Is Samba Compatible with ssh on Ubuntu Server 16.04.3 LTS ?

    I have an Ubuntu Server 16.04.3 configured with ssh and want to use it as a NAS. I log in to the server from my Kubuntu computer, on the same network.

    I have 3x 2TB drives configured with the btrfs. Metadata is raid1 and data is raid 5. This pool is mounted using the btrfs UUID to /media/nas. I created 3 folders on this pool: Mark, Jean, Carol, and Share. The 3 "named" directories need to be private directories -- 1 for each user by the same name. The "Share" directory needs to be shared by all 3 users.

    I installed Samba on the server, added a samba password to my account, tweaked the smb config file (below) as little as possible with a guide I found online.

    I'm still not able to see the folders I created on my Kubuntu computer. I do see "Family NAS" and that's it. When I try to open it, I'm continuously prompted for my user name and password. I think the problem is ssh. Can samba login to a server using ssh? I assume the necessary changes would have to be in the smb config file or is samba not compatible with ssh?

    Code:
    mark@Ubuntu-Server:/etc/samba$ cat smb.conf
    # Sample configuration file for the Samba suite for Debian GNU/Linux.
    #
    # This is the main Samba configuration file. You should read the
    # smb.conf(5) manual page in order to understand the options listed
    # here. Samba has a huge number of configurable options most of which 
    # are not shown in this example
    #
    # Some options that are often worth tuning have been included as
    # commented-out examples in this file.
    #  - When such options are commented with ";", the proposed setting
    #    differs from the default Samba behaviour
    #  - When commented with "#", the proposed setting is the default
    #    behaviour of Samba but the option is considered important
    #    enough to be mentioned here
    #
    # NOTE: Whenever you modify this file you should run the command
    # "testparm" to check that you have not made any basic syntactic 
    # errors. 
    
    #======================= Global Settings =======================
    
    [global]
    
    ## Browsing/Identification ###
    
    # Change this to the workgroup/NT-domain name your Samba server will part of
      workgroup = WORKGROUP
    
    # server string is the equivalent of the NT Description field
           server string = %h server (Samba, Ubuntu)
    
    # Windows Internet Name Serving Support Section:
    # WINS Support - Tells the NMBD component of Samba to enable its WINS Server
    #   wins support = no
    
    # WINS Server - Tells the NMBD components of Samba to be a WINS Client
    # Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
    ;   wins server = w.x.y.z
    
    # This will prevent nmbd to search for NetBIOS names through DNS.
      dns proxy = no
    
    #### Networking ####
    
    # The specific set of interfaces / networks to bind to
    # This can be either the interface name or an IP address/netmask;
    # interface names are normally preferred
    ;   interfaces = 127.0.0.0/8 eth0
    
    # Only bind to the named interfaces and/or networks; you must use the
    # 'interfaces' option above to use this.
    # It is recommended that you enable this feature if your Samba machine is
    # not protected by a firewall or is a firewall itself. However, this
    # option cannot handle dynamic or non-broadcast interfaces correctly.
    ;   bind interfaces only = yes
    
    #### Debugging/Accounting ####
    
    # This tells Samba to use a separate log file for each machine
    # that connects
      log file = /var/log/samba/log.%m
    
    # Cap the size of the individual log files (in KiB).
      max log size = 1000
    
    # If you want Samba to only log through syslog then set the following
    # parameter to 'yes'.
    #   syslog only = no
    
    # We want Samba to log a minimum amount of information to syslog. Everything
    # should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
    # through syslog you should set the following parameter to something higher.
      syslog = 0
    
    # Do something sensible when Samba crashes: mail the admin a backtrace
      panic action = /usr/share/samba/panic-action %d
    
    ####### Authentication #######
    
    # Server role. Defines in which mode Samba will operate. Possible
    # values are "standalone server", "member server", "classic primary
    # domain controller", "classic backup domain controller", "active
    # directory domain controller". 
    #
    # Most people will want "standalone sever" or "member server".
    # Running as "active directory domain controller" will require first
    # running "samba-tool domain provision" to wipe databases and create a
    # new domain.
      server role = standalone server
    
    # If you are using encrypted passwords, Samba will need to know what
    # password database type you are using.  
      passdb backend = tdbsam
    
      obey pam restrictions = yes
    
    # This boolean parameter controls whether Samba attempts to sync the Unix
    # password with the SMB password when the encrypted SMB password in the
    # passdb is changed.
      unix password sync = yes
    
    # For Unix password sync to work on a Debian GNU/Linux system, the following
    # parameters must be set (thanks to Ian Kahan <<kahan@informatik.tu-muenchen.de> for
    # sending the correct chat script for the passwd program in Debian Sarge).
      passwd program = /usr/bin/passwd %u
      passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    
    # This boolean controls whether PAM will be used for password changes
    # when requested by an SMB client instead of the program listed in
    # 'passwd program'. The default is 'no'.
      pam password change = yes
    
    # This option controls how unsuccessful authentication attempts are mapped
    # to anonymous connections
      map to guest = bad user
    
    ########## Domains ###########
    
    #
    # The following settings only takes effect if 'server role = primary
    # classic domain controller', 'server role = backup domain controller'
    # or 'domain logons' is set 
    #
    
    # It specifies the location of the user's
    # profile directory from the client point of view) The following
    # required a [profiles] share to be setup on the samba server (see
    # below)
    ;   logon path = \\%N\profiles\%U
    # Another common choice is storing the profile in the user's home directory
    # (this is Samba's default)
    #   logon path = \\%N\%U\profile
    
    # The following setting only takes effect if 'domain logons' is set
    # It specifies the location of a user's home directory (from the client
    # point of view)
    ;   logon drive = H:
    #   logon home = \\%N\%U
    
    # The following setting only takes effect if 'domain logons' is set
    # It specifies the script to run during logon. The script must be stored
    # in the [netlogon] share
    # NOTE: Must be store in 'DOS' file format convention
    ;   logon script = logon.cmd
    
    # This allows Unix users to be created on the domain controller via the SAMR
    # RPC pipe. The example command creates a user account with a disabled Unix
    # password; please adapt to your needs
    ; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
    
    # This allows machine accounts to be created on the domain controller via the 
    # SAMR RPC pipe.  
    # The following assumes a "machines" group exists on the system
    ; add machine script  = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
    
    # This allows Unix groups to be created on the domain controller via the SAMR
    # RPC pipe.  
    ; add group script = /usr/sbin/addgroup --force-badname %g
    
    ############ Misc ############
    
    # Using the following line enables you to customise your configuration
    # on a per machine basis. The %m gets replaced with the netbios name
    # of the machine that is connecting
    ;   include = /home/samba/etc/smb.conf.%m
    
    # Some defaults for winbind (make sure you're not using the ranges
    # for something else.)
    ;   idmap uid = 10000-20000
    ;   idmap gid = 10000-20000
    ;   template shell = /bin/bash
    
    # Setup usershare options to enable non-root users to share folders
    # with the net usershare command.
    
    # Maximum number of usershare. 0 (default) means that usershare is disabled.
    ;   usershare max shares = 100
    
    # Allow users who've been granted usershare privileges to create
    # public shares, not just authenticated ones
    #   usershare allow guests = yes
    
    #======================= Share Definitions =======================
    
    # Un-comment the following (and tweak the other settings below to suit)
    # to enable the default home directory shares. This will share each
    # user's home directory as \\server\username
    ;[homes]
    ;   comment = Home Directories
    ;   browseable = no
    
    # By default, the home directories are exported read-only. Change the
    # next parameter to 'no' if you want to be able to write to them.
    ;   read only = yes
    
    # File creation mask is set to 0700 for security reasons. If you want to
    # create files with group=rw permissions, set next parameter to 0775.
    ;   create mask = 0700
    
    # Directory creation mask is set to 0700 for security reasons. If you want to
    # create dirs. with group=rw permissions, set next parameter to 0775.
    ;   directory mask = 0700
    
    # By default, \\server\username shares can be connected to by anyone
    # with access to the samba server.
    # Un-comment the following parameter to make sure that only "username"
    # can connect to \\server\username
    # This might need tweaking when using external authentication schemes
    ;   valid users = %S
    
    # Un-comment the following and create the netlogon directory for Domain Logons
    # (you need to configure Samba to act as a domain controller too.)
    ;[netlogon]
    ;   comment = Network Logon Service
    ;   path = /home/samba/netlogon
    ;   guest ok = yes
    ;   read only = yes
    
    # Un-comment the following and create the profiles directory to store
    # users profiles (see the "logon path" option above)
    # (you need to configure Samba to act as a domain controller too.)
    # The path below should be writable by all users so that their
    # profile directory may be created the first time they log on
    ;[profiles]
    ;   comment = Users profiles
    ;   path = /home/samba/profiles
    ;   guest ok = no
    ;   browseable = no
    ;   create mask = 0600
    ;   directory mask = 0700
    
    ;[printers]
    ;   comment = All Printers
    ;   browseable = no
    ;   path = /var/spool/samba
    ;   printable = yes
    ;   guest ok = no
    ;   read only = yes
    ;   create mask = 0700
    
    # Windows clients look for this share name as a source of downloadable
    # printer drivers
    ;[print$]
    ;   comment = Printer Drivers
    ;   path = /var/lib/samba/printers
    ;   browseable = yes
    ;   read only = yes
    ;   guest ok = no
    # Uncomment to allow remote administration of Windows print drivers.
    # You may need to replace 'lpadmin' with the name of the group your
    # admin users are members of.
    # Please note that you also need to set appropriate Unix permissions
    # to the drivers directory for these users to have write rights in it
    ;   write list = root, @lpadmin
    
    [FamilyNAS]
    
    comment = Private Folder
    path = /media/nas/Mark
    writable = yes
    valid users = mark
    
    comment = Public Folder
    path = /media/nas/Share
    writable = yes
    valid users = mark jean carol
    "If you're in a room with another person who sees the world exactly as you do, one of you is redundant." Dr. Steven Covey, The 7-Habits of Highly Effective People

    #2
    No, the problem is not having ssh. That is separate from Samba. I don't know what changes to your config are needed to get samba to work, but when I had a working PC, it ran both with samba and with an ssh server with no issues.
    Often many of the 123348876389 howtos are incomplete, outdated, or just don't work, and I count the Ubuntu wiki articles in this as well. Look for one that is as recent as possible, and make sure you have user accounts and samba passwords set up on the server, and that the permissions are correct for read/write access. Been a while since I messed with this, but I am sure someone who is using it now will chime in soon enough.



      #3
      As Clay said, ssh and SAMBA are not related to each other at all (unless you're trying something complicated like SAMBA through an ssh tunnel). The problem connecting could be server configuration or client issues. Start by seeing if your server is configured properly. Try this to start:

      nmblookup -S WORKGROUP



        #4
        Also, look at /etc/nsswitch.conf on your server. Make sure you see this line:

        hosts: files wins dns




          #5
          Thank you all. Here's the outputs:

          Code:
          mark@Ubuntu-Server:~$ nmblookup -S WORKGROUP
          192.168.1.101 WORKGROUP<00>
          Looking up status of 192.168.1.101
                 UBUNTU-SERVER   <00> -         B <ACTIVE> 
                 UBUNTU-SERVER   <03> -         B <ACTIVE> 
                 UBUNTU-SERVER   <20> -         B <ACTIVE> 
                 ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> 
                 WORKGROUP       <00> - <GROUP> B <ACTIVE> 
                 WORKGROUP       <1d> -         B <ACTIVE> 
                 WORKGROUP       <1e> - <GROUP> B <ACTIVE> 
          
                 MAC Address = 00-00-00-00-00-00
          
          192.168.1.65 WORKGROUP<00>
          Looking up status of 192.168.1.65
                 EPSON1FF3CF     <00> -         B <ACTIVE> <PERMANENT> 
                 WORKGROUP       <00> - <GROUP> B <ACTIVE> <PERMANENT> 
                 EPSON1FF3CF     <20> -         B <ACTIVE> <PERMANENT> 
          
                 MAC Address = 00-00-00-00-00-00
          Code:
          mark@Ubuntu-Server:~$ cat /etc/nsswitch.conf
          # /etc/nsswitch.conf
          #
          # Example configuration of GNU Name Service Switch functionality.
          # If you have the `glibc-doc-reference' and `info' packages installed, try:
          # `info libc "Name Service Switch"' for information about this file.
          
          passwd:         compat
          group:          compat
          shadow:         compat
          gshadow:        files
          
          hosts:          files dns
          networks:       files
          
          protocols:      db files
          services:       db files
          ethers:         db files
          rpc:            db files
          
          netgroup:       nis

          I understand that Samba and SSH are two distinct programs and now that I've thought about it more, I think I may have a better understanding. I was under the impression that once ssh is set up on the server, ssh is the only way to log in to the server. Anyway, if I have other computers (on the same local network), trying to use the server as the NAS it was designed to be, they wouldn't be able to get in without ssh. I think that's incorrect.
          "If you're in a room with another person who sees the world exactly as you do, one of you is redundant." Dr. Steven Covey, The 7-Habits of Highly Effective People



            #6
            Originally posted by oshunluvr
            Also, look at /etc/nsswitch.conf on your server. Make sure you see this line:

            hosts: files wins dns

            Start by editing nsswitch.conf



              #7
              Originally posted by mhumm2
              I understand that Samba and SSH are two distinct programs and now that I've thought about it more, I think I may have a better understanding. I was under the impression that once ssh is set up on the server, ssh is the only way to log in to the server. Anyway, if I have other computers (on the same local network), trying to use the server as the NAS it was designed to be, they wouldn't be able to get in without ssh. I think that's incorrect.
              Each of these services uses different ports. "Logging in" remotely means gaining access via a service through a port. SSH is simple and robust and often is your lifeline when another service, like SAMBA, fails.

              As long as a port isn't blocked or in use by another service, you could access your server through all of them (services) at once. I have nfs, ssh, samba, transmission (a torrent server), Nextcloud, Webmin, cups, Plex (media delivery), and apache (web access via a browser) services all running on my server all the time all at once. I can "log in" to all of these simultaneously, though I've never had the need to use them all at once from a single computer, but I regularly use 3-4 of them. I even have my server send my desktop a notification when it requires updates.

              BTW if you're not comfortable with the terminal, I recommend Webmin.
              Last edited by oshunluvr; Aug 19, 2017, 06:59 AM.



                #8
                oshunluvr, I'm back, finally. Okay, I updated /etc/nsswitch.conf and rebooted the server. I still do not have access to the NAS from my Kubuntu computer using Dolphin.

                I really appreciate the ports explanation you provided. I understand. So to directly login to the server from the terminal, I have to use ssh since it's installed, and running, with the correct keys in the correct folders, etc. For Dolphin to login, it uses a different port that ssh does not "listen" to. In that case a simple username and PW is used to complete the login.

                Thank you for the Webmin suggestion, but I'm going to pass on that. I want to really understand the computer/server connections and I want to be able to set it up from the terminal. I also understand there may be some security concerns with Webmin. I want to be a "dot prompt" user and who knows... one day I may be as smart as you my friend <smile>.

                Here's the server's directory:
                Code:
                mark@Ubuntu-Server:/media$ ll
                total 32
                drwxr-xr-x  5 root root 4096 Aug  6 11:51 ./
                drwxr-xr-x 23 root root 4096 Aug 18 17:43 ../
                drwxr-xr-x  2 root root 4096 Jul 27 20:53 cdrom/
                drwxr-xr-x  1 root root   36 Aug 11 17:12 nas/
                drwxr-xr-x  2 root root 4096 Jul 28 15:35 usb/
                The directory nas is the 5.5TB disk pool created with btrfs. It is mounted in fstab using its UUID for the pool and its mount point is /media/nas.

                Code:
                mark@Ubuntu-Server:/$ cd /media/nas
                mark@Ubuntu-Server:/media/nas$ ll -lh
                total 20K
                drwxrwxrwx 1 root root   36 Aug 11 17:12 ./
                drwxr-xr-x 5 root root 4.0K Aug  6 11:51 ../
                drwxrwxrwx 1 root root    0 Aug 11 17:12 Carol/
                drwxrwxrwx 1 root root    0 Aug 11 17:12 Jean/
                drwxrwxrwx 1 root root    0 Aug 11 17:11 Mark/
                drwxrwxrwx 1 root root   44 Aug 27 11:33 Share/
                You'll notice I've set permissions to wide open just to see if I could access any of the directories. Dolphin "sees" "FamilyNAS" on the server which is the heading I used for /media/nas in the smb.conf file. When I'm in the server from Dolphin, I don't see any other directories so I created two of them. Then I went back to the server terminal and searched for the directories I created. I found them in /media/nas/Share. That's when I opened the smb.conf file and discovered that my entries changed from what I typed a few weeks ago. What happened to the [FamilyNAS] entries? Where did this come from:
                Code:
                [share]
                 comment = New Share Path
                 path = /media/Windoze/Carol
                 browseable = yes
                 guest ok = yes
                 read only = no
                 create mask = 0755
                That path does not exist on my Kubuntu computer or the server. Is there another file that edits smb.conf?

                Perhaps it would help if I stated the desired end result:

                [Image: NAS-1.png]

                - There are 3 users each with their own directory on the NAS: Mark, Jean, Carol
                - I want each of these directories accessible only by the specific user named for those directories and root of course. If user Jean tries to open directory Carol, the system will tell her she does not have authorization to open that directory.
                - There is a 4th directory called, "Share" that all users can access.

                * Is it possible for the server to identify the user by the user name and PW they entered on their client computers so they're not prompted again to access the nas?

                That's it for now.
                "If you're in a room with another person who sees the world exactly as you do, one of you is redundant." Dr. Steven Covey, The 7-Habits of Highly Effective People
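
Added example, not part of the thread or of Samba: smbd applies assignments in file order, so a parameter repeated inside one section keeps only its last value, which is why the [FamilyNAS] section from post #1 behaves as a single share on /media/nas/Share. The sketch below parses share sections that way and flags overridden parameters, guest-writable shares and shares with no `valid users`; the function names and the `ONE_SECTION_EACH` layout are assumptions made for illustration.

```python
import re

# Constructed sample: [FamilyNAS] as posted in #1 and [share] from #8 (abridged).
AS_POSTED = """\
[FamilyNAS]
comment = Private Folder
path = /media/nas/Mark
writable = yes
valid users = mark

comment = Public Folder
path = /media/nas/Share
writable = yes
valid users = mark jean carol

[share]
 path = /media/Windoze/Carol
 guest ok = yes
 read only = no
"""

# Assumed layout, not from the thread: one section per directory, each with its
# own "valid users" (account names taken from post #1).
ONE_SECTION_EACH = "".join(
    f"[{name}]\npath = /media/nas/{name}\nvalid users = {users}\nread only = no\n"
    for name, users in [("Mark", "mark"), ("Jean", "jean"), ("Carol", "carol"),
                        ("Share", "mark jean carol")])

TRUE = {"yes", "true", "on", "1"}
WRITE_ALIASES = {"writable", "writeable", "writeok"}

def parse_shares(text):
    """Return {section: [(lineno, key, value), ...]} in file order."""
    shares, current = {}, None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = shares.setdefault(header.group(1).strip(), [])
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            key = re.sub(r"\s+", "", key.lower())  # names ignore case and spaces
            if key in WRITE_ALIASES:  # inverted synonym of "read only"
                key, value = "readonly", "no" if value.lower() in TRUE else "yes"
            current.append((n, key, value))
    return shares

def effective(assignments):
    """One value per parameter; a repeated parameter keeps its last value."""
    return {key: value for _, key, value in assignments}

def lint(text):
    """Return [(share, code, detail)] for overridden or risky settings."""
    findings = []
    for share, assignments in parse_shares(text).items():
        if share.lower() == "global":
            continue
        seen = {}
        for n, key, value in assignments:
            if key in seen and seen[key][1] != value:
                findings.append((share, "overridden",
                                 f"{key}: line {seen[key][0]} replaced by line {n}"))
            seen[key] = (n, value)
        eff = effective(assignments)
        guest = eff.get("guestok", "no").lower() in TRUE
        writable = eff.get("readonly", "yes").lower() not in TRUE
        if guest and writable:
            findings.append((share, "guest-writable", eff.get("path", "")))
        elif not guest and "validusers" not in eff:
            findings.append((share, "no-valid-users", eff.get("path", "")))
    return findings
```

`lint(AS_POSTED)` reports three overridden parameters in [FamilyNAS] and a guest-writable [share]; `lint(ONE_SECTION_EACH)` reports nothing. Samba-level `valid users` only gates the connection, so the Unix ownership and mode of each directory still have to match the intended user.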



                  #9
                  I'm not a samba expert but there are a ton of how-tos out there. Here's a rather current one: https://www.computerbeginnersguides....4-zesty-zapus/

                  For sure yes, you can have user specific and public directories. You have to give each user a samba password on the server and define the individual directories. I don't know how Webmin would be very insecure if you allow it to only be accessed from within your network, but I applaud your desire to learn the old-school way to get things going.

                  My advice; pick one function at a time and research and fiddle until you get it working to your liking, then start on the next.

                  My current smb.conf has these in it:

                  Code:
                  [Media]
                     comment = Media
                     path = /exports
                     security = user
                     map to guest = Bad User
                     force user = nobody
                     force group = share
                     create mask = 664
                     force create mode = 664
                     security mask = 664
                     force security mode = 664
                     directory mask = 6775
                     force directory mode = 6775
                     directory security mask = 6775
                     directory security mode = 6775
                     browsable = yes
                     guest ok = yes
                     read only = no
                  
                  [Lilys]
                     comment = Lilys
                     path = /exports/Videos/Lilys
                     browsable = yes
                     guest ok = yes
                     read only = no
                  The "media" folder is public (from within my home network) and the "Lilys" folder is for my daughter to store her stuff, but it is not private. We don't use samba much because very few computers in our world have windows on them.



                    #10
                    oshunluvr, great advice about getting one function to work before moving to the next. I'll take a look at the link you provided.

                    Eventually, I want to be able to access only the Share directory via VPN. I know this will involve port forwarding my router/modem. My concern, besides the port forwarding, is to limit VPN access to only the Share directory. I suppose that's #20 on my list and I'm still on #1 which is getting the folders to behave like I want them to within my local network. Thanks again, I have some reading and tweaking to do.
                    "If you're in a room with another person who sees the world exactly as you do, one of you is redundant." Dr. Steven Covey, The 7-Habits of Highly Effective People
