Old 08-09-2012, 07:22 PM
sqlpython
Samba: Quick How To
Originally written for my Linux Installs. If anyone sees any BSD-specific differences that I did not catch, then post for me to correct.
I keep this How To of mine as a Template to get my Network up quickly and have posted it on the Debian forums as well as others. I hope it is useful to some. Simple, imperfect but it works.

** Disclaimer ** The Below Quick Samba Set will work but it is just that, quick and easy, and not aimed to be Corporate Secure. If you are in a Volatile environment use at your own risk**
However you can learn from the settings..

I have been using SAMBA in Win networks since the 1990s and have had good luck with its connectivity features. I can help you here. SAMBA becomes progressively more difficult to Administrate as you progressively make it more Secure. PAM passwords, winbind and Active Win Directories will do that.
In a friendly environment you can eliminate the above. I am able to in most circumstances. However it will be necessary for testing in a new setup to go Open without security just for Testing. Then, if you are required to, you can immediately harden your SAMBA install with One or more Security features.

Later versions of Thunar should automatically see networks. If Thunar version 1.2.xx is used, it will see networks. Of course, the Dolphin file manager with KDE works well with Samba and networks. The URL conventions would be

Code:
smb://ServerName/SharedDirectory

Winbind: In most simple circumstances and networks you won't need winbind.

Here is a reminder I keep to Remember Winbind needs...
Winbind is ideal for admins who wish to add workstations or servers to an existing Windows domain
You should also use winbind when you have hosts that are not members of the domain accessing a Samba or Windows domain.
what winbind does:
Authenticates users
Manages passwords
Allows users to use Windows domain resources as though they were native resources
User and group ID allocation


I do not aim here to show you the SAMBA port/pkg install because I believe that PCBSD has that installed by default.
You can check these directories
/usr/local/bin/testprns
/usr/local/bin/smbcquotas
/usr/local/bin/smbcacls
/usr/local/bin/wbinfo
/usr/local/bin/smbtree
/usr/local/bin/smbspool
/usr/local/bin/smbpasswd
/usr/local/bin/testparm
/usr/local/bin/smbcontrol
/usr/local/bin/ntlm_auth
/usr/local/bin/net

This port has installed the following startup scripts which may cause
these network services to be started at boot time.
as root
Code:
/usr/local/etc/rc.d/samba.sh

How I would initially set up a SAMBA user Network..(to be hardened later)
..Get it working first. Secure it second..Makes Debugging Easier.
This is not the minimum install but a useful one.
EDIT: Jul 20,2012 Keep in mind this Protocol is about Sharing...
..........So, sharing indicates cooperation. There must be Files, Directories and hopefully Printers set to Share on at least the Windows Side and as I do on both the Windows and BSD sides of this Protocol.
If Not then nothing happens. So, see to setting Shares first, via the items' Properties on both Win and BSD systems ****

Load in the smb.conf to edit with your editor of choice
Code:
kdesu kate /usr/local/etc/smb.conf

Some Defaults I have set which should generically work.
The workgroup below is a common Windows default but check your own
Remember these are generic and not aimed toward Security but Testing and Immediate Use. A quick and easy way to get a Samba Network connection up and running.
So look for the lines below and modify similar to my examples..

workgroup = WORKGROUP
server string = %h server
#wins support = no
include = /etc/samba/dhcp.conf
dns proxy = no
netbios name = bobs1501
name resolve order = lmhosts host wins bcast

and set interfaces to lo and your local network interface. In my case: eth0.

interfaces = lo eth0 wlan0
bind interfaces only = true

A bit more secure alternative would be to set your particular interfaces

interfaces = 192.168.0/200 192.168.1/200 192.168.2/200 127.0.0.0/8 eth0

Now, it is time to smooth out samba default security by changing the security variable: security. Make sure it is set to share instead of user and that the guest account is enabled:

security = share

...
...

guest account = nobody

Now, we can create a share to be accessible to guest users:
Mine refers to a dir I have called Public
You can place in the /home dir but more secure would be outside that dir.
This is a Public share so read write to all if you choose.

*******Share Definitions************
[Public]
comment = Guest access share
path = /home/sqlpython/Public
browseable = yes
read only = yes
guest ok = yes

In the Section regarding
####### Authentication #######
I put a # in front of anything that would give a password or an encryption.
You can revisit this area later once you decide if/what you want for a password but for now just get it working.

########## Printing ##########
load printers = yes
# cupsys-client package.
printing = cups
printcap name = cups

You can now test that your configuration is good using testparm:

$ testparm

If everything is fine, it is time to reload samba service to have your new configuration taken into account:

sudo /etc/init.d/samba reload
or
sudo /etc/init.d/samba restart

**********PRINTING*********

Most of the files come with Squeeze.
I think I only installed the very useful Gnome system-config-printer.
With the system-config-printer you can Add and Modify printers.
All network printers added will be SAMBA like this example..

smb://Host_Computer_To_Access/hpLaser1302

All Should work fine now with Networking, SAMBA networking and Samba Printing ..
Now read the Samba.org Wiki regarding the Security flavor of your choice.

EDIT: Jul 20 2012 *Security*
For Good reasons there are some Networks and Users that will make much of Security.
I say that Securing SAMBA SMB is the last protocol to worry about in a Secure System. Security should be handled at earlier stages at the FireWall. If a User has been allowed or cracked onto your side of the Firewall then SAMBA security is too little too late. So be SAMBA involved or not ...Too Late, don't blame SAMBA.
Instead to secure your BSD network look to Router Hardware FireWalls, Hardened Passwords (simple but effective), PAM, IPchaining and for Wifi MacAddressing etc. Working with a Win Network you may also be faced with Active Directory Protocol which is pretty secure. ADP will bring into play ssh, kerberos, nsswitch, PAM and a number of smb.conf Security modifications. Security protocols are out there to satisfy Governments and Corporate Institutions. They know and choose to take the risks presented as a trade-off for Speed and Storage capacities of that information......However read on...

Remember, Electronic media is not the first means that comes to mind for Securing Sensitive Data. It is probably the Last. Whatever is on a Shared or Non Shared file tree is Much less safe than on your Bedroom Night Stand. So, know the risks if you choose to store on your computer Passwords to wherever, ID/Social Security type numbers, Bank Acct numbers, personal Pictures, Writings and other family information that could lead to Identity Theft. We probably all leave some sensitive data on our systems. (Sensitive to a Lesser or Greater degree.) However if that data is hacked we must also shoulder the responsibility....*******
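Added example (not part of sqlpython's post): a small Python audit of the quick-test settings above, listing what to revisit when moving from the open test phase to a hardened setup. The sample file is constructed from the post's settings, and the function names and finding strings are illustrative assumptions.

```python
import re

# Constructed sample from the post's test settings; names below are hypothetical.
SAMPLE_CONF = """\
[global]
interfaces = lo eth0 wlan0
bind interfaces only = true
security = share
guest account = nobody
[Public]
path = /home/sqlpython/Public
read only = yes
guest ok = yes
"""
TRUE = {"yes", "true", "1", "on"}

def parse_smb_conf(text):
    """Return {section: {param: value}}; names lower-cased, inner spaces collapsed."""
    conf, section = {}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # smb.conf comments start with # or ;
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            conf.setdefault(section, {})[" ".join(key.lower().split())] = value.strip()
    return conf

def audit(text):
    """List the settings to revisit when hardening after the open test phase."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = []
    if glob.get("security", "user").lower() == "share":
        findings.append("global: security = share (no per-user login)")
    if glob.get("bind interfaces only", "no").lower() not in TRUE:
        findings.append("global: bind interfaces only is off")
    shares = {n: s for n, s in conf.items() if n != "global"}
    for name, p in shares.items():
        guest = p.get("guest ok", p.get("public", "no")).lower() in TRUE
        writable = p.get("read only", "yes").lower() not in TRUE
        if guest:
            findings.append(f"{name}: guest access" + (", writable" if writable else ", read-only"))
        if p.get("path", "").startswith("/home/"):
            findings.append(f"{name}: path is under /home")
    return findings
```

Run `audit()` on the text of your own smb.conf after `testparm` reports it clean; an empty list means none of these test-phase settings remain.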
Old 08-12-2012, 06:45 AM
sqlpython
@allen875 & @SeanSeymour

Thanks for the Thank You
I hope the How To solved some issues for you both.
Old 08-12-2012, 02:51 PM
allen875
sqlpython, I don't use samba much for my home network needs but the pc-bsd forums need some good how-to guides like this posted.