From eBower Wiki

What is Samba?

Samba is an expanded form of SMB - the Server Message Block protocol. In a nutshell it's a rather painful and chatty protocol used for Windows shares.

Why not NFS?

NFS <v4 was pretty broken from a security perspective. NFS4 fixes this, but at the cost of complexity. And I run a multi-device household: a bunch of Linux servers, I use Linux workstations (a laptop and a desktop), my wife uses Windows 7 (again, a laptop and a desktop), plus I've got Android devices, a Google TV, and who knows what else in the future. Samba just seems to cover the bases for much of what I want, and sshfs can fill in the gaps.

Plus I want to work towards centralized authentication. With all of my devices and servers, password rotation is a bear. I could either script it, or use Samba as an authentication mechanism since Samba already needs to know all of the users in the network. With NFS I'd need to configure NFS plus an LDAP server. And I'd need both to talk to Samba anyway for the Windows devices.

Configuring a Samba File Server

First, we need to install Samba:

sudo apt-get install samba smbfs

Now we need to edit /etc/samba/smb.conf. You may want to change a few things in this file.

  • workgroup: This will set up the name of the workgroup, essentially the network folder the server will appear in. I usually like to change this to something a bit more personalized than WORKGROUP.
  • server string: You can change the name of the server here if you feel strongly about it.
  • security: I'd recommend changing the security model to user. If you're just sharing files and don't care who sees them feel free to leave the default, but anything with write access or secure files should be set to user. This means that you'll need a user account for everyone who needs to access the system. But this is great when you want to use your Samba server to authenticate users anyway.
  • [profiles]: Uncomment this and map it to the homes directory.

Mounting Samba Shares in /etc/fstab

First you'll need to install the requisite packages:

sudo apt-get install smbclient cifs-utils

Mounting shares should be done automatically, so we can edit /etc/fstab and add the following line:

//smb-server/share /mount/point cifs username=me,password=mypass,_netdev 0 0

Now you can just run "sudo mount /mount/point" and it should mount automatically. The _netdev option should tell it not to bother mounting the volume unless the network is working. Of course, /etc/fstab is world-readable, so anyone who logs into your system can cat /etc/fstab and get your password.

The better method is to create a directory that only root can access and store your credentials there.

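sudo mkdir /etc/smbusers
sudo chmod 700 /etc/smbusers
# Append via sudo tee: a plain >> redirect would run as your own user and fail on the root-only directory
echo "username=me" | sudo tee -a /etc/smbusers/me > /dev/null
echo "password=mypass" | sudo tee -a /etc/smbusers/me > /dev/null
# Read/write for the owner (root) only
sudo chmod 600 /etc/smbusers/me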

Of course, you should probably just use vim instead of echoing each line individually, but otherwise things would look messier. Now we need to edit /etc/fstab to include this line:

//smb-server/share /mount/point cifs credentials=/etc/smbusers/me,_netdev 0 0

Now you see why I didn't try to hide the file, it's still in plain sight. On the plus side, they need root access to see the password, which means they need your password to see your password. Imperfect security, but still better than none at all. Especially if you use a throwaway password to access the share.
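
To check a machine for both cases above (a password= sitting in the world-readable fstab, or a credentials file that other users can read), here is a small audit script. It is an added example, not part of the original page; the finding labels, the /mnt/a, /mnt/b and /mnt/c mount points and the temp files in demo_audit are constructed for illustration, and it assumes a stat that supports -c (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example: flag CIFS entries in an fstab-format file that expose credentials.
# Prints one finding per line; prints nothing when every cifs entry is clean.
audit_cifs_fstab() {
    fstab=${1:-/etc/fstab}
    # fstab fields: device, mount point, fs type, options, then dump/pass.
    while read -r dev mnt type opts rest || [ -n "$dev" ]; do
        case $dev in ''|'#'*) continue ;; esac
        [ "$type" = cifs ] || continue
        cred=
        old_ifs=$IFS; IFS=,            # split the option list on commas
        for opt in $opts; do
            case $opt in
                password=*|pass=*) echo "INLINE_PASSWORD $mnt" ;;
                credentials=*|cred=*) cred=${opt#*=} ;;
            esac
        done
        IFS=$old_ifs
        [ -n "$cred" ] || continue
        if [ ! -f "$cred" ]; then
            echo "MISSING_CREDENTIALS $mnt $cred"
            continue
        fi
        mode=$(stat -c '%a' "$cred")   # octal mode, e.g. 600
        case $mode in
            *00|0) ;;                  # no group/other bits set
            *) echo "LOOSE_PERMISSIONS $mnt $cred $mode" ;;
        esac
    done < "$fstab"
}

# Constructed sample: the page's two fstab styles plus a world-readable file.
demo_audit() {
    d=$(mktemp -d) || return 1
    printf 'username=me\npassword=mypass\n' > "$d/me"
    cp "$d/me" "$d/loose"
    chmod 600 "$d/me"; chmod 644 "$d/loose"
    cat > "$d/fstab" <<EOF
# constructed entries, not a real fstab
//smb-server/share /mnt/a cifs username=me,password=mypass,_netdev 0 0
//smb-server/share /mnt/b cifs credentials=$d/me,_netdev 0 0
//smb-server/share /mnt/c cifs credentials=$d/loose,_netdev 0 0
EOF
    audit_cifs_fstab "$d/fstab"
    rm -rf "$d"
}
demo_audit
```

Run it as root against the real file with "audit_cifs_fstab /etc/fstab"; as an ordinary user, a credentials file inside a root-only directory is reported as MISSING_CREDENTIALS because it cannot be seen.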

If you have problems with the server shutting down, you may need to change the order in which it unmounts the drives:

sudo update-rc.d -f umountnfs.sh remove
sudo update-rc.d umountnfs.sh stop 15 0 6 .

I've had issues with servers not being able to resolve the hostname properly on boot. I've tried editing /etc/nsswitch.conf to add "wins" to the "hosts:" line to no avail. I ended up editing /etc/hosts to add a reference to my storage server, which seems to have fixed the issue. I'll have to make sure my DNS server is configured to hand out the appropriate A record when I get around to configuring it.

Configuring a Samba Authenticator

TBD

sudo apt-get install libpam-smbpass