david-halliday.co.uk

Samba file shares to ADS users

This came about after making a mistake in purchasing, discussed in my blog. I got some guidance from this article (primarily aimed at Gentoo, but I was able to convert the small amount I needed) entitled How To Integrate Samba (File Sharing) Using Active Directory For Authentication. The rest I referenced from memory and my book Linux in a Windows World.

Samba is fully documented on the Samba site. Most FAQs and situations are covered in depth in the Samba HOWTOs.

To summarise (my quick guide to Samba shares): shares are surprisingly easy to add. First edit your smb.conf:

/etc/samba/smb.conf

Then, to add a share named "myshare1" exposing the directory /home/myshare1, you only need to add this to the end of the file. With no other options the share is read-only for every user who can authenticate (Samba's default is read only = yes, and guests are not admitted), and the UNIX permissions on the directory still apply on top of whatever Samba allows:

[myshare1]
   path = /home/myshare1

And you are done. It's nice to add a comment:

[myshare1]
   path = /home/myshare1
   comment = My first share

Three other options are worth knowing:

  • browseable controls whether the share is visible when a user browses the server for shares. This is the proper way to hide a share; appending a $ to the name merely relies on Windows clients hiding such names, and neither is access control.
  • available toggles the share on and off (useful if you want to disable a share but keep its definition for future use).
  • writeable says whether the share is read-only or writable (it is the inverse of the read only option).

So we now have this:

[myshare1]
   available = yes
   path = /home/myshare1
   comment = My first share
   browseable = yes
   writeable = yes

So now I have a share that all users can read and write to. But I only want it for staff, with no students allowed, so now I need to control access:

  • valid users allows me to give a list of who is allowed to connect to this share; anyone not on the list is refused at connection time.

The AD group is written the way winbind presents it, as DOMAIN+group (this confused me at first): the "+" is whatever winbind separator is set to in the [global] section (the default is a backslash), and the leading @ means "everyone in this group". You just add a line like below:

[myshare1]
   available = yes
   path = /home/myshare1
   comment = My first share
   browseable = yes
   writeable = yes
   valid users = @DOMAIN+staff

Now only staff can connect to the share and change these files. The UNIX group that DOMAIN+staff maps to still needs write permission on /home/myshare1, since Samba never grants more than the filesystem allows.

But what about a share that staff can add files to and change, while students can only look at them? Just add this option:

  • read list names the users (or @groups) who are given read-only access to the share even though the share itself is writeable.

Note that the students have to be in valid users too, otherwise they cannot connect at all:

[myshare1]
   available = yes
   path = /home/myshare1
   comment = My first share
   browseable = yes
   writeable = yes
   valid users = @DOMAIN+staff @DOMAIN+students
   read list = @DOMAIN+students

Homes

There is a share called homes. This is a default which gives each user access to their own home directory (to which they can copy files, much like using FTP to upload web site content). If you don't want this, just add the "available = no" setting and it won't bother you; the same goes for all the other default shares. If you want to use it with the domain users, the share has to look something like this:

[homes]
   available = yes
   inherit acls = Yes
   comment = Home Directories
   browseable = no
   writeable = yes
   valid users = @DOMAIN+staff @DOMAIN+students

A few notes on how this is different from normal shares:

  • if browseable is set to yes then you will have two shares appear, one called "homes" and one named after the user.
  • by default all users can look at other users' files but not alter any but their own. This is governed by the UNIX permissions on the home directories (typically 755), exactly as if the files were accessed locally from a UNIX machine, so make the home directories 700 if users should not see each other's files.
  • inherit acls is to do with managing permissions (new files and directories honour the default ACL of the parent directory). I just left it and things work happily.

Server name

Lastly you may wish to change the name that your users see. "Samba 3.0.20b-3.4-SUSE (ServerName)" isn't pretty and in most cases it may confuse people; it also advertises the exact Samba version to anyone who can list the server, because the default server string is "Samba %v". To solve this you can change the "server string" option.

You can also add a description using the "comment" option, but note that comment is a per-share parameter: putting it in [global] only sets the default comment for shares that do not define their own. Both of these can be added to the [global] section of your smb.conf file; example below:

server string = rockhopper
comment = file server
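As an added example, not from the original post: the pieces above pulled into one smb.conf, including the [global] section the post leaves out, which is where the AD join settings live and where the winbind separator that produces the DOMAIN+group names is set. It is written as a shell script so the file can be generated into a scratch directory and checked with testparm before it replaces /etc/samba/smb.conf. The realm EXAMPLE.LOCAL, the short domain name DOMAIN, the idmap range and the hostname rockhopper are assumed values, and idmap uid/gid is the Samba 3.0-era syntax matching the version in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Generates a complete smb.conf for
# the staff/students shares described above. Assumed values: realm
# EXAMPLE.LOCAL, short domain DOMAIN, idmap range 10000-20000, and the
# Samba 3.0-style idmap options (the version the post runs).
set -eu

write_smb_conf() {
    # $1 = path to write, $2 = directory behind [myshare1]
    cat > "$1" <<EOF
[global]
   workgroup = DOMAIN
   realm = EXAMPLE.LOCAL
   security = ads
   # the default server string is "Samba %v", which advertises the exact version
   server string = rockhopper
   # this is the "+" in @DOMAIN+staff; the default separator is a backslash
   winbind separator = +
   # keep the DOMAIN+ prefix so local and domain account names cannot collide
   winbind use default domain = no
   winbind enum users = yes
   winbind enum groups = yes
   # UNIX ids that winbind hands out to AD users and groups (Samba 3.0 syntax)
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   # [homes] resolves to this; the directory must exist (e.g. via pam_mkhomedir)
   template homedir = /home/%D/%U
   template shell = /bin/false

[homes]
   available = yes
   comment = Home Directories
   browseable = no
   writeable = yes
   inherit acls = yes
   valid users = @DOMAIN+staff @DOMAIN+students

[myshare1]
   available = yes
   path = $2
   comment = My first share
   browseable = yes
   writeable = yes
   # students may connect, but read list makes their connection read-only
   valid users = @DOMAIN+staff @DOMAIN+students
   read list = @DOMAIN+students
EOF
}

prepare_share_dir() {
    # $1 = share directory, $2 = UNIX name of the staff group (DOMAIN+staff)
    # Samba never grants more than the filesystem does: staff write through the
    # group bits, students read through "other"; setgid keeps new files in the
    # staff group. Fails if winbind cannot resolve the group through nsswitch.
    mkdir -p "$1"
    chmod 2775 "$1"
    if getent group "$2" >/dev/null 2>&1; then
        chgrp "$2" "$1"
    else
        echo "cannot resolve group $2: check winbind in /etc/nsswitch.conf" >&2
        return 1
    fi
}

check_smb_conf() {
    # $1 = smb.conf path. testparm parses the file and reports errors; this is
    # a no-op when Samba is not installed on the machine running the script.
    if command -v testparm >/dev/null 2>&1; then
        testparm -s "$1" >/dev/null
    fi
}

# usage: sh this-script.sh install   (writes the real file; run as root)
if [ "${1:-}" = "install" ]; then
    write_smb_conf /etc/samba/smb.conf /home/myshare1
    prepare_share_dir /home/myshare1 'DOMAIN+staff'
    check_smb_conf /etc/samba/smb.conf
fi
```

Before restarting smbd, `wbinfo -g` should list the AD groups and `getent group 'DOMAIN+staff'` should resolve one of them through nsswitch; if the second fails, the valid users line matches nobody and every connection to the share is refused.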

The NAS bit

The reason I looked into this was a NAS box that could not do ADS authentication. It had decent authentication of its own, but couldn't use my ADS user names and passwords.

My solution was:

  • Mount the NAS box under /mnt/nasbox
  • share the directories that I wanted to make available to the AD users with the relevant permissions

Easier said than done...

First I had to get the server to mount the NAS box on boot. This was done by adding the following (one line) to /etc/fstab:

//nas01/share  /mnt/nas01  smbfs  username=nasuser,password=naspassword,rw,_netdev,auto  0 0

  • //nas01/share - nas01 is the NAS box's NetBIOS name, share is the name of the share
  • /mnt/nas01 - the mount point on my server
  • smbfs - file system type (the old kernel client; it was removed from the kernel in 2.6.27 and cifs is its replacement)
  • username=nasuser - the user name for the NAS box share
  • password=naspassword - the password for the NAS box share. Note that /etc/fstab is readable by every local user, so the NAS password is too; cifs's credentials= option, pointing at a file only root can read, keeps it out of fstab.
  • rw - mounts the NAS box for Read and Write
  • _netdev - waits for the network to be working before trying to mount a network drive... for obvious reasons
  • auto - mount this at boot time
  • 0 0 - the dump and fsck pass fields; both 0, since the NAS box checks its own file system

Then I had to share the box, but with those mount settings only root has access to the file system (mounted by root without uid= or gid= options, smbfs presents every file as owned by root, and I couldn't get other users access properly). For this I just add the last two lines to the Samba configuration of the share so that write access actually works:

[myshare1]
   available = yes
   path = /mnt/nas01/myshare1
   comment = My first share
   browseable = yes
   writeable = yes
   valid users = @DOMAIN+staff @DOMAIN+students
   read list = @DOMAIN+students
   force user = root
   force group = root

This is not needed if you are sharing a normal directory; it is only for my unusual situation. Be aware of what force user = root does: every file operation any connected client performs on this share is carried out by smbd as root, so a misbehaving client, or a symlink placed on the NAS, is acted on with root's privileges. Mounting with uid= and gid= set to a dedicated local account, and forcing that account instead of root, gives the same working share without that exposure.
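As an added example, not from the original post: the same NAS mount rewritten so that the NAS password is not sitting in the world-readable /etc/fstab, and so that the Samba share does not need force user = root. It assumes the cifs kernel client (the replacement for smbfs, which takes a credentials= option), a local service account called nasproxy created for this job, and the names from the post (nas01, share, /mnt/nas01, nasuser).

```shell
#!/bin/sh
# Added example, not from the original post. Builds the credentials file, the
# fstab entry and the share stanza for the NAS mount without a plaintext
# password in fstab and without running the share as root. Assumed: the cifs
# client, a local service account "nasproxy" (with a group of the same name),
# and the NAS names used in the post.
set -eu

make_cifs_credentials() {
    # $1 = credentials file, $2 = NAS user, $3 = NAS password
    # umask 077 makes the file root-only (0600) from the moment it is created,
    # so the secret is never briefly world-readable; mount.cifs reads it via
    # the credentials= option in the fstab entry.
    ( umask 077; printf 'username=%s\npassword=%s\n' "$2" "$3" > "$1" )
    chmod 600 "$1"
}

fstab_entry() {
    # $1 = //server/share, $2 = mount point, $3 = credentials file,
    # $4 = uid, $5 = gid that should own the mounted files
    # uid=/gid= make the NAS files appear owned by the service account instead
    # of root, so the Samba share can run as that account rather than as root.
    printf '%s %s cifs credentials=%s,uid=%s,gid=%s,file_mode=0660,dir_mode=0770,_netdev 0 0\n' \
        "$1" "$2" "$3" "$4" "$5"
}

share_stanza() {
    # $1 = share name, $2 = path, $3 = service account
    # force user/group make smbd act as the service account on this share,
    # which is exactly the identity that owns the uid=/gid= mount; root is no
    # longer involved in any client's file operations.
    cat <<EOF
[$1]
   available = yes
   path = $2
   comment = NAS share for AD users
   browseable = yes
   writeable = yes
   valid users = @DOMAIN+staff @DOMAIN+students
   read list = @DOMAIN+students
   force user = $3
   force group = $3
EOF
}

# usage: sh this-script.sh install   (run as root; appends to /etc/fstab and
# prints the stanza to paste into smb.conf)
if [ "${1:-}" = "install" ]; then
    make_cifs_credentials /root/.nas01.cred nasuser naspassword
    fstab_entry //nas01/share /mnt/nas01 /root/.nas01.cred nasproxy nasproxy >> /etc/fstab
    mkdir -p /mnt/nas01
    share_stanza myshare1 /mnt/nas01/myshare1 nasproxy
fi
```

After `mount /mnt/nas01`, `ls -ld /mnt/nas01` should show nasproxy as the owner; if it still shows root, the uid=/gid= options were not honoured and force user = nasproxy will not be able to write.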