerful tool capable of much more than this little shared directory setup we just did. If you take the ball and figure out how to do password level security in a StepByStep format, by all means fire it off to myself or one of the other SxS editors; if you used or were helped by this document, others can use and be helped by your Steps.
TIPS:
If you specify 'time server = Yes' you can make a batch file, say "nettime.bat", and add the command 'net time \\gateway /set /yes' to it. Then insert a "run=\pathto\nettime.bat" call into the win.ini files of your Windows machines and they'll always be synchronized with the SAMBA machine at startup. You may want to change the properties on the batch file to make sure it closes after running, so you aren't left with a window open when the time sync is finished.
Now just add 'rdate -s time.nrc.ca' as a cron job on the SAMBA machine and you'll always be within tenths of a second of the atomic clock at the National Research Council of Canada. (Or whatever timeserver you want to use.)