samba security/size - debian jessie 1.0

Got problems with your B2 or B3? Share and get helped!
Post Reply
pai
Posts: 10
Joined: 19 Sep 2015, 14:12

samba security/size - debian jessie 1.0

Post by pai » 13 Jul 2016, 14:08

hello everyone,

i have some questions about samba in general and security management. i'm sure you can help me out with it, due i wasn't capable finding the answers by googling..

i've managed to configure a samba server to which i get access. i thought it would be a good idea to create a new linux user, where all the samba files are stored, to keep it separate from my personal user account.
the tutorial i worked through gave 777 permission to the samba path, and in order to get access to the samba server, i made that change too.
my server is connected to the internet and therefore i'm not sure if 777 really is a good idea. when i change permission to (e.g. 775 - whatever), i obviously cannot access samba anymore.

- what can i do to keep security level to the max?

another question:
my b3 has a 1TB HDD. besides the OS and some services, there is almost no data installed. when i check the volume size of the samba server it is 10,43 GB in total and only 8,35 GB free of data. how can i get more storage? is the size limited to the linux user i created for samba, or is samba limiting the size?

thank you in advance for your help.
pai
:)

pai
Posts: 10
Joined: 19 Sep 2015, 14:12

Re: samba security/size - debian jessie 1.0

Post by pai » 14 Jul 2016, 01:59

pai wrote:when i check the volume size of the samba server it is 10,43 GB in total and only 8,35 GB free of data. how can i get more storage? is the size limited to the linux user i created for samba, or is samba limiting the size?
think i've found the answer in debian jessie image 1.0 topic:
wipe mode: in this mode the script will wipe the disk and create two partitions : one for the system and one for the swap. The sizes are 10G/1G by defaults and can be customized.
i guess i need to change the install.ini and wipe again? :?

Gordon
Posts: 1315
Joined: 10 Aug 2011, 03:18

Re: samba security/size - debian jessie 1.0

Post by Gordon » 14 Jul 2016, 02:17

Don't know what tutorial you followed, but it seems to me that you created something of a public NAS that does not require a login ("guest ok"). If you really need this, you can add directives "force user" and "force group" to the samba share and everything that is written to that share will be owned by that user and/or group.

The usual way for allowing users access through samba is by adding a password for a regular user with smbpasswd. Default configuration of samba would normally contain something like this:

Code: Select all

[homes]
   create mask=0700
   directory mask=0700
   read only=no
   browseable=no
   comment=Home Directories
   valid users = %S
Which will allow the user to see and access his own home directory (and not those of others) with read/write access.

The disk limit or quota also does not seem normal to me. My guess would be that your share points to some pseudo file system.

pai
Posts: 10
Joined: 19 Sep 2015, 14:12

Re: samba security/size - debian jessie 1.0

Post by pai » 14 Jul 2016, 03:27

hey gordon,

thank you for your answer. i followed a german tutorial and it suggested:
chmod 777 /media/storage
as you know, i've created a new linux user, so i changed the user's homefolder permission to 777.

smb.conf looks like this:

Code: Select all

[global]
workgroup = b3 server
share modes = yes
security = user
map to guest = Bad Password
encrypt passwords = yes
guest account = nobody
include = /etc/samba/smbshared.conf
writeable = yes
as you see there is a smbshared.conf included. it looks like that:

Code: Select all

[b3]
comment = b3 data server
path = /home/samba/
browsable = yes
available = yes
read only = no
public = no
writeable = yes
valid users = anchorman
german tutorial:
https://www.thomas-krenn.com/de/wiki/Ei ... ter_Debian

youtube (eng):
https://www.youtube.com/watch?v=dm0_9N3dY90

thank you so far!

MouettE
Site admin
Posts: 248
Joined: 06 Oct 2011, 19:45

Re: samba security/size - debian jessie 1.0

Post by MouettE » 14 Jul 2016, 09:18

pai wrote: i guess i need to change the install.ini and wipe again? :?
You have a couple of choices. The easiest one would be to create a very big partition on the remaining part of your disk, format and mount it somewhere in your system so you'll be able to use it. You could also reinstall the OS and set a larger size for the system partition in the install.ini file. Or you could, from the rescue system, remove the swap, enlarge the system partition while letting enough space to re-create the swap partition. That's complicated though. Your best bet is still the 1st option.

pai
Posts: 10
Joined: 19 Sep 2015, 14:12

Re: samba security/size - debian jessie 1.0

Post by pai » 14 Jul 2016, 10:42

thank you MouettE, option 1 worked very well!
how would you setup the nas server in my case?

Stryker
Posts: 55
Joined: 17 Oct 2013, 11:03

Re: samba security/size - debian jessie 1.0

Post by Stryker » 16 Jul 2016, 06:37

NAS Server? Do you mean Samba?

I have a somewhat public share, that can be accessed by anyone who has a (Linux-)user-account and password on my device AND is a member of the sambashare group (valid users @sambashare).
The share's folder itself is owned by the sambashare group and I also set the forcegroup option to force newly created files into group ownership.

The data-partition (sda3) is mounted at /srv, since that folder is mostly empty in debian and the filesystem-hierarchy-standard declares it to be used for services provided by the system.
You can create a folder called /srv/samba and then a seperate folder for each share you plan to offer:
/srv/samba/<share1>/ etc.
Don't forget to set (Group-)ownership correctly.

pai
Posts: 10
Joined: 19 Sep 2015, 14:12

Re: samba security/size - debian jessie 1.0

Post by pai » 26 Jul 2016, 08:10

Stryker wrote:NAS Server? Do you mean Samba?
Yes, i meant Samba :)
Stryker wrote:I have a somewhat public share, that can be accessed by anyone who has a (Linux-)user-account and password on my device AND is a member of the sambashare group (valid users @sambashare).
The share's folder itself is owned by the sambashare group and I also set the forcegroup option to force newly created files into group ownership.
Ok, i'll try to make a similar configuration.
Stryker wrote:The data-partition (sda3) is mounted at /srv, since that folder is mostly empty in debian and the filesystem-hierarchy-standard declares it to be used for services provided by the system.
You can create a folder called /srv/samba and then a seperate folder for each share you plan to offer:
/srv/samba/<share1>/ etc.
Don't forget to set (Group-)ownership correctly.
i'll also try that!

Thank you Stryker for helping me out! You guys are very helpful!

Gordon
Posts: 1315
Joined: 10 Aug 2011, 03:18

Re: samba security/size - debian jessie 1.0

Post by Gordon » 26 Jul 2016, 16:35

Stryker wrote:The data-partition (sda3) is mounted at /srv, since that folder is mostly empty in debian and the filesystem-hierarchy-standard declares it to be used for services provided by the system.
You can create a folder called /srv/samba and then a seperate folder for each share you plan to offer:
/srv/samba/<share1>/ etc.
Don't forget to set (Group-)ownership correctly.
Yes, that does make sense. However, if you mount your data partition sda3 to /srv that will put /home on your root partition. Unless you don't allow your users to store any private data, that will put you at risk of users filling up your root partition and consequently crash your machine. Excito placing the common share 'storage' in /home may not have been the neatest thing from an administrator's point of view, but it is a good solution that fits the scope of this machine. Don't overcomplicate - or get yourself a (couple of) Blade server and a huge SAN.

Stryker
Posts: 55
Joined: 17 Oct 2013, 11:03

Re: samba security/size - debian jessie 1.0

Post by Stryker » 28 Jul 2016, 06:37

I am aware that /home is now on the root partition which is possibly quite small.
But since the B3 is a headless device, I figured that each user's home-directory will hardly ever be used for storage.
You can set a different path for samba's [homes]-share so that it too can be stored at /srv/samba/homes/<name>
Mounting sda3 at /home and placing everything there is an easier solution, but I felt unsatisfied with it.

My HP Microserver Gen8 uses a 32GB sdcard as root and a 2TB harddisk with LUKS-encryption for storage, mounted at /home.
This lead to the problem that I had to copy my ssh-public-key to /home/<name>/.ssh/ on both sdcard-home and disk-home so I could ssh whether or not the disk was mounted (I have to enter the passphrase manually).

Post Reply