Samba をスタンドアローンサーバーとして構成

提供: 雑廉堂Wiki
2020年2月20日 (木) 12:01時点におけるMeisina04 (トーク | 投稿記録)による版 (Introduction)

はじめに

ホームネットワークのような小規模なネットーワークや、ドメインの一部ではないホスト上のフォルダ等を共有するために Active DirectoryNT4 Domain を設定したくない場合がよくあります。

下に続く文書では Samba スタンドアローンサーバー のセットアップ方法について説明します。

  • 匿名でアクセス可能な共有 (ゲストアクセス)
  • Samba ホストのユーザーデータベースに対する認証を必要とする共有

Creating a Basic guest only smb.conf File

The following is a minimal configuration for a Samba standalone server that only allows guest access:

[global]
        map to guest = Bad User
        log file = /var/log/samba/%m
        log level = 1

[guest]
        # This share allows anonymous (guest) access
        # without authentication!
        path = /srv/samba/guest/
        read only = no
        guest ok = yes
        guest only = yes

This message box is using an invalid "type=warning" parameter and needs fixing.


Creating a Basic authenticated access smb.conf File

The following is a minimal configuration for a Samba standalone server:

[global]
        log file = /var/log/samba/%m
        log level = 1

[demo]
        # This share requires authentication to access
        path = /srv/samba/demo/
        read only = no


  • You can set a workgroup name with workgroup = xxxxxxxx, where 'xxxxxxxx' is the required name. If the parameter isn't set, the default workgroup name 'WORKGROUP' will be used.
  • The log parameters are not necessary for a minimal setup. However they are useful to set the log file and increasing the log level in case of problems.
  • Whilst these are only minimal smb.conf files, you can add other parameters, such as 'unix password sync = yes' to ensure the Unix & Samba passwords are kept in sync. See 'man smb.conf' for more info.


Creating a Local User Account

To provide authentication on a standalone host, you have to create the accounts locally on the operating system and additionally in the Samba database. By default, Samba uses the tdbsam back end and stores the database in the /usr/local/samba/private/passdb.tdb file. Optionally set a different location in the smb.conf file using the passdb backend parameter. See the smb.conf 5 man page for details.

  • Create a demoUser account on the local system:
# useradd -M -s /sbin/nologin demoUser
Omit the -M parameter if the user requires a home directory on this host. For Samba access, the account does not require a valid shell.
  • To enable the demoUser account on the local system:
# passwd demoUser
Enter new UNIX password: Passw0rd
Retype new UNIX password: Passw0rd
passwd: password updated successfully
Setting a local password is required to enable the account. Samba denies access if the account is disabled locally. Local log ins using this password are not possible if the account was created without a valid shell.
  • Add the demoUser account to the Samba database:
# smbpasswd -a demoUser
New SMB password: Passw0rd
Retype new SMB password: Passw0rd
Added user demoUser.
The password assigned in these steps is the one used by the user to log in to the domain.



Local Group Management

  • To create a demoGroup group:
# groupadd demoGroup
  • To add the demoUser account to the group:
# usermod -aG demoGroup demoUser



Creating the Shared Directories

To create the shares directories:

# mkdir -p /srv/samba/guest/
# mkdir -p /srv/samba/demo/


Setting ACLs on the Shared Directories

Set the following POSIX permissions:

# chgrp -R demoGroup /srv/samba/guest/
# chgrp -R demoGroup /srv/samba/demo/

# chmod 2775 /srv/samba/guest/
# chmod 2770 /srv/samba/demo/

This configures write access to members of the demoGroup group in both directories. Other users have read access in the /srv/samba/guest/ and no access in the /srv/samba/demo/ directory. The SGID bit - represented by the first bit (2) in the mode set on the directories - inherits the group of the parent directory instead setting it to the users primary group when new files are created.

For further information, see Setting up a Share Using POSIX ACLs.



Starting Samba

Start the smbd daemon:

# smbd

Samba does not include start scripts. See your distribution's documentation how further information how to automatically start a service at boot time.



Testing the Share Access

  • Access the demo share as user demoUser:
# smbclient -U demoUser //SA/demo
Enter demoUser's password: Passw0rd
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba x.y.z]
smb: \> ls
  .                                   D        0  Sun Jan  3 21:00:00 2016
  ..                                  D        0  Sun Jan  3 19:00:00 2016
  demo.txt                            A        0  Sun Jan  3 21:00:00 2016

		9943040 blocks of size 1024. 7987416 blocks available
smb: \> quit
  • Access the demo share as guest. The access is denied:
# smbclient -U guest //SA/demo
Enter guest's password: 
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba x.y.z]
tree connect failed: NT_STATUS_ACCESS_DENIED



Advanced share settings

This section describes some advanced share configuration parameters. For further information about the used parameters, see the smb.conf (5) man page.


Using the force Parameters

[demo]
        path = /srv/samba/demo/
        read only = no
        force create mode = 0660
        force directory mode = 2770
        force user = demoUser
        force group = demoGroup

The force create mode and force directory mode parameters force Samba to create new files and folders with the set permissions.

The force user and force group parameters map all connections to the specified user and group. Note that this can cause security problems if all users connecting to a share are mapped to a specific user account or group in the background.


User and Group-based Share Access

See Configuring User and Group-based Share Access.


Host-based Share Access

See Configuring Host-based Share Access.