File Server

Basis

Setting up Samba as a Standalone Server

The end result is a file server that provides all data under the share \\sv1\data.

Prerequisite:

  • Install the server machine and its operating system following the instructions under Server.

nano /etc/hosts

127.0.0.1	localhost
#127.0.1.1	sv1 (comment out)
192.168.178.2   sv1.<yourdomain>.spnds.org	sv1

Installing Samba

apt install acl samba smbclient

Create the Samba share root directories

mkdir -p /srv/disk0/samba
mkdir -p /srv/disk1/samba

Samba users

The users must first be created locally on the server and then enabled for Samba.

useradd -s /sbin/nologin <vorname>
useradd -s /sbin/nologin mediaplayer
useradd -s /sbin/nologin scanner

Set the password

passwd <vorname>
passwd mediaplayer
passwd scanner

Set the Samba password

smbpasswd -a <vorname>
smbpasswd -a mediaplayer
smbpasswd -a scanner

Enable the Samba account

smbpasswd -e <vorname>
smbpasswd -e mediaplayer
smbpasswd -e scanner

Samba groups

Main groups

groupadd smb-admins
groupadd smb-users

For each share (except data and temp), one group each for read-only and read/write access:

groupadd smb-backups-ro
groupadd smb-backups-rw
groupadd smb-music-ro
groupadd smb-music-rw
groupadd smb-photos-ro
groupadd smb-photos-rw
groupadd smb-software-ro
groupadd smb-software-rw
groupadd smb-videos-ro
groupadd smb-videos-rw

Group-user assignments

usermod -G smb-admins -a <yourdomain>
usermod -G smb-users -a <vorname>
usermod -G smb-users -a mediaplayer
usermod -G smb-users -a scanner

Add users

usermod -G smb-backups-rw -a <vorname>
usermod -G smb-music-rw -a <vorname>
usermod -G smb-photos-rw -a <vorname>
usermod -G smb-software-rw -a <vorname>
usermod -G smb-videos-rw -a <vorname>

usermod -G smb-music-ro -a mediaplayer
usermod -G smb-photos-ro -a mediaplayer
usermod -G smb-videos-ro -a mediaplayer

Check

getent group smb-admins
groups <vorname>
groups mediaplayer
groups scanner

Create shares

Create folders

mkdir -p /srv/disk0/samba/backups/
mkdir -p /srv/disk0/samba/data/
mkdir -p /srv/disk0/samba/temp/
mkdir -p /srv/disk1/samba/music/
mkdir -p /srv/disk1/samba/photos/
mkdir -p /srv/disk1/samba/software/
mkdir -p /srv/disk1/samba/videos/

chown -R root:smb-admins /srv/disk0/samba/backups/
chown -R root:smb-admins /srv/disk0/samba/data/
chown -R root:smb-admins /srv/disk0/samba/temp/
chown -R root:smb-admins /srv/disk1/samba/music/
chown -R root:smb-admins /srv/disk1/samba/photos/
chown -R root:smb-admins /srv/disk1/samba/software/
chown -R root:smb-admins /srv/disk1/samba/videos/

chmod 2770 /srv/disk0/samba/backups/
chmod 2770 /srv/disk0/samba/data/
chmod 2770 /srv/disk0/samba/temp/
chmod 2770 /srv/disk1/samba/music/
chmod 2770 /srv/disk1/samba/photos/
chmod 2770 /srv/disk1/samba/software/
chmod 2770 /srv/disk1/samba/videos/

Extended ACLs

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs#Setting_Extended_ACLs

Set the permissions on the directory

setfacl -m group:"smb-backups-rw":rwx /srv/disk0/samba/backups/
setfacl -m group:"smb-backups-ro":r-x /srv/disk0/samba/backups/
setfacl -R -m other::--- /srv/disk0/samba/backups/

setfacl -m group:"smb-users":r-x /srv/disk0/samba/data/
setfacl -R -m other::--- /srv/disk0/samba/data/

setfacl -m group:"smb-users":rwx /srv/disk0/samba/temp/
setfacl -R -m other::--- /srv/disk0/samba/temp/

setfacl -m group:"smb-music-rw":rwx /srv/disk1/samba/music/
setfacl -m group:"smb-music-ro":r-x /srv/disk1/samba/music/
setfacl -R -m other::--- /srv/disk1/samba/music/

setfacl -m group:"smb-photos-rw":rwx /srv/disk1/samba/photos/
setfacl -m group:"smb-photos-ro":r-x /srv/disk1/samba/photos/
setfacl -R -m other::--- /srv/disk1/samba/photos/

setfacl -m group:"smb-software-rw":rwx /srv/disk1/samba/software/
setfacl -m group:"smb-software-ro":r-x /srv/disk1/samba/software/
setfacl -R -m other::--- /srv/disk1/samba/software/

setfacl -m group:"smb-videos-rw":rwx /srv/disk1/samba/videos/
setfacl -m group:"smb-videos-ro":r-x /srv/disk1/samba/videos/
setfacl -R -m other::--- /srv/disk1/samba/videos/

Configure the same permissions to be inherited by new file system objects created in this directory:

setfacl -m default:group:"smb-backups-rw":rwx /srv/disk0/samba/backups/
setfacl -m default:group:"smb-backups-ro":r-x /srv/disk0/samba/backups/
setfacl -m default:other::--- /srv/disk0/samba/backups/

setfacl -m default:group:"smb-users":r-x /srv/disk0/samba/data/
setfacl -m default:other::--- /srv/disk0/samba/data/

setfacl -m default:group:"smb-users":rwx /srv/disk0/samba/temp/
setfacl -m default:other::--- /srv/disk0/samba/temp/

setfacl -m default:group:"smb-music-rw":rwx /srv/disk1/samba/music/
setfacl -m default:group:"smb-music-ro":r-x /srv/disk1/samba/music/
setfacl -m default:other::--- /srv/disk1/samba/music/

setfacl -m default:group:"smb-photos-rw":rwx /srv/disk1/samba/photos/
setfacl -m default:group:"smb-photos-ro":r-x /srv/disk1/samba/photos/
setfacl -m default:other::--- /srv/disk1/samba/photos/

setfacl -m default:group:"smb-software-rw":rwx /srv/disk1/samba/software/
setfacl -m default:group:"smb-software-ro":r-x /srv/disk1/samba/software/
setfacl -m default:other::--- /srv/disk1/samba/software/

setfacl -m default:group:"smb-videos-rw":rwx /srv/disk1/samba/videos/
setfacl -m default:group:"smb-videos-ro":r-x /srv/disk1/samba/videos/
setfacl -m default:other::--- /srv/disk1/samba/videos/

Check

getfacl /srv/disk1/samba/videos

getfacl: Removing leading '/' from absolute path names
# file: srv/disk1/samba/videos
# owner: root
# group: smb-admins
# flags: -s-
user::rwx
group::rwx
group:smb-videos-ro:r-x		(Set the permissions on the directory)
group:smb-videos-rw:rwx		(Set the permissions on the directory)
mask::rwx
other::---			(Set the permissions on the directory)
default:user::rwx
default:group::rwx
default:group:smb-videos-ro:r-x	(Configure the same permissions to be inherited by new file system objects created in this directory)
default:group:smb-videos-rw:rwx	(Configure the same permissions to be inherited by new file system objects created in this directory)
default:mask::rwx
default:other::---		(Configure the same permissions to be inherited by new file system objects created in this directory)
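
A check for the ACL layout built above, as an added example that is not part of the original page: the function reads getfacl output and reports any other/default:other entry that is not --- and any named group whose default entry is missing or differs from its access entry. The sample input and the names audit_acl and sample_drifted are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit `getfacl` output for the share layout used on this page.
# Rules (taken from the setfacl commands above): "other" and "default:other"
# must be ---, and every named group needs an identical default: entry.
audit_acl() {
    awk '
    /^#/ || /^[ \t]*$/ { next }
    {
        sub(/[ \t].*$/, "")                 # strip "#effective:..." notes
        split($0, f, ":")
        d = (f[1] == "default")             # inherited (default) entry?
        tag = d ? f[2] : f[1]; name = d ? f[3] : f[2]; perm = d ? f[4] : f[3]
        if (tag == "other" && perm != "---") {
            print (d ? "default:" : "") "other is " perm ", expected ---"; bad++
        }
        if (tag == "group" && name != "") { if (d) inh[name] = perm; else acc[name] = perm }
    }
    END {
        for (g in acc) {
            if (!(g in inh)) { print "group " g ": no default entry"; bad++ }
            else if (inh[g] != acc[g]) { print "group " g ": access " acc[g] ", default " inh[g]; bad++ }
        }
        exit (bad > 0)                      # non-zero status when anything drifted
    }'
}

# Constructed sample: a share whose default ACL drifted from its access ACL.
sample_drifted() {
    cat <<'EOF'
# file: srv/disk1/samba/music
# owner: root
# group: smb-admins
# flags: -s-
user::rwx
group::rwx
group:smb-music-ro:r-x
group:smb-music-rw:rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:smb-music-rw:rwx
default:mask::rwx
default:other::r-x
EOF
}

sample_drifted | audit_acl || echo "ACL drift found"
# Live use (assumed invocation): getfacl -p /srv/disk1/samba/music | audit_acl
```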

Samba configuration

As long as only Microsoft Windows 10 (or later) clients are in use, set the SMB protocol version to 3. Then only firewall port 445 needs to be opened.

sudo -i
mv /etc/samba/smb.conf /etc/samba/smb.conf.org
nano /etc/samba/smb.conf

[global]
	workgroup = HOME
	server role = standalone
	acl allow execute always = yes
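	# "protocol" is only a synonym for "server max protocol"; the minimum is what limits clients to SMB3
	server min protocol = SMB3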

# Enable Extended ACL Support
#	map acl inherit = yes
#	store dos attributes = yes
#	vfs objects = acl_xattr

# Access based enumeration
#	hide unreadable = yes

[backups]
  path = /srv/disk0/samba/backups/
  inherit acls = yes
  guest ok = no
  read only = no

[data]
  path = /srv/disk0/samba/data/
  inherit acls = yes
  guest ok = no
  read only = no

[music]
  path = /srv/disk1/samba/music/
  inherit acls = yes
  guest ok = no
  read only = no

[photos]
  path = /srv/disk1/samba/photos/
  inherit acls = yes
  guest ok = no
  read only = no

[software]
  path = /srv/disk1/samba/software/
  inherit acls = yes
  guest ok = no
  read only = no

[temp]
  path = /srv/disk0/samba/temp/
  inherit acls = yes
  guest ok = no
  read only = no

[videos]
  path = /srv/disk1/samba/videos/
  inherit acls = yes
  guest ok = no
  read only = no

  • Comment out the [homes] section completely

Test and start Samba:

testparm
systemctl enable smbd
systemctl enable nmbd
systemctl restart smbd
systemctl restart nmbd

Reload the Samba configuration

smbcontrol all reload-config

Assemble the data share

mkdir -p /srv/disk0/samba/data/Backups
mkdir -p /srv/disk0/samba/data/Temp
mkdir -p /srv/disk0/samba/data/Music
mkdir -p /srv/disk0/samba/data/Photos
mkdir -p /srv/disk0/samba/data/Software
mkdir -p /srv/disk0/samba/data/Videos

mount -o bind /srv/disk0/samba/backups/ /srv/disk0/samba/data/Backups/
mount -o bind /srv/disk0/samba/temp/ /srv/disk0/samba/data/Temp/
mount -o bind /srv/disk1/samba/music/ /srv/disk0/samba/data/Music/
mount -o bind /srv/disk1/samba/photos/ /srv/disk0/samba/data/Photos/
mount -o bind /srv/disk1/samba/software/ /srv/disk0/samba/data/Software/
mount -o bind /srv/disk1/samba/videos/ /srv/disk0/samba/data/Videos/

nano /lib/systemd/system/smb-data.service

[Unit]
Description=Data-Share zusammenfügen
 
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/mount -o bind /srv/disk0/samba/backups/ /srv/disk0/samba/data/Backups/
ExecStart=/bin/mount -o bind /srv/disk0/samba/temp/ /srv/disk0/samba/data/Temp/
ExecStart=/bin/mount -o bind /srv/disk1/samba/music/ /srv/disk0/samba/data/Music/
ExecStart=/bin/mount -o bind /srv/disk1/samba/photos/ /srv/disk0/samba/data/Photos/
ExecStart=/bin/mount -o bind /srv/disk1/samba/software/ /srv/disk0/samba/data/Software/
ExecStart=/bin/mount -o bind /srv/disk1/samba/videos/ /srv/disk0/samba/data/Videos/
ExecStop=/bin/umount /srv/disk0/samba/data/Videos/
ExecStop=/bin/umount /srv/disk0/samba/data/Software/
ExecStop=/bin/umount /srv/disk0/samba/data/Photos/
ExecStop=/bin/umount /srv/disk0/samba/data/Music/
ExecStop=/bin/umount /srv/disk0/samba/data/Temp/
ExecStop=/bin/umount /srv/disk0/samba/data/Backups/

[Install]
WantedBy=multi-user.target

systemctl daemon-reload
systemctl start smb-data
systemctl enable smb-data
systemctl status smb-data

Log files are in /var/log/samba

Firewall

Only port 445 is needed for SMB3.

# ufw allow from 192.168.178.0/24 to any port 137 proto udp
# ufw allow from 192.168.178.0/24 to any port 138 proto udp
# ufw allow from 192.168.178.0/24 to any port 139 proto tcp
ufw allow from 192.168.178.0/24 to any port 445 proto tcp
ufw status

Test

smbclient -U <vorname> //sv1/videos
server/fs.txt · Last modified: 2021/09/23 16:31 by hse