====== File Server ======
===== Basics =====
[[https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Standalone_Server|Setting up Samba as a Standalone Server]]
In the end we get a file server that provides all data under the share \\sv1\data.
**Prerequisite:**
  * Install the server device with its operating system following the instructions under [[devices:server|Server]].

  nano /etc/hosts
  127.0.0.1 localhost
  #127.0.1.1 sv1 (comment out)
  192.168.178.2 sv1..spnds.org sv1
===== Installing Samba =====
  apt install acl samba smbclient
Create the Samba share root directories
  mkdir -p /srv/disk0/samba
  mkdir -p /srv/disk1/samba
===== Samba Users =====
Users must first be created locally on the server and then enabled for Samba.
  useradd -s /sbin/nologin
  useradd -s /sbin/nologin mediaplayer
  useradd -s /sbin/nologin scanner
Set the password
  passwd
  passwd mediaplayer
  passwd scanner
Set the Samba password
  smbpasswd -a
  smbpasswd -a mediaplayer
  smbpasswd -a scanner
Enable the Samba account
  smbpasswd -e
  smbpasswd -e mediaplayer
  smbpasswd -e scanner
===== Samba Groups =====
Main groups
  groupadd smb-admins
  groupadd smb-users
For each share (except data and temp), one group each for write and read access:
  groupadd smb-backups-ro
  groupadd smb-backups-rw
  groupadd smb-music-ro
  groupadd smb-music-rw
  groupadd smb-photos-ro
  groupadd smb-photos-rw
  groupadd smb-software-ro
  groupadd smb-software-rw
  groupadd smb-videos-ro
  groupadd smb-videos-rw
Group-to-user assignments
  usermod -G smb-admins -a
  usermod -G smb-users -a
  usermod -G smb-users -a mediaplayer
  usermod -G smb-users -a scanner
Add users
  usermod -G smb-backups-rw -a
  usermod -G smb-music-rw -a
  usermod -G smb-photos-rw -a
  usermod -G smb-software-rw -a
  usermod -G smb-videos-rw -a
  usermod -G smb-music-ro -a mediaplayer
  usermod -G smb-photos-ro -a mediaplayer
  usermod -G smb-videos-ro -a mediaplayer
Check
  groups smb-admin
  groups
  groups mediaplayer
  groups scanner
===== Creating the Shares =====
Create the directories
  mkdir -p /srv/disk0/samba/backups/
  mkdir -p /srv/disk0/samba/data/
  mkdir -p /srv/disk0/samba/temp/
  mkdir -p /srv/disk1/samba/music/
  mkdir -p /srv/disk1/samba/photos/
  mkdir -p /srv/disk1/samba/software/
  mkdir -p /srv/disk1/samba/videos/
  chown -R root:smb-admins /srv/disk0/samba/backups/
  chown -R root:smb-admins /srv/disk0/samba/data/
  chown -R root:smb-admins /srv/disk0/samba/temp/
  chown -R root:smb-admins /srv/disk1/samba/music/
  chown -R root:smb-admins /srv/disk1/samba/photos/
  chown -R root:smb-admins /srv/disk1/samba/software/
  chown -R root:smb-admins /srv/disk1/samba/videos/
  chmod 2770 /srv/disk0/samba/backups/
  chmod 2770 /srv/disk0/samba/data/
  chmod 2770 /srv/disk0/samba/temp/
  chmod 2770 /srv/disk1/samba/music/
  chmod 2770 /srv/disk1/samba/photos/
  chmod 2770 /srv/disk1/samba/software/
  chmod 2770 /srv/disk1/samba/videos/
===== Extended ACLs =====
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs#Setting_Extended_ACLs
Set the permissions on the directory
  setfacl -m group:"smb-backups-rw":rwx /srv/disk0/samba/backups/
  setfacl -m group:"smb-backups-ro":r-x /srv/disk0/samba/backups/
  setfacl -R -m other::--- /srv/disk0/samba/backups/
  setfacl -m group:"smb-users":r-x /srv/disk0/samba/data/
  setfacl -R -m other::--- /srv/disk0/samba/data/
  setfacl -m group:"smb-users":rwx /srv/disk0/samba/temp/
  setfacl -R -m other::--- /srv/disk0/samba/temp/
  setfacl -m group:"smb-music-rw":rwx /srv/disk1/samba/music/
  setfacl -m group:"smb-music-ro":r-x /srv/disk1/samba/music/
  setfacl -R -m other::--- /srv/disk1/samba/music/
  setfacl -m group:"smb-photos-rw":rwx /srv/disk1/samba/photos/
  setfacl -m group:"smb-photos-ro":r-x /srv/disk1/samba/photos/
  setfacl -R -m other::--- /srv/disk1/samba/photos/
  setfacl -m group:"smb-software-rw":rwx /srv/disk1/samba/software/
  setfacl -m group:"smb-software-ro":r-x /srv/disk1/samba/software/
  setfacl -R -m other::--- /srv/disk1/samba/software/
  setfacl -m group:"smb-videos-rw":rwx /srv/disk1/samba/videos/
  setfacl -m group:"smb-videos-ro":r-x /srv/disk1/samba/videos/
  setfacl -R -m other::--- /srv/disk1/samba/videos/
Configure the same permission set to be inherited by new file system objects created in this directory:
  setfacl -m default:group:"smb-backups-rw":rwx /srv/disk0/samba/backups/
  setfacl -m default:group:"smb-backups-ro":r-x /srv/disk0/samba/backups/
  setfacl -m default:other::--- /srv/disk0/samba/backups/
  setfacl -m default:group:"smb-users":r-x /srv/disk0/samba/data/
  setfacl -m default:other::--- /srv/disk0/samba/data/
  setfacl -m default:group:"smb-users":rwx /srv/disk0/samba/temp/
  setfacl -m default:other::--- /srv/disk0/samba/temp/
  setfacl -m default:group:"smb-music-rw":rwx /srv/disk1/samba/music/
  setfacl -m default:group:"smb-music-ro":r-x /srv/disk1/samba/music/
  setfacl -m default:other::--- /srv/disk1/samba/music/
  setfacl -m default:group:"smb-photos-rw":rwx /srv/disk1/samba/photos/
  setfacl -m default:group:"smb-photos-ro":r-x /srv/disk1/samba/photos/
  setfacl -m default:other::--- /srv/disk1/samba/photos/
  setfacl -m default:group:"smb-software-rw":rwx /srv/disk1/samba/software/
  setfacl -m default:group:"smb-software-ro":r-x /srv/disk1/samba/software/
  setfacl -m default:other::--- /srv/disk1/samba/software/
  setfacl -m default:group:"smb-videos-rw":rwx /srv/disk1/samba/videos/
  setfacl -m default:group:"smb-videos-ro":r-x /srv/disk1/samba/videos/
  setfacl -m default:other::--- /srv/disk1/samba/videos/
Check
  getfacl /srv/disk1/samba/videos
  getfacl: Removing leading '/' from absolute path names
  # file: srv/disk1/samba/videos
  # owner: root
  # group: smb-admins
  # flags: -s-
  user::rwx
  group::rwx
  group:smb-videos-ro:r-x (Set the permissions on the directory)
  group:smb-videos-rw:rwx (Set the permissions on the directory)
  mask::rwx
  other::--- (Set the permissions on the directory)
  default:user::rwx
  default:group::rwx
  default:group:smb-videos-ro:r-x (Configure the same permission set to be inherited by new file system objects created in this directory)
  default:group:smb-videos-rw:rwx (Configure the same permission set to be inherited by new file system objects created in this directory)
  default:mask::rwx
  default:other::--- (Configure the same permission set to be inherited by new file system objects created in this directory)
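
The manual check can be automated for all share directories. The following is an added example, not part of the original page: a shell function that reads ''getfacl'' output and reports entries that deviate from the policy set up here (no access for ''other'', no write access for ''-ro'' groups, a default entry for every named group). The names ''audit_acl'' and ''sample_getfacl'' and the sample input are constructed for illustration.

```bash
# Added example, not from the original page: audit getfacl output against the
# share policy above. Reads getfacl text on stdin, prints one line per finding
# and returns 1 if there is any finding. audit_acl is a hypothetical name.
audit_acl() {
  awk '
    function report(msg) { print file ": " msg; bad = 1 }
    /^# file: / { file = substr($0, 9); next }
    /^#/ || NF == 0 { next }
    {
      n = split($1, f, ":")   # $1 drops annotations that follow the entry
      perm = f[n]
      if (f[1] == "default") { scope = "default"; tag = f[2]; name = f[3] }
      else                   { scope = "access";  tag = f[1]; name = f[2] }
      if (scope == "default") has_default[file] = 1
      if (tag == "other" && perm != "---")
        report($1 " grants access to users outside the smb-* groups")
      if (tag == "group" && name ~ /-ro$/ && perm ~ /w/)
        report($1 " gives a read-only group write access")
      if (tag == "group" && name != "") {
        seen[file, scope, name] = 1
        if (scope == "access") named[file, name] = 1
      }
    }
    END {   # a named group without a default entry is lost on new files
      for (k in named) {
        split(k, p, SUBSEP); file = p[1]
        if (has_default[file] && !((file, "default", p[2]) in seen))
          report("group:" p[2] " has no default entry, new files will not inherit it")
      }
      exit bad + 0
    }
  '
}
# Constructed sample: the music directory with two deviations from the policy.
sample_getfacl() {
  cat <<'EOF'
# file: srv/disk1/samba/music
group:smb-music-ro:r-x
group:smb-music-rw:rwx
mask::rwx
other::---
default:group:smb-music-rw:rwx
default:mask::rwx
default:other::r-x
EOF
}
sample_getfacl | audit_acl || echo "ACL audit found deviations"
```

On the server, feed it the real ACLs with ''getfacl -R /srv/disk0/samba /srv/disk1/samba | audit_acl''.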
===== Samba Configuration =====
As long as only Microsoft Windows 10 (or later) clients are in use, set the SMB protocol version to 3. Then only firewall port 445 needs to be opened.
  sudo -i
  mv /etc/samba/smb.conf /etc/samba/smb.conf.org
  nano /etc/samba/smb.conf
  [global]
  workgroup = HOME
  server role = standalone
  acl allow execute always = yes
  # "protocol" is only a synonym for "server max protocol"; the minimum is what refuses older dialects
  server min protocol = SMB3
  # Enable Extended ACL Support
  # map acl inherit = yes
  # store dos attributes = yes
  # vfs objects = acl_xattr
  # Access based enumeration
  # hide unreadable = yes
  [backups]
  path = /srv/disk0/samba/backups/
  inherit acls = yes
  guest ok = no
  read only = no
  [data]
  path = /srv/disk0/samba/data/
  inherit acls = yes
  guest ok = no
  read only = no
  [music]
  path = /srv/disk1/samba/music/
  inherit acls = yes
  guest ok = no
  read only = no
  [photos]
  path = /srv/disk1/samba/photos/
  inherit acls = yes
  guest ok = no
  read only = no
  [software]
  path = /srv/disk1/samba/software/
  inherit acls = yes
  guest ok = no
  read only = no
  [temp]
  path = /srv/disk0/samba/temp/
  inherit acls = yes
  guest ok = no
  read only = no
  [videos]
  path = /srv/disk1/samba/videos/
  inherit acls = yes
  guest ok = no
  read only = no

  * Comment out the [homes] section completely
**Test and start Samba:**
  testparm
  systemctl enable smbd
  systemctl enable nmbd
  systemctl restart smbd
  systemctl restart nmbd
**Reload the Samba configuration**
  smbcontrol all reload-config
**Assemble the data share**
  mkdir -p /srv/disk0/samba/data/Backups
  mkdir -p /srv/disk0/samba/data/Temp
  mkdir -p /srv/disk0/samba/data/Music
  mkdir -p /srv/disk0/samba/data/Photos
  mkdir -p /srv/disk0/samba/data/Software
  mkdir -p /srv/disk0/samba/data/Videos
  mount -o bind /srv/disk0/samba/backups/ /srv/disk0/samba/data/Backups/
  mount -o bind /srv/disk0/samba/temp/ /srv/disk0/samba/data/Temp/
  mount -o bind /srv/disk1/samba/music/ /srv/disk0/samba/data/Music/
  mount -o bind /srv/disk1/samba/photos/ /srv/disk0/samba/data/Photos/
  mount -o bind /srv/disk1/samba/software/ /srv/disk0/samba/data/Software/
  mount -o bind /srv/disk1/samba/videos/ /srv/disk0/samba/data/Videos/
  nano /lib/systemd/system/smb-data.service
  [Unit]
  Description=Data-Share zusammenfügen
  [Service]
  Type=oneshot
  RemainAfterExit=yes
  ExecStart=/bin/mount -o bind /srv/disk0/samba/backups/ /srv/disk0/samba/data/Backups/
  ExecStart=/bin/mount -o bind /srv/disk0/samba/temp/ /srv/disk0/samba/data/Temp/
  ExecStart=/bin/mount -o bind /srv/disk1/samba/music/ /srv/disk0/samba/data/Music/
  ExecStart=/bin/mount -o bind /srv/disk1/samba/photos/ /srv/disk0/samba/data/Photos/
  ExecStart=/bin/mount -o bind /srv/disk1/samba/software/ /srv/disk0/samba/data/Software/
  ExecStart=/bin/mount -o bind /srv/disk1/samba/videos/ /srv/disk0/samba/data/Videos/
  ExecStop=/bin/umount /srv/disk0/samba/data/Videos/
  ExecStop=/bin/umount /srv/disk0/samba/data/Software/
  ExecStop=/bin/umount /srv/disk0/samba/data/Photos/
  ExecStop=/bin/umount /srv/disk0/samba/data/Music/
  ExecStop=/bin/umount /srv/disk0/samba/data/Temp/
  ExecStop=/bin/umount /srv/disk0/samba/data/Backups/
  [Install]
  WantedBy=multi-user.target
  systemctl daemon-reload
  systemctl start smb-data
  systemctl enable smb-data
  systemctl status smb-data
**Log files in /var/log/samba**
===== Firewall =====
For SMB3, only port 445 is required.
  # ufw allow from 192.168.178.0/24 to any port 137 proto udp
  # ufw allow from 192.168.178.0/24 to any port 138 proto udp
  # ufw allow from 192.168.178.0/24 to any port 139 proto udp
  ufw allow from 192.168.178.0/24 to any port 445 proto tcp
  ufw status
===== Test =====
  smbclient -U //sv1/videos