Setting up Samba as a Standalone Server
The end result is a file server that provides all data under the share \\sv1\data.
Prerequisite:
nano /etc/hosts
127.0.0.1 localhost
#127.0.1.1 sv1 (comment out this line)
192.168.178.2 sv1.<yourdomain>.spnds.org sv1
apt install acl samba smbclient
Create the Samba share root directories
mkdir -p /srv/disk0/samba
mkdir -p /srv/disk1/samba
The users must first be created locally on the server and then enabled for Samba (<vorname> stands for the user's first name).
useradd -s /sbin/nologin <vorname>
useradd -s /sbin/nologin mediaplayer
useradd -s /sbin/nologin scanner
Set the password
passwd <vorname>
passwd mediaplayer
passwd scanner
Set the Samba password
smbpasswd -a <vorname>
smbpasswd -a mediaplayer
smbpasswd -a scanner
Enable the Samba account
smbpasswd -e <vorname>
smbpasswd -e mediaplayer
smbpasswd -e scanner
Main groups
groupadd smb-admins
groupadd smb-users
For each share (except data and temp), one group each for write and read access:
groupadd smb-backups-ro
groupadd smb-backups-rw
groupadd smb-music-ro
groupadd smb-music-rw
groupadd smb-photos-ro
groupadd smb-photos-rw
groupadd smb-software-ro
groupadd smb-software-rw
groupadd smb-videos-ro
groupadd smb-videos-rw
Group-user assignments
usermod -G smb-admins -a <yourdomain>
usermod -G smb-users -a <vorname>
usermod -G smb-users -a mediaplayer
usermod -G smb-users -a scanner
Add users to the share groups
usermod -G smb-backups-rw -a <vorname>
usermod -G smb-music-rw -a <vorname>
usermod -G smb-photos-rw -a <vorname>
usermod -G smb-software-rw -a <vorname>
usermod -G smb-videos-rw -a <vorname>
usermod -G smb-music-ro -a mediaplayer
usermod -G smb-photos-ro -a mediaplayer
usermod -G smb-videos-ro -a mediaplayer
Check
groups <yourdomain>
groups <vorname>
groups mediaplayer
groups scanner
Create the directories
mkdir -p /srv/disk0/samba/backups/
mkdir -p /srv/disk0/samba/data/
mkdir -p /srv/disk0/samba/temp/
mkdir -p /srv/disk1/samba/music/
mkdir -p /srv/disk1/samba/photos/
mkdir -p /srv/disk1/samba/software/
mkdir -p /srv/disk1/samba/videos/
chown -R root:smb-admins /srv/disk0/samba/backups/
chown -R root:smb-admins /srv/disk0/samba/data/
chown -R root:smb-admins /srv/disk0/samba/temp/
chown -R root:smb-admins /srv/disk1/samba/music/
chown -R root:smb-admins /srv/disk1/samba/photos/
chown -R root:smb-admins /srv/disk1/samba/software/
chown -R root:smb-admins /srv/disk1/samba/videos/
chmod 2770 /srv/disk0/samba/backups/
chmod 2770 /srv/disk0/samba/data/
chmod 2770 /srv/disk0/samba/temp/
chmod 2770 /srv/disk1/samba/music/
chmod 2770 /srv/disk1/samba/photos/
chmod 2770 /srv/disk1/samba/software/
chmod 2770 /srv/disk1/samba/videos/
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs#Setting_Extended_ACLs
Set the permissions on the directory
setfacl -m group:"smb-backups-rw":rwx /srv/disk0/samba/backups/
setfacl -m group:"smb-backups-ro":r-x /srv/disk0/samba/backups/
setfacl -R -m other::--- /srv/disk0/samba/backups/
setfacl -m group:"smb-users":r-x /srv/disk0/samba/data/
setfacl -R -m other::--- /srv/disk0/samba/data/
setfacl -m group:"smb-users":rwx /srv/disk0/samba/temp/
setfacl -R -m other::--- /srv/disk0/samba/temp/
setfacl -m group:"smb-music-rw":rwx /srv/disk1/samba/music/
setfacl -m group:"smb-music-ro":r-x /srv/disk1/samba/music/
setfacl -R -m other::--- /srv/disk1/samba/music/
setfacl -m group:"smb-photos-rw":rwx /srv/disk1/samba/photos/
setfacl -m group:"smb-photos-ro":r-x /srv/disk1/samba/photos/
setfacl -R -m other::--- /srv/disk1/samba/photos/
setfacl -m group:"smb-software-rw":rwx /srv/disk1/samba/software/
setfacl -m group:"smb-software-ro":r-x /srv/disk1/samba/software/
setfacl -R -m other::--- /srv/disk1/samba/software/
setfacl -m group:"smb-videos-rw":rwx /srv/disk1/samba/videos/
setfacl -m group:"smb-videos-ro":r-x /srv/disk1/samba/videos/
setfacl -R -m other::--- /srv/disk1/samba/videos/
Configure the same permissions to be inherited by new file system objects created in this directory:
setfacl -m default:group:"smb-backups-rw":rwx /srv/disk0/samba/backups/
setfacl -m default:group:"smb-backups-ro":r-x /srv/disk0/samba/backups/
setfacl -m default:other::--- /srv/disk0/samba/backups/
setfacl -m default:group:"smb-users":r-x /srv/disk0/samba/data/
setfacl -m default:other::--- /srv/disk0/samba/data/
setfacl -m default:group:"smb-users":rwx /srv/disk0/samba/temp/
setfacl -m default:other::--- /srv/disk0/samba/temp/
setfacl -m default:group:"smb-music-rw":rwx /srv/disk1/samba/music/
setfacl -m default:group:"smb-music-ro":r-x /srv/disk1/samba/music/
setfacl -m default:other::--- /srv/disk1/samba/music/
setfacl -m default:group:"smb-photos-rw":rwx /srv/disk1/samba/photos/
setfacl -m default:group:"smb-photos-ro":r-x /srv/disk1/samba/photos/
setfacl -m default:other::--- /srv/disk1/samba/photos/
setfacl -m default:group:"smb-software-rw":rwx /srv/disk1/samba/software/
setfacl -m default:group:"smb-software-ro":r-x /srv/disk1/samba/software/
setfacl -m default:other::--- /srv/disk1/samba/software/
setfacl -m default:group:"smb-videos-rw":rwx /srv/disk1/samba/videos/
setfacl -m default:group:"smb-videos-ro":r-x /srv/disk1/samba/videos/
setfacl -m default:other::--- /srv/disk1/samba/videos/
Check
getfacl /srv/disk1/samba/videos
getfacl: Removing leading '/' from absolute path names
# file: srv/disk1/samba/videos
# owner: root
# group: smb-admins
# flags: -s-
user::rwx
group::rwx
group:smb-videos-ro:r-x (Set the permissions on the directory)
group:smb-videos-rw:rwx (Set the permissions on the directory)
mask::rwx
other::--- (Set the permissions on the directory)
default:user::rwx
default:group::rwx
default:group:smb-videos-ro:r-x (Configure the same permissions to be inherited by new file system objects created in this directory)
default:group:smb-videos-rw:rwx (Configure the same permissions to be inherited by new file system objects created in this directory)
default:mask::rwx
default:other::--- (Configure the same permissions to be inherited by new file system objects created in this directory)
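A check for the whole share tree, as an added example that is not part of the original page: the function reads getfacl output and reports every directory whose access or default ACL grants anything to other, that has no default ACL at all, or that lacks the setgid bit from chmod 2770. The function name audit_share_acls and the sample getfacl text are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit getfacl output for the share directories created above.
# audit_share_acls reads getfacl output on stdin and prints one finding per line.
audit_share_acls() {
    awk '
        function report() {
            if (file == "") return
            if (other != "---") print file ": other is " other ", expected ---"
            if (!has_default) print file ": no default ACL, new objects will not inherit"
            else if (dother != "---") print file ": default:other is " dother ", expected ---"
            if (flags !~ /^.s/) print file ": setgid bit not set"
        }
        # A "# file:" header starts a new record; report the previous one first.
        /^# file: /        { report(); file = substr($0, 9); other = dother = flags = ""; has_default = 0; next }
        /^# flags: /       { flags = $3; next }   # e.g. -s- (getfacl omits the line if no flag is set)
        /^other::/         { other = substr($0, 8, 3) }
        /^default:/        { has_default = 1 }
        /^default:other::/ { dother = substr($0, 16, 3) }
        END { report() }
    '
}

# Constructed sample (abbreviated getfacl output): one clean directory,
# one with a permissive default ACL, one that was never given ACLs.
SAMPLE='# file: srv/disk1/samba/videos
# flags: -s-
group:smb-videos-rw:rwx
other::---
default:group:smb-videos-rw:rwx
default:other::---

# file: srv/disk1/samba/music
# flags: -s-
other::---
default:other::r-x

# file: srv/disk0/samba/temp
other::rwx
'

printf '%s' "$SAMPLE" | audit_share_acls
# On the server: getfacl /srv/disk[01]/samba/*/ | audit_share_acls
```

Pass only the share directories themselves; regular files carry no default ACL and would be reported.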
As long as only Microsoft Windows 10 (or later) clients are in use, set the SMB protocol version to 3. Then only firewall port 445 needs to be opened.
sudo -i
mv /etc/samba/smb.conf /etc/samba/smb.conf.org
nano /etc/samba/smb.conf
[global]
    workgroup = HOME
    server role = standalone
    acl allow execute always = yes
    # "protocol" is a synonym for "server max protocol" and only caps the version;
    # the minimum is what refuses older SMB dialects.
    server min protocol = SMB3
    # Enable Extended ACL Support
    # map acl inherit = yes
    # store dos attributes = yes
    # vfs objects = acl_xattr
    # Access based enumeration
    # hide unreadable = yes

[backups]
    path = /srv/disk0/samba/backups/
    inherit acls = yes
    guest ok = no
    read only = no

[data]
    path = /srv/disk0/samba/data/
    inherit acls = yes
    guest ok = no
    read only = no

[music]
    path = /srv/disk1/samba/music/
    inherit acls = yes
    guest ok = no
    read only = no

[photos]
    path = /srv/disk1/samba/photos/
    inherit acls = yes
    guest ok = no
    read only = no

[software]
    path = /srv/disk1/samba/software/
    inherit acls = yes
    guest ok = no
    read only = no

[temp]
    path = /srv/disk0/samba/temp/
    inherit acls = yes
    guest ok = no
    read only = no

[videos]
    path = /srv/disk1/samba/videos/
    inherit acls = yes
    guest ok = no
    read only = no
Test and start Samba:
testparm
systemctl enable smbd
systemctl enable nmbd
systemctl restart smbd
systemctl restart nmbd
Reload the Samba configuration
smbcontrol all reload-config
Assemble the data share
mkdir -p /srv/disk0/samba/data/Backups
mkdir -p /srv/disk0/samba/data/Temp
mkdir -p /srv/disk0/samba/data/Music
mkdir -p /srv/disk0/samba/data/Photos
mkdir -p /srv/disk0/samba/data/Software
mkdir -p /srv/disk0/samba/data/Videos
mount -o bind /srv/disk0/samba/backups/ /srv/disk0/samba/data/Backups/
mount -o bind /srv/disk0/samba/temp/ /srv/disk0/samba/data/Temp/
mount -o bind /srv/disk1/samba/music/ /srv/disk0/samba/data/Music/
mount -o bind /srv/disk1/samba/photos/ /srv/disk0/samba/data/Photos/
mount -o bind /srv/disk1/samba/software/ /srv/disk0/samba/data/Software/
mount -o bind /srv/disk1/samba/videos/ /srv/disk0/samba/data/Videos/
nano /lib/systemd/system/smb-data.service
[Unit]
Description=Data-Share zusammenfügen

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/mount -o bind /srv/disk0/samba/backups/ /srv/disk0/samba/data/Backups/
ExecStart=/bin/mount -o bind /srv/disk0/samba/temp/ /srv/disk0/samba/data/Temp/
ExecStart=/bin/mount -o bind /srv/disk1/samba/music/ /srv/disk0/samba/data/Music/
ExecStart=/bin/mount -o bind /srv/disk1/samba/photos/ /srv/disk0/samba/data/Photos/
ExecStart=/bin/mount -o bind /srv/disk1/samba/software/ /srv/disk0/samba/data/Software/
ExecStart=/bin/mount -o bind /srv/disk1/samba/videos/ /srv/disk0/samba/data/Videos/
ExecStop=/bin/umount /srv/disk0/samba/data/Videos/
ExecStop=/bin/umount /srv/disk0/samba/data/Software/
ExecStop=/bin/umount /srv/disk0/samba/data/Photos/
ExecStop=/bin/umount /srv/disk0/samba/data/Music/
ExecStop=/bin/umount /srv/disk0/samba/data/Temp/
ExecStop=/bin/umount /srv/disk0/samba/data/Backups/

[Install]
WantedBy=multi-user.target
systemctl daemon-reload
systemctl start smb-data
systemctl enable smb-data
systemctl status smb-data
Log files are in /var/log/samba
For SMB3, only port 445 is required.
# ufw allow from 192.168.178.0/24 to any port 137 proto udp
# ufw allow from 192.168.178.0/24 to any port 138 proto udp
# ufw allow from 192.168.178.0/24 to any port 139 proto tcp
ufw allow from 192.168.178.0/24 to any port 445 proto tcp
ufw status
smbclient -U <vorname> //sv1/videos