The goal of this example is to set up a file share accessible to a number of different users. The users will need to authenticate with their password before access to this share is granted. We will first create three randomly named users, each with their own password. First we add these users to Linux.
[root@RHEL52 ~]# useradd -c "Serena Williams" serena
[root@RHEL52 ~]# useradd -c "Justine Henin" justine
[root@RHEL52 ~]# useradd -c "Martina Hingis" martina
[root@RHEL52 ~]# passwd serena
Changing password for user serena.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[root@RHEL52 ~]# passwd justine
Changing password for user justine.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[root@RHEL52 ~]# passwd martina
Changing password for user martina.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
Then we add them to the smbpasswd file, with the same password.
[root@RHEL52 ~]# smbpasswd -a serena
New SMB password:
Retype new SMB password:
Added user serena.
[root@RHEL52 ~]# smbpasswd -a justine
New SMB password:
Retype new SMB password:
Added user justine.
[root@RHEL52 ~]# smbpasswd -a martina
New SMB password:
Retype new SMB password:
Added user martina.
Remember that we set samba's security mode to share with the security = share directive in the [global] section? Since we now require users to always provide a userid and password for access to our samba server, we need to change this. Setting security = user requires the client to provide samba with a valid userid and password before it is given access to a share.
Our [global] section now looks like this.
[global]
workgroup = WORKGROUP
netbios name = TEACHER0
server string = Samba File Server
security = user
We add the following [share] section to our smb.conf (and we do not forget to create the directory /srv/samba/authwrite).
[authwrite]
path = /srv/samba/authwrite
comment = authenticated users only
read only = no
guest ok = no
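The two settings this setup depends on (security = user in [global], guest ok = no on the share) can be checked mechanically. The script below is an added example, not part of the original text: the function names and the [pubread] share in the second sample file are constructed for illustration, and it only flags an explicit security = share and shares where guest ok (or its synonym public) is enabled.

```shell
#!/bin/sh
# audit_smbconf FILE: print one finding per line, nothing if the file is clean.
# Flags an explicit "security = share" and any share that allows guests.
audit_smbconf() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function end_section() {           # runs when a section is complete
        if (section == "global") default_guest = guest
        else if (section != "" && guest ~ /^(yes|true|1)$/)
            print "[" section "]: guest access is enabled"
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }            # comments and blank lines
    /^[ \t]*\[.*\][ \t]*$/ {                        # [section] header
        end_section()
        section = tolower(trim($0))
        gsub(/^\[|\]$/, "", section)
        guest = default_guest          # a [global] value is the share default
        next
    }
    {
        eq = index($0, "=")
        if (eq == 0) next
        key = tolower(trim(substr($0, 1, eq - 1)))
        val = tolower(trim(substr($0, eq + 1)))
        if (section == "global" && key == "security" && val == "share")
            print "[global]: security = share, expected security = user"
        if (key == "guest ok" || key == "public") guest = val
    }
    END { end_section() }' "$1"
}

# Constructed sample files (not from a real server): the first repeats the
# settings shown above, the second uses share-level security and allows guests.
write_samples() {
    printf '%s\n' '[global]' 'workgroup = WORKGROUP' 'security = user' \
        '[authwrite]' 'path = /srv/samba/authwrite' 'read only = no' \
        'guest ok = no' > "$1/good.conf"
    printf '%s\n' '[global]' 'security = share' \
        '[pubread]' 'path = /srv/samba/pubread' 'guest ok = yes' > "$1/weak.conf"
}

dir=$(mktemp -d)
write_samples "$dir"
audit_smbconf "$dir/good.conf"     # clean file: no findings
audit_smbconf "$dir/weak.conf"     # one finding for [global], one for [pubread]
rm -rf "$dir"
```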
After restarting samba, we test with different users from within Microsoft computers. The screenshots use net use. First, serena from Windows XP.
C:\>net use m: \\teacher0\authwrite stargate /user:serena
The command completed successfully.
C:\>m:
M:\>echo greetings from Serena > serena.txt
The next screenshot is martina on a Windows 2000 computer; she succeeds in writing her files, but fails to overwrite the file from serena.
C:\>net use k: \\teacher0\authwrite stargate /user:martina
The command completed successfully.
C:\>k:
K:\>echo greetings from martina > Martina.txt
K:\>echo test overwrite > serena.txt
Access is denied.
You can also test connecting with authentication with smbclient. First we test with a wrong password.
[root@RHEL52 samba]# smbclient //teacher0/authwrite -U martina wrongpass
session setup failed: NT_STATUS_LOGON_FAILURE
Then we test with the correct password, and verify that we can access a file on the share.
[root@RHEL52 samba]# smbclient //teacher0/authwrite -U martina stargate
Domain=[TEACHER0] OS=[Unix] Server=[Samba 3.0.33-3.7.el5]
smb: \> more serena.txt
getting file \serena.txt of size 14 as /tmp/smbmore.QQfmSN (6.8 kb/s)
one
two
three
smb: \> q
We now have a simple standalone samba file server with authenticated access. And the files in the shares belong to their proper owners.
[root@RHEL52 samba]# ls -l /srv/samba/authwrite/
total 8
-rwxr--r-- 1 martina martina 0 Jan 21 20:06 martina.txt
-rwxr--r-- 1 serena serena 14 Jan 21 20:06 serena.txt
-rwxr--r-- 1 serena serena 6 Jan 21 20:09 ser.txt
You can get NT_STATUS_BAD_NETWORK_NAME when you forget to create the target directory.
[root@RHEL52 samba]# rm -rf /srv/samba/authwrite/
[root@RHEL52 samba]# smbclient //teacher0/authwrite -U martina stargate
Domain=[TEACHER0] OS=[Unix] Server=[Samba 3.0.33-3.7.el5]
tree connect failed: NT_STATUS_BAD_NETWORK_NAME
You can get NT_STATUS_LOGON_FAILURE when you type the wrong password or when you type a nonexistent username.
[root@RHEL52 samba]# smbclient //teacher0/authwrite -U martina STARGATE
session setup failed: NT_STATUS_LOGON_FAILURE
Remember that usernames on Linux are case sensitive.
[root@RHEL52 samba]# su - MARTINA
su: user MARTINA does not exist
[root@RHEL52 samba]# su - martina
[martina@RHEL52 ~]$
But usernames on Microsoft computers are not case sensitive.
[root@RHEL52 samba]# smbclient //teacher0/authwrite -U martina stargate
Domain=[TEACHER0] OS=[Unix] Server=[Samba 3.0.33-3.7.el5]
smb: \> q
[root@RHEL52 samba]# smbclient //teacher0/authwrite -U MARTINA stargate
Domain=[TEACHER0] OS=[Unix] Server=[Samba 3.0.33-3.7.el5]
smb: \> q
0. Make sure you have properly named backups of your smb.conf of the previous practices.
1. Create three users (on the Linux and on the samba), remember their passwords!
2. Set up a shared directory that is only accessible to authenticated users.
3. Use smbclient and a windows computer to access your share, use more than one user account (windows requires a logoff/logon for this).
4. Verify that files created by these users belong to them.
5. Try to change or delete a file from another user.
1. Create three users (on the Linux and on the samba), remember their passwords!
useradd -c 'SMB user1' userx
passwd userx
2. Set up a shared directory that is only accessible to authenticated users.
The shared section in smb.conf could look like this:
[authwrite]
path = /srv/samba/authwrite
comment = authenticated users only
read only = no
guest ok = no
3. Use smbclient and a windows computer to access your share, use more than one user account (windows requires a logoff/logon for this).
on Linux: smbclient //studentX/authwrite -U user1 password
on Windows: net use p: \\studentX\authwrite password /user:user2
4. Verify that files created by these users belong to them.
ls -l /srv/samba/authwrite
5. Try to change or delete a file from another user.
You should not be able to change or overwrite files from others.