How to configure a samba share with privileged and unprivileged permissions

A reddit user posted a request for help configuring a samba server to share content across their network on http://www.reddit.com/r/linux.

I offer the recipe/how to below as a possible solution.
It’s targeted at an Ubuntu/Debian installation and tested against Raspbian on my raspberry pi about 10 minutes ago.

The main features are

  • the share allows non-privileged users read only access
  • privileged users have read/write access
  • privileges are based upon being a member of the “multimedia” group
  • By default, the process below shares the home directory of a user called “multimedia”
  • this how-to is a start from scratch including installation of the samba server
  • share names/directories and groups are consistent for easy management
  • variables are used in the below commands for easy modification to suit your system/prefs
  • The commands are presented to allow a straight “copy and paste” implementation, hence writing to the samba config file is done using “tee” rather than instructing the user to open the smb.conf in their favourite editor, scroll to the bottom, etc.
  • The below text is intended to all be run as terminal commands, by default I’m using BASH. I ran the commands via an ssh session; but they will work equally well pasted into a terminal window, directly on the serving machine itself.

# Most of the following actions require root level access, let's do it as root

sudo su -

# install samba
apt-get install samba

#
# now the hard part - you have to decide where to serve files from
# and how you wish to manage the files/folders and access to them
#
# Let's assume that your "/home" partition is your largest drive/partition
#
# Let's also assume you want to serve multimedia files to users in
# the (arbitrarily named) "multimedia" group - these people can have read/write
# access, all others can have readonly access. The group name is intended to match the use-case and username for consistency.
# We're going to force files written across the share to have
# default permissions of ug=rw, o=r and group ownership "multimedia"
#
# we're going to use a consistent naming strategy; the default owner, group,
# shared directory and share name are all going to match up - it makes life
# easier like that.

# use a variable for the samba daemon name
SMB_DAEMON="samba";

# use a variable for looking at the log
SMB_LOG="/var/log/samba/log.smbd"

# use a variable for the location of the smb.conf
SMB_CONF="/etc/samba/smb.conf";

# use a variable for the share name/group/user etc...
SHARE_NAME="multimedia";

# use a variable for the "share location" - this can easily be changed if you
# want to share a different location
SHARE_PATH="/home/${SHARE_NAME}";

# add a multimedia user (and by default, multimedia group) and create a multimedia home;
# no password is set, so nobody can log in as this account, it only owns the files
useradd -m "${SHARE_NAME}";

# how about some default directories?
mkdir -p "${SHARE_PATH}/music" "${SHARE_PATH}/photos" "${SHARE_PATH}/video/films" "${SHARE_PATH}/video/series"

# set the ownership on the new location
chown -R "${SHARE_NAME}:${SHARE_NAME}" "${SHARE_PATH}";

# the user and group members should have read/write access, others read only
chmod -Rf ug=rwx,o=rx "${SHARE_PATH}";

# backup your existing samba config (just in case)
cp -a "${SMB_CONF}" "${SMB_CONF}.$( date +%Y%m%d_%H%M%S )";

# now we want to add the share to the bottom of your samba config file
# (smb.conf has no inline comments, so the explanations stay in the shell
# comments here rather than after the values)
echo | tee -a "${SMB_CONF}";
echo | tee -a "${SMB_CONF}";
echo "[${SHARE_NAME}]" | tee -a "${SMB_CONF}";
echo " comment = ${SHARE_NAME} share" | tee -a "${SMB_CONF}";
echo " path = ${SHARE_PATH}" | tee -a "${SMB_CONF}";
# public = yes also admits unauthenticated (guest) connections for read-only
# access; set it to "no" if only users with an smbpasswd account may read
echo " public = yes" | tee -a "${SMB_CONF}";
# the share is read-only for everyone ...
echo " writable = no" | tee -a "${SMB_CONF}";
# ... except members of the group, who get read/write
echo " write list = +${SHARE_NAME}" | tee -a "${SMB_CONF}";
# ug=rw,o=r for new files, ug=rwx,o=rx for new directories
echo " create mode = 664" | tee -a "${SMB_CONF}";
echo " directory mode = 775" | tee -a "${SMB_CONF}";
echo " browseable = yes" | tee -a "${SMB_CONF}";
# everything written through the share ends up owned by the share user/group
echo " force user = ${SHARE_NAME}" | tee -a "${SMB_CONF}";
echo " force group = ${SHARE_NAME}" | tee -a "${SMB_CONF}";
# "valid users = @${SHARE_NAME}" would restrict the share to group members only
# (no read-only access for anyone else); uncomment it to lock the share down that way
# echo " valid users = @${SHARE_NAME}" | tee -a "${SMB_CONF}";

# ask samba to reload the configuration to make it active
service ${SMB_DAEMON} reload

# stop being root (this also discards the variables set in the root shell)
exit

# set the variables again in your own shell, matching the values used above
SHARE_NAME="multimedia";
SHARE_PATH="/home/${SHARE_NAME}";
SMB_LOG="/var/log/samba/log.smbd";

# add yourself to the (in this case) multimedia group, which is the same as the SHARE_NAME, thus making you a privileged user allowed the full read and write access
sudo usermod -a -G "${SHARE_NAME}" "$USER"

# give yourself a samba user account/password
sudo smbpasswd -a "$USER"

# start a watch that monitors the samba process, dir and logs for testing
sudo watch "ps faux | grep -v grep | grep \"smb\|PID\"; echo; ls -lrh ${SHARE_PATH}; echo; tail ${SMB_LOG}"
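Before the stanza appended above goes live, it is worth checking that it really says what the feature list promises. The script below is an added example written for this page, not part of the original how-to: it pulls one [share] section out of an smb.conf-style file and checks the three things this recipe depends on (read-only by default with a write list, no write bit for "other" in the create/directory modes, and plain octal mode values with no trailing comment text, which smb.conf does not support). The function names and the demo configuration it writes are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original how-to): lint one [share] section of an
# smb.conf-style file before it is appended to the live /etc/samba/smb.conf.
# Function names and the demo configuration below are constructed for this example.

# share_block FILE NAME : print the lines of [NAME] up to the next [section]
share_block() {
  awk -v want="$2" '
    /^[ \t]*\[/ {
      s = $0
      sub(/^[ \t]*\[/, "", s); sub(/][ \t]*$/, "", s)
      insec = (s == want); next
    }
    insec { print }
  ' "$1"
}

# share_value FILE NAME KEY : value of KEY inside [NAME] (last occurrence wins,
# as in Samba); keys are matched case- and whitespace-insensitively
share_value() {
  share_block "$1" "$2" | awk -v key="$3" '
    BEGIN { gsub(/[ \t]/, "", key); key = tolower(key) }
    /^[ \t]*[#;]/ { next }                      # whole-line comments only
    index($0, "=") {
      k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
      if (tolower(k) == key) {
        v = substr($0, index($0, "=") + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", v)
        found = v
      }
    }
    END { if (found != "") print found }'
}

# lint_share FILE NAME : returns 0 if the share matches the recipe's intent, 1 otherwise
lint_share() {
  file="$1"; name="$2"; rc=0
  if [ -z "$(share_block "$file" "$name")" ]; then
    echo "no [$name] section in $file"; return 1
  fi

  # 1. "write list" only means something when the share is read-only by default
  ro=$(share_value "$file" "$name" "read only")
  wr=$(share_value "$file" "$name" "writable")
  wl=$(share_value "$file" "$name" "write list")
  if [ -n "$wl" ] && { [ "$wr" = "yes" ] || [ "$ro" = "no" ]; }; then
    echo "[$name]: 'write list' is set but the share is writable for everyone"; rc=1
  fi

  # 2. modes must be plain octal (no inline comment text) and give no write bit to "other"
  for key in "create mode" "directory mode"; do
    mode=$(share_value "$file" "$name" "$key")
    case "$mode" in
      ''|*[!0-7]*) echo "[$name]: '$key' is not a plain octal value: '$mode'"; rc=1; continue ;;
    esac
    last=${mode#"${mode%?}"}          # lowest octal digit = permissions for "other"
    case "$last" in
      2|3|6|7) echo "[$name]: '$key' = $mode grants write to 'other'"; rc=1 ;;
    esac
  done

  # 3. guest access is a deliberate choice; report it without failing
  pub=$(share_value "$file" "$name" "public")
  gok=$(share_value "$file" "$name" "guest ok")
  if [ "$pub" = "yes" ] || [ "$gok" = "yes" ]; then
    echo "[$name]: note: unauthenticated (guest) connections are allowed"
  fi
  return "$rc"
}

# write_demo_conf FILE : a constructed fragment with one sound share (the recipe's
# stanza) and one flawed share, for exercising the lint offline
write_demo_conf() {
  cat > "$1" <<'EOF'
[global]
   workgroup = WORKGROUP

[multimedia]
   comment = multimedia share
   path = /home/multimedia
   public = yes
   writable = no
   write list = +multimedia
   create mode = 664
   directory mode = 775
   browseable = yes
   force user = multimedia
   force group = multimedia

[sloppy]
   path = /srv/sloppy
   writable = yes
   write list = +multimedia
   create mode = 666 #ug=rw,o=rw
   directory mode = 777
EOF
}

# run directly against a real config: ./smb_lint.sh /etc/samba/smb.conf multimedia
if [ "$#" -eq 2 ]; then
  lint_share "$1" "$2"
fi
```

Run it as `sh smb_lint.sh /etc/samba/smb.conf multimedia` after appending the stanza and before `service samba reload`; a non-zero exit means the share is either writable for everyone, world-writable on disk, or carries a mode value Samba will not read the way you meant. The [sloppy] stanza in the demo shows all three failures at once.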

now try browsing to the machine/share across your network; test it and watch the “monitor” whilst you make changes, such as saving files to one of your share directories.

What does the watch tell you?

Below is an example of the output of the watch statement. It shows you:

  • a list of the samba processes: you get to see how many child processes there are, the CPU usage, etc.
  • a listing of your newly configured share directory and its contents
  • the tail of the samba log, so that you can see whether there are any errors
  • in my case with the default installation there are some minor issues with CUPS, but nothing to worry about at the moment.

Every 2.0s: ps faux | grep -v grep | grep "smb\|PID"; echo; ls -lrh /home/multimedia; ech...  Sat Oct 13 11:02:14 2012

USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root      2977  0.0  1.3  18864  3272 ?        Ss   Oct12   0:00 /usr/sbin/smbd -D
root      2995  0.0  0.4  19380  1160 ?        S    Oct12   0:00  \_ /usr/sbin/smbd -D
root      4828  0.0  1.2  19152  2872 ?        S    10:38   0:00  \_ /usr/sbin/smbd -D
root      4836  0.0  1.2  19152  2872 ?        S    10:38   0:00  \_ /usr/sbin/smbd -D
root      4851  0.0  1.2  19152  3056 ?        S    10:38   0:00  \_ /usr/sbin/smbd -D
root      4881  0.0  1.4  19348  3356 ?        S    10:38   0:00  \_ /usr/sbin/smbd -D

total 16K
drwxrwxr-x 4 multimedia multimedia 4.0K Oct 13 10:13 video
drwxrwxr-x 2 multimedia multimedia 4.0K Oct 13 10:13 photos
drwxrwxr-x 2 multimedia multimedia 4.0K Oct 13 10:13 music

[2012/10/13 10:46:18.290102,  0] printing/print_cups.c:487(cups_async_callback)
  failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL
[2012/10/13 10:59:18.995271,  0] printing/print_cups.c:110(cups_connect)
  Unable to connect to CUPS server localhost:631 - Connection refused
[2012/10/13 10:59:18.996708,  0] printing/print_cups.c:487(cups_async_callback)
  failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL
[2012/10/13 11:02:19.779253,  0] printing/print_cups.c:110(cups_connect)
  Unable to connect to CUPS server localhost:631 - Connection refused
[2012/10/13 11:02:19.780782,  0] printing/print_cups.c:487(cups_async_callback)
  failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL

Hit CTRL + c to terminate the “watch” monitor.
Enjoy!

