Sunday, July 5, 2015

Samba network shares


Samba background

Samba is a service that basically allows Windows systems to read and write to disks on a Linux system. Previously, I had set up the Samba server to allow unfettered access by any user to the storage drive. However, with a somewhat better understanding of security these days, I decided to work to require a username and password to the Samba share on the network.

There are a few options for how to do this. One way is to manually add every Windows user on the network as a user on the Ubuntu system, and give each one access rights to the Samba share. Another option is to have a generic login and password that all users can use. Since I'm not trying to compartmentalize the Samba share and I just want to provide enough security to prevent any happenstance users from accessing the system, I went with the latter option.

Setting up the share

I already had Samba installed on the system, having checked it off in the Software Selection portion of the Ubuntu MATE installation process (can be run again using sudo tasksel).


In the last incarnation of the server, I had to manually configure the /etc/samba/smb.conf file for Samba use. However, I am a child of the GUI, and I found that there is a front end for the Samba configuration. To get it, run sudo apt-get install system-config-samba, or just use the Synaptic Package Manager. To open the config program, go to System>Administration>Samba.




One thing to note: make sure to restart Samba after you make any changes, as it doesn't seem to update on its own.
sudo service smbd restart
I created a new account called "mancusouser" for all computers on the network to access the shared drive, as well as a corresponding group. This page was helpful for learning how to set a primary group for a user.
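Whichever tool writes the configuration, the result ends up in /etc/samba/smb.conf, so it is worth confirming there that no share still accepts guests. The script below is an added example, not part of the original post: the share names and config contents are constructed, and it only checks the per-share "guest ok" setting (and its synonym "public"), not defaults inherited from [global].

```bash
#!/usr/bin/env bash
# Added example: list smb.conf shares that still allow guest access.
# The config written below is constructed sample data, not the author's file.

# Print the name of every share whose own section enables guest access.
# Samba ignores whitespace inside parameter names, so it is stripped first.
guest_shares() {   # usage: guest_shares SMB_CONF
    awk '
        function report() { if (name != "" && tolower(name) != "global" && guest) print name }
        /^[ \t]*[#;]/ { next }                  # comment lines
        /^[ \t]*\[/ {                           # start of a new [section]
            report()
            name = $0; sub(/^[ \t]*\[/, "", name); sub(/\].*$/, "", name)
            guest = 0; next
        }
        index($0, "=") {
            key = tolower(substr($0, 1, index($0, "=") - 1)); gsub(/[ \t]/, "", key)
            val = tolower(substr($0, index($0, "=") + 1));    gsub(/[ \t]/, "", val)
            if (key == "guestok" || key == "public")
                guest = (val == "yes" || val == "true" || val == "1")
        }
        END { report() }
    ' "$1"
}

sample_conf=$(mktemp)
trap 'rm -f "$sample_conf"' EXIT
cat > "$sample_conf" <<'EOF'
[global]
   workgroup = WORKGROUP
   security = user

; the old "anyone can connect" style of share
[storage-open]
   path = /media/Elements
   guest ok = yes
   read only = no

# the password-protected share, limited to the shared account
[storage]
   path = /media/Elements
   valid users = mancusouser
   guest ok = no
   read only = no
EOF

guest_shares "$sample_conf"
```

On a real server, point guest_shares at /etc/samba/smb.conf; an empty result means no share section turns guest access on.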

To enable the correct mounting of the storage drive on the server, I used gnome-disk-utility, which is basically a GUI front end for fstab. It worked really well, and I highly recommend checking it out if you feel more comfortable with something taking care of the nitty-gritty details for you.

Troubleshooting

Of course, nothing worked correctly at first.

My first attempt to make the Samba share was actually successful, but this was using the default login "gordon" for access to the share. After changing to just "mancusouser" having access, I of course had to log in as the new user from the Windows side. However, after doing so, I got a network permissions error message like the one below:

 Error:  Network Error   Windows cannot access \\HICKS\charlesr\www   You do not have permission to access \\HICKS\charlesr\www. Contact your network administrator to request access.

Using my deductive skills, I assumed this was an issue with permissions. I looked at the default mount location, which was /media/gordon/Elements, and saw that the permissions were only for the user "gordon". I tried to change this using chmod, but that didn't work. I found out that you cannot change the permissions of an NTFS-formatted drive, which this drive sadly is (it used to be an external drive, so at the time NTFS made sense).

To rectify this, use options when mounting the drive. For example, to mount a drive using a specified user and group ID,
mount -o uid=userID,gid=groupID /dev/sdc /path/to/mount
To find the correct user and group ID numbers, look at /etc/passwd (for user) and /etc/group (for group). These options can also be written into fstab, which is what I did, making the owner and group of the mount "mancusouser" and "mancusofam".
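The lookup and the resulting fstab entry can be scripted. This is an added example, not taken from the original post: the passwd and group lines (and the ID 1001) are constructed, the ntfs-3g filesystem type is assumed, and umask=007 is an extra option added here so that accounts outside the owning user and group get no access to the mounted files.

```bash
#!/usr/bin/env bash
# Added example: resolve numeric IDs by name and build an fstab entry for the
# NTFS volume. The passwd/group lines below are constructed sample data.

# Field 3 of a passwd line is the UID; field 3 of a group line is the GID.
# Returns non-zero if the name is not present in the file.
lookup_id() {   # usage: lookup_id FILE NAME
    awk -F: -v n="$2" '$1 == n { print $3; found = 1; exit }
                       END { exit !found }' "$1"
}

# Emit one fstab line. NTFS has no Unix ownership of its own, so uid=/gid=
# set the owner of every file; umask=007 removes all access for "other".
ntfs_fstab_line() {   # usage: ntfs_fstab_line DEVICE MOUNTPOINT UID GID
    printf '%s  %s  ntfs-3g  uid=%s,gid=%s,umask=007  0  0\n' "$1" "$2" "$3" "$4"
}

passwd_sample=$(mktemp)
group_sample=$(mktemp)
trap 'rm -f "$passwd_sample" "$group_sample"' EXIT

cat > "$passwd_sample" <<'EOF'
gordon:x:1000:1000:Gordon:/home/gordon:/bin/bash
mancusouser:x:1001:1001::/home/mancusouser:/usr/sbin/nologin
EOF
cat > "$group_sample" <<'EOF'
gordon:x:1000:
mancusofam:x:1001:mancusouser
EOF

share_uid=$(lookup_id "$passwd_sample" mancusouser)
share_gid=$(lookup_id "$group_sample" mancusofam)
ntfs_fstab_line /dev/sdc /media/Elements "$share_uid" "$share_gid"
```

On the server itself, pass /etc/passwd and /etc/group to lookup_id instead of the sample files.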

After making this change, I tried again, but still was presented with the permissions error. I found this page helpful for showing how to delete network share passwords, which let me "refresh" the login as needed without having to reboot. But despite this, I still couldn't connect using the "mancusouser" login.


Finally, I noticed one strange thing: the permissions on the /media/gordon folder had a plus sign (+) after them. A bit of Googling told me that this means the folder uses Access Control Lists to restrict access to the contents. I didn't really want to learn all about these, so I just changed the mount point to /media/Elements, and now it all is working fine.

Below are the final settings as seen in Disks:

SyncBack configuration

I ran into one more issue as I was wrapping things up. I found that SyncBackSE, which I use for backing up from our systems to the server, could not see the network share drive. It turns out that there is a "feature" in Windows Vista and later that prevents programs with elevated (i.e. "administrator") privileges from viewing network shares created by non-elevated or standard programs/users. This is pretty counterintuitive. But regardless, there is a registry hack (pulled from here) that turns this behavior off.

Open Regedit, go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
then add a new DWORD entry with the name EnableLinkedConnections, and set the value to 1.

Note: This post is part of a loose series. Go here for a full list of all posts in the series.  
