19009 Certificate IV I.T (Networking) Network Development
Information Technology
Blacktown College
Activity – Configure basic Samba and NFS services

Document Information
Document Owner: WSI1445
Created: 25th May, 2008
Modified: 24. Aug. 2009
Author: Stephen King
Page Count: 22
Version: 1.6
Revision History
Revision # 1.6, Revision Date 02/11/2008, Modified by SKing
Description of Modification:
● Changed samba exercise for SLES10-Basic
● Added NFS notes and exercise
Table of Contents
Document Information
Revision History
Copyright
Objectives
Prerequisite
Resources
VM Information
    Virtual Machine Settings
    Interface Configuration
    User Configuration
    Before You Begin
Activity
    Configuring the server
    Sharing directories
    Putting it all together
        Creating the “accounts” group
        Creating new user as member of “accounts” group
        Creating the “accounts” directory
        Creating SMB users
        Testing and starting Samba
    Configuring windows workstation to use samba
Explanatory notes
    Share parameters
    Variables
    Security options
NFS
    Network File System Basics
    NFS Configuration Overview
    Configure NFS server manually
        Example
Objectives
At the completion of this exercise students should be able to:
● Explain basic uses of SAMBA
● Edit the default smb.conf file so that SAMBA can be used for basic file sharing
● Explain basic uses of NFS
● Configure a basic NFS server

Prerequisite
You should have a basic understanding of the following topics:
● A basic understanding of SMB and CIFS
● A basic understanding of NFS

Resources
You will require the following:
● This document
● The Virtual Machine “SLES10-Basic”. This should be unpacked to V:\Student\.yourFirstName\
● Access to SLES10SP2.iso. Note: When starting your virtual machine you may get a dialog box asking you about the ID; please select the Keep option.
● Students should log in as a normal user and switch user to root when required.
Copyright © 2007 NSW Dept of Education and Training.
VM Information
The virtual machine SLES-Exercises has the following configuration:

Virtual Machine Settings
Memory: 512MB
CD-ROM: Auto Detect
Ethernet: Host Only
USB Controller: Present
VMware Tools: Installed

Interface Configuration
IP Address: 192.168.10.1
Netmask: 255.255.255.0
Host Name: SVR1
Domain Name: sample.com
Name Server: 192.168.10.1
Default Gateway: 192.168.10.254

User Configuration
Two users have been created:
Username    Password
root        secret
student     password
Before You Begin
You will need to change the CD-ROM settings so that it points to the SLES10SP2.iso file. You may also wish to copy configuration files from previous exercises to the correct place.
● Change Ethernet from “Host Only” to “VMNET2”.
● Extract and open a Windows XP VM. Change its Ethernet to “VMNET2” and ensure the IP address is correct for your network, i.e. 192.168.10.20/24.
Activity
Estimated Completion Time: 30 minutes

Configuring The Server
For the most part, configuring Samba begins and ends with the smb.conf file. This is Samba's main configuration file. It has many different configuration options. To avoid confusion, we're going to start only with those options essential to the proper operation of Samba. I'll intersperse commentary along the way to provide you with a good understanding of what each option does. To get started:

1. Move the original /etc/samba/smb.conf file so that we do not overwrite it:
    mv /etc/samba/smb.conf /etc/samba/smb.conf.orig

2. Now we are going to use our text editor to create a new smb.conf file:
    joe /etc/samba/smb.conf

3. In this new file, type the following:
    [global]
    workgroup = OFFICE
    security = user
    encrypt passwords = yes

The first line tells Samba that we are placing options in the "global" section. There are many options that are intended to be defined only in this section. These options control the global behaviour of Samba. The second line tells Samba the name of the Windows workgroup that Samba will create. On the third line, we tell Samba to run in user-level security mode. This option will cause Samba to tell all connecting Windows clients that they need to provide a valid username/password combination to gain access to any network resource. This is definitely a good thing. User-level security is Samba's most often used security level because it's an excellent match for the majority of file sharing situations. However, there are other security levels available. One handy mode tells Samba to authenticate all users against the security database of an existing Windows NT or 2000 Server. We won't be covering that particular mode in this exercise. If you want more information about it, take a look at the "security" option in the smb.conf man page.

Now, on to the fourth line. Here we tell Samba to exchange passwords in encrypted mode. You will always want to run Samba in encrypted mode, unless all your client machines are extremely ancient (like Windows for Workgroups-era machines). Enabling encrypted passwords does cause Samba to need its own password file, in addition to the standard Linux password database. If you are thinking that it may be nice to turn encrypted passwords off, so that you can avoid having to maintain two password files, don't do it! Turning encrypted passwords off will cause sharing problems with even moderately old versions of Windows NT 4.0 in addition to Windows 2000. If you really want to avoid maintaining two separate databases, Samba provides several ways to synchronise both databases, which is a better approach.

4. Now we're ready to add WINS support options to smb.conf. You'll want to add one of the following two options to the global section. For this exercise, we will use the first option only.
    wins support = yes
OR
    wins server = IP address of WINS server

If you already have a WINS server on your current subnet (a Windows NT Server running WINS, for example), you'll want to use the second option and specify the name of the WINS server on the right side of the equals sign. Samba's internal WINS services will then be disabled, and it will use the WINS server you specify. If you don't have a WINS server running on your subnet (which we don't), or you're setting Samba up at home and you don't know exactly what a WINS server is, you'll want to use the first option. This will tell Samba to become a WINS server for your LAN.

You may be wondering what WINS does. Basically, you can think of WINS as a local dynamic DNS database. When Samba is running as a WINS server, every Windows-compatible machine on the same subnet will register its IP address and NetBIOS name (a.k.a. "computer name") with Samba. This enables Windows machines to use Samba's WINS database to request an IP address for a particular NetBIOS name. WINS is a key component of network browsing, which is what you are doing when you poke around inside My Network on a Windows machine.
5. Now we're ready to add several more options to the global section:
    local master = yes
    os level = 99
    domain master = yes
    preferred master = yes

Now for an explanation. All these options are related to network browsing. I've already mentioned that WINS is a key component of network browsing, but there's another element required for browsing to work properly. A local master browser must exist. Sound strange? Some further explanation is required. For browsing to work properly, there must be some central location that keeps track of what machines and workgroups exist on the local subnet. This particular list is called the browse list. The browse list is used to construct the list of workgroups, domains, and machines you see when you first click on the Network Neighborhood. Any modern Windows machine can become the local master browser. Ideally, we'd like Samba to be the local master browser on the network. How is this accomplished? Basically, several beefy Windows-compatible machines on your subnet will regularly duke it out by flinging packets back and forth across your LAN in an attempt to determine who will become the local master browser. This process is called a "browser election." In the end the "winner" of this broadcast packet war gets to become the local master browser. We can cause Samba to win the battle by using the os level = 99 option, which causes it to beat every other machine on the LAN. This happens because every version of Windows (from Windows 95 to NT to 2000) has a hard-coded OS level that was intended to cause the most advanced version of Windows to become the local master browser (later versions of Windows have a bigger number). Setting Samba to 99 will cause it to beat all Microsoft products, allowing it to become the local master browser every time.
Sharing Directories
Now that we have configured the global options, it is time to create our shares.

• The first share we are going to create is the default [homes] directory. This special share allows all valid users to access their home directories from Windows clients. At the bottom of the smb.conf file, type in the following:
    [homes]
    comment = Home directory for %S
    writable = yes
    browseable = no
    valid users = %S
    create mask = 0664
    directory mask = 0775

As I mentioned, this is a "special" share. It doesn't work like ordinary shares. Samba recognises the special identifier "[homes]" and treats this share differently. One of the most unusual things about this share is the use of the "browseable = no" parameter. This particular option causes a share to be invisible under the Network Neighborhood, and it's normally used to deter those malicious users who may be tempted to "explore" any share they can see. But why use it here? The answer is a bit tricky. You see, the "homes" share does create a share called "homes". But that particular share is of no use to us. It doesn't do anything, so we hide it. What the "homes" share does do for us is quite tremendous. It tells Samba to automatically create home directories on the fly for each individual user. For example, let's say we have a user "king" whose share wasn't defined in smb.conf and we explored the Network Neighborhood as NT user "king". We would find a share called "king" that would behave identically to a "king" share defined by hand. If we accessed Samba using the NT user "jimmy", we'd find a perfectly configured "jimmy" share. This is the beauty of homes. Adding one special share causes all home shares to be properly created.

Now, how does it work? When the "homes" share is set up, Samba will detect which NT user is accessing Samba. Then it will create a home share that's been customised for this particular user. This share will show up in the Network Neighborhood as if it's a normal, non-dynamic share. The NT user will have no idea that this particular share was created on the fly.

Let's look at what each particular option does. The comment parameter uses the %S wildcard, which expands to the actual name of the share. This will cause the "king" share to have the comment "Home directory for king", the "jimmy" share to have the comment "Home directory for jimmy", etc. Again, we use macros in the "valid users =" line so that only the owner of the share and the administrator are allowed to access it. "force user" uses a macro too, so that all file access will be performed by a single account. And of course we make the share writeable for any authenticated users. While we use the "browseable = no" parameter, the dynamically created shares will be browseable when they are created. Again, this just hides the non-functional "homes" share.

• Now we will create a share that all valid users can share. In this example the only valid users that will be able to use the directory will be those who are members of the “accounts” group:
    [accounts]
    comment = Account Depts Folder
    path = /home/departments/accounts
    writeable = yes
    valid users = @accounts
    create mask = 1660

This share will be called “accounts” and the valid users will be able to see that it is the “Accounts Depts Folder”. The location of this folder will be /home/departments/accounts. This folder will be used to store all the shared files of the accounts department. The writeable = yes option allows all valid users to write files to this folder. The “valid users =” option allows the administrator to restrict access to folders to members of groups. The group must be a valid group (set up in /etc/group). You can also restrict access to certain individuals by entering valid user names. Example:
    valid users = sking @accounts

Samba uses the create mask to set the proper permissions on newly created files. The create mask defines which permissions newly created files will allow. The supplied octal number will be combined with the desired permissions using a binary "and" operation. This causes any permission not in the mask to be dropped from the new file's permissions. In this exercise we have set “create mask = 1660”. This means that when a valid user creates a new file in /home/departments/accounts, the sticky bit will be set so that only the file owner, the directory owner and the root user (administrator) can delete the file. The owner and group members will be able to read and write to the file, while all others will have no access.

• You can now save the file and exit from joe.
Putting It All Together
Before we can start the smb service, we need to ensure that we have all the users, groups, directories and smb users that are required.

Creating The “accounts” Group
Type in the following command at the command line:
    groupadd accounts

Creating New User As Member Of “accounts” Group
1. To add a new user who is a member of the accounts group, use the following command:
    useradd -m -G accounts Your_first_name
The -G accounts option will make the user a member of the accounts group.

2. Now we need to give the user a password:
    passwd <username>
    Changing password for <username>
    New password: password
    Retype new password: password
    passwd: all authentication tokens updated successfully

Creating The “accounts” Directory
Now to create the new directory and change the group ownership so that the accounts group members have access.
• Create the directory:
    mkdir -p /home/departments/accounts
• Change group ownership of the directory:
    chgrp accounts /home/departments/accounts
Creating SMB Users
In order for users to be able to use Samba, the following things must exist:
• A valid Linux user account for each user who is going to use Samba
• A valid “user” entry in the smbpasswd file.
Both accounts are needed because Samba uses the Unix account to set the proper permissions on disk, while the smbpasswd file is used for authentication purposes.

1. To create the smbpasswd entry for our user we will type the following command:
    smbpasswd -a <username>
    New SMB password: password
    Retype new SMB password: password
    Added user username
The -a in the above command stands for ADD.

2. Now we need to enable the new account:
    smbpasswd -e <username>
This command will enable (-e) the account so that it can use Samba.

Testing And Starting Samba
Before starting Samba, it would be a good idea to test whether our smb.conf file uses the correct syntax. To do this, use the following command:
    testparm
This command will provide error messages if your configuration syntax is incorrect. To start the smb server, use the following command:
    rcsmb start
Configuring Windows Workstation To Use Samba
To configure a Windows machine so that it can participate in your Samba Workgroup, you'll need to make sure the TCP/IP protocol is properly configured. You must also make sure that:
• The workstation is a member of the same workgroup – OFFICE in this exercise.
• It is best that you have an identical user set up on the Windows workstation – in our case we would add a user with the user name of “your_first_name” and a password of “password” to our Windows workstation.

After you've properly logged in, double-click on the Network Neighborhood and take a look at the OFFICE workgroup. Look inside. See if your Samba server is listed. Double-click the listed Samba Server and see if you can see the home share as well as the accounts group share. If you can see and access these… CONGRATULATIONS, IT WORKED. If you didn't see these, well, you will need to do some troubleshooting to find out why.
Explanatory notes
The following sections give a brief overview of the share parameters and variables.

Share Parameters
We've seen a couple of handy techniques to use when creating shares. In this section I'll cover several popular options that allow you to customise Samba functionality on a per-share basis. All share-related options can also be placed in the [global] section to set a default value for all shares.

comment=
The comment= parameter is a very handy option to make your Samba system look more professional from the Windows side. It allows you to specify a comment that accompanies a particular share, intended to describe its contents. When specifying comments (especially when using "homes"), I often use the %S macro, which expands to the name of the share.

path=
path= is one of the most fundamental Samba share parameters. It allows you to set the path to the directory to be exported. Note that by default any symlinks in this directory tree can be followed. So it is possible for users to "jump out" of the directory tree. From the Windows side, they will have no indication that they are following a symlink. It will just appear as a regular file or directory. We'll look at several parameters that can change this behaviour to make Samba more secure.

force user=
force user= is one of my favourite parameters. It forces all file modifications to be performed by the account of a single user. You'll want to use the valid users= option often with this one so that you can limit access to select users. Since all file operations are performed using a single user account, one of the side effects of force user= is that you can't look at the Unix file permissions to figure out who did what. Thus for writeable shares, the force user= option should be accompanied by reasonable security defaults. Without this option, all file operations will be performed by the Samba user who is accessing the share.

browsable=
One simple way to enhance your security is to make certain shares invisible. Shares are browseable by default under the Network Neighborhood. Making them invisible can help to deter unwanted hacking attempts. But this should not be used as the only means of security. Just because a share isn't listed in the browse list does not prevent it from being accessed from Windows. It just decreases the amount of information you may potentially be providing to a malicious user. To access a hidden share, you can type its UNC name into the Run... dialog box. For example, the hidden share on myserver called 'test' can be accessed by typing "\\myserver\test" from Windows.

available=
The available= option, which is 'yes' by default, is just a handy way of disabling a share without commenting it out or erasing it from the smb.conf entirely. available = no will make the share inactive after Samba is restarted.

valid users=
Definitely take advantage of the valid users= option to restrict access to certain shares. By default, any authenticated user will be allowed to access a Samba share. You can refer to a valid NIS netgroup or Unix group by prepending an "@" to the group name.

dont descend=
dont descend= specifies directories in the share that Samba should not enter. This can be handy to prevent Samba from entering a directory that contains recursive symlinks, or to restrict access to irrelevant directories like /proc and /dev. Be sure to test out your dont descend= settings to make sure they are working. You may need to switch "dont descend = /dev" to "dont descend = ./dev", for example.

follow symlinks=
follow symlinks= normally defaults to 'yes' and will cause Samba to follow all symlinks, even if they redirect Samba to files or directories outside of the exported directory tree. Setting follow symlinks to 'no' will turn off this functionality, and prevent symlinks from being followed at all. Turning off follow symlinks does eliminate a potential security hole and should be done when symlinks are not needed or required.

volume=
The volume= option can cause Samba to associate a "volume name" with the particular share. This is especially useful if you are using a Samba share to export the contents of a CD-ROM. Many installation programs will expect to find an exact volume name on the CD, without which they won't work.

create mask=
Samba uses the create mask to set the proper permissions on newly created files. The create mask defines which permissions newly created files will allow. The supplied octal number will be combined with the desired permissions using a binary "and" operation. This causes any permissions not in the mask to be dropped from the new file's permissions.

directory mask=
directory mask= works in a manner similar to create mask=. It specifies an octal number that defines those permissions allowed for a new directory.
Variables
These are the variables you can use in your config file(s):

Client variables
%a  Client's architecture (Samba, WinNT, WfWg, Win95, or UNKNOWN)
%I  Client's IP address
%m  Client's NetBIOS name
%M  Client's DNS name

User variables
%g  Primary group of %u
%G  Primary group of %U
%H  Home directory of %u
%u  Current Unix username
%U  Requested client username (not always used by Samba)

Share variables
%p  Automounter's path to the share's root directory, if different from %P
%P  Current share's root directory
%S  Current share's name

Server variables
%d  Current server process ID
%h  Samba server's DNS hostname
%L  Samba server's NetBIOS name
%N  Home directory server, from automount map
%v  Samba version

Miscellaneous variables
%R  The SMB protocol level that was negotiated
%T  The current date and time
Security Options
Here are a few security options that you may be interested in.

1. The hosts allow option lets you limit the IP addresses that can connect to Samba:
    hosts allow = 192.168.0. 127.
This option allows only machines in the 192.168.0 network to connect to Samba, in addition to 127, the localhost. Always make sure there is a 127. at the end of your hosts allow line.

2. The interfaces option is very useful if your machine happens to have multiple network interfaces. It allows you to specify the network interfaces on which Samba is available. It is used as follows:
    interfaces = eth0
This is an easy way to limit Samba to the necessary interfaces. And limiting the interfaces prevents possible hacking attempts from unwanted users.
NFS
Network File System (NFS) lets you configure an NFS file server that gives users transparent access to programs, files, or storage space on the server.

Network File System Basics
NFS is designed for sharing files and directories over a network, and requires configuration of an NFS server (where the files and directories are located) and NFS clients (computers that access the files and directories remotely). File systems are exported by an NFS server, and appear and behave on an NFS client as if they were located on a local machine. For example, with NFS each user's home directory can be exported by an NFS server and imported to a client, so the same home directories are accessible from every workstation on the network. Directories like /home/, /opt/, and /usr/ are good candidates for export via NFS. However, others, including /bin/, /boot/, /dev/, /etc/, /lib/, /root/, /sbin/, /tmp/, and /var/, should be available on the local disk only. Using NFS for home directories only makes sense with a central user management (for instance OpenLDAP). The following is an example of mounting the directory /home/ (exported by the NFS Server sun) on the computer earth:
A computer can be both an NFS server and an NFS client. It can supply file systems over the network (export) and mount file systems from other hosts (import). The NFS daemon is part of the kernel and only needs to be configured, then activated. The start script is /etc/init.d/nfsserver. The kernel NFS daemon includes file locking, which means that only 1 user at a time has write access to files.

NFS Configuration Overview
All configuration settings for the NFS server are stored in the file /etc/exports. Client-side configuration takes place using the file /etc/fstab. Both will be covered in detail later. Although both the NFS server and the clients can be configured with YaST modules, you will modify the configuration files directly. For the NFS server to start automatically when the computer is booted, the corresponding symbolic links in the runlevel directories must be generated, using the command:
    insserv nfsserver
Configure NFS Server Manually
To configure an NFS server manually requires you to edit the /etc/exports file. The general syntax for this file is:
    directory [host[(option1,option2,option3,...)]] ...
A host can be one of the following:
● A standalone computer with its name in short form (it must be possible to resolve this with name resolution), with its Fully Qualified Domain Name (FQDN), or with its IP address.
● A network, specified by an address with a netmask or by the domain name with a prefixed placeholder (such as *.digitalairlines.com).

Authorized computers are usually specified with their full names (including domain name), but you can use wildcards like * or ?. If you do not specify a host, or use *, any computer can import the file system with the given permissions. You also need to set permissions for exported directories in /etc/exports. You need to set permission options for the file system to export in parentheses after the computer name. The most commonly used options include the following:
Option          Meaning
ro              File system is exported with read-only permission (default).
rw              File system is exported with read-write permission. The local file permissions are not overridden.
root_squash     (Default) This ensures that the user root of the given machine does not have root permissions on this file system. This is achieved by assigning user ID 65534 to users with user ID 0 (root). This user ID should be set to nobody (which is the default).
no_root_squash  Does not assign user ID 65534 to user ID 0, keeping the root permissions valid.
Example:
On the NFS server:
● Create the directory nfs_mount:
    mkdir /nfs_mount
● Use joe to open /etc/exports
● At the end of the file, enter the following line:
    /nfs_mount *(rw,sync)
  Do not put any spaces between the host name, the parentheses enclosing the options, and the option strings themselves.
● Now start the nfs server:
    rcnfsserver restart

On a Linux client:
● From the command line, use the following command:
    mount -t nfs 172.18.255.254:/nfs_mount /mnt

This line consists of the following parts:

Part                Description
mount               This is the mount command used by Linux to mount various filesystems.
-t nfs              This part tells the mount command that it will be mounting a filesystem type of nfs.
172.18.255.254      This is the IP address of the NFS server. You could also use the host name of the nfs server.
:/nfs_mount /mnt    This section says to mount the directory /nfs_mount from the server to the /mnt directory on the client.
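As an added example that is not part of the original exercise, the script below checks /etc/exports lines for the things this section warns about: a "*" or missing host, options detached from the host by a space (which makes them apply to every client), and no_root_squash. The sample export file, the function name and the 192.168.10.0 client network are my own assumptions.

```shell
#!/bin/sh
# Added example, not part of the exercise: audit /etc/exports entries.
# Line syntax, as given in the text:  directory [host[(option1,option2,...)]] ...

# exports_audit [FILE]: one finding per line on stderr, the total on stdout.
# Reads standard input when no file is given.
exports_audit() {
  awk '
    # has(opts, o): is option o present in the comma-separated list opts?
    function has(opts, o) { return ("," opts ",") ~ ("," o ",") }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
      dir = $1
      if (NF == 1) {                # no host at all: any client may mount it (ro)
        print dir ": no host given, so any client can mount it (ro)" > "/dev/stderr"
        total++
      }
      for (i = 2; i <= NF; i++) {
        spec = $i; host = spec; opts = ""
        if (match(spec, /\(.*\)/)) {      # split "host(opts)" into its two parts
          host = substr(spec, 1, RSTART - 1)
          opts = substr(spec, RSTART + 1, RLENGTH - 2)
        }
        mode = has(opts, "rw") ? "rw" : "ro"   # ro is the NFS default
        if (host == "") {             # "(rw,sync)" after a space: host is empty
          print dir ": options \"" spec "\" are separated from the host by a space," \
                " so they apply to every client (" mode ")" > "/dev/stderr"
          total++
        } else if (host == "*") {
          print dir ": exported to any host (" mode ")" > "/dev/stderr"
          total++
        }
        if (has(opts, "no_root_squash")) {
          print dir ": no_root_squash keeps uid 0 from " \
                (host == "" ? "any client" : host) " as root here" > "/dev/stderr"
          total++
        }
      }
    }
    END { print total + 0 }' "$@"
}

# Constructed sample /etc/exports (not from a real server): the exercise line,
# the same line with the space the text warns about, a network-limited export,
# and one that disables root squashing.
EXPORTS_SAMPLE=$(mktemp)
trap 'rm -f "$EXPORTS_SAMPLE"' EXIT
cat > "$EXPORTS_SAMPLE" <<'EOF'
/nfs_mount *(rw,sync)
/nfs_mount_typo * (rw,sync)
/home 192.168.10.0/255.255.255.0(rw,sync,root_squash)
/srv/backup svr1.sample.com(ro,sync,no_root_squash)
EOF

echo "findings in sample: $(exports_audit "$EXPORTS_SAMPLE")"    # 4
# The exercise's own line, limited to the assumed 192.168.10.0/24 client network:
printf '%s\n' '/nfs_mount 192.168.10.0/255.255.255.0(rw,sync)' | exports_audit   # 0
```

The line with the stray space yields two findings: "*" alone exports the directory read-only to everyone, and the detached "(rw,sync)" exports it read-write to everyone.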