Chapter 21. samba first user account

Table of Contents

creating a samba user
ownership of files
/usr/bin/smbpasswd
/etc/samba/smbpasswd
passdb backend
forcing this user
practice: first samba user account
solution: first samba user account

creating a samba user

We will create a user for our samba file server and make this user the owner of the directory and all of its files. This anonymous user gets a clear description, but does not get a login shell.

[root@RHEL52 samba]# useradd -s /bin/false sambanobody
[root@RHEL52 samba]# usermod -c "Anonymous Samba Access" sambanobody
[root@RHEL52 samba]# passwd sambanobody
Changing password for user sambanobody.
New UNIX password: 
Retype new UNIX password: 
passwd: all authentication tokens updated successfully.

ownership of files

We can use this user as owner of files and directories, instead of using the root account. This approach is clear and more secure.

[root@RHEL52 samba]# chown -R sambanobody:sambanobody /srv/samba/
[root@RHEL52 samba]# ls -al /srv/samba/writable/
total 12
drwxrwxrwx 2 sambanobody sambanobody 4096 Jan 21 06:11 .
drwxr-xr-x 6 sambanobody sambanobody 4096 Jan 21 06:11 ..
-rwxr--r-- 1 sambanobody sambanobody    6 Jan 21 06:16 hoi.txt

/usr/bin/smbpasswd

The sambanobody user account that we created in the previous examples is not yet used by samba. It just owns the files and directories that we created for our shares. The goal of this section is to force ownership of files created through the samba share to belong to our sambanobody user. Remember, our server is still accessible to everyone, nobody needs to know this user account or password. We just want a clean Linux server.

To accomplish this, we first have to tell Samba about this user. We can do this by adding the account to smbpasswd.

[root@RHEL52 samba]# smbpasswd -a sambanobody
New SMB password:
Retype new SMB password:
Added user sambanobody.

/etc/samba/smbpasswd

To find out where Samba keeps this information (for now), use smbd -b. The PRIVATE_DIR variable will show you where the smbpasswd database is located.

[root@RHEL52 samba]# smbd -b | grep PRIVATE
   PRIVATE_DIR: /etc/samba
[root@RHEL52 samba]# ls -l smbpasswd 
-rw------- 1 root root 110 Jan 21 06:19 smbpasswd

You can use a simple cat to see the contents of the smbpasswd database. The sambanobody user does have a password (it is secret).

[root@RHEL52 samba]# cat smbpasswd 
sambanobody:503:AE9 ... 9DB309C528E540978:[U          ]:LCT-4976B05B:

passdb backend

Note that recent versions of Samba have tdbsam as default for the passdb backend paramater.

root@ubu1110:~# testparm -v 2>/dev/null| grep 'passdb backend'

	passdb backend = tdbsam

forcing this user

Now that Samba knows about this user, we can adjust our writable share to force the ownership of files created through it. For this we use the force user and force group options. Now we can be sure that all files in the Samba writable share are owned by the same sambanobody user.

Below is the renewed definition of our share in smb.conf.

[pubwrite]
 path = /srv/samba/writable
 comment = files to write
 force user = sambanobody
 force group = sambanobody
 read only = no
 guest ok = yes
	

When you reconnect to the share and write a file, then this sambanobody user will own the newly created file (and nobody needs to know the password).

practice: first samba user account

1. Create a user account for use with samba.

2. Add this user to samba's user database.

3. Create a writable shared directory and use the "force user" and "force group" directives to force ownership of files.

4. Test the working of force user with smbclient, net use and Windows Explorer.

solution: first samba user account

1. Create a user account for use with samba.

useradd -s /bin/false smbguest
usermod -c 'samba guest'
passwd smbguest

2. Add this user to samba's user database.

smbpasswd -a smbguest

3. Create a writable shared directory and use the "force user" and "force group" directives to force ownership of files.

[userwrite]
 path = /srv/samba/userwrite
 comment = everyone writes files owned by smbguest
 read only = no
 guest ok = yes
 force user = smbguest
 force group = smbguest
	

4. Test the working of force user with smbclient, net use and Windows Explorer.

ls -l /srv/samba/userwrite (and verify ownership)