
Setting Up a File Share Distribution Point on Linux Using Samba

Overview

Samba can be used to host a file share distribution point with an SMB share on a Linux server. The distribution point can then be added to the JSS and used with the Casper Suite.

The procedure below has been tested on Ubuntu. It may vary depending on your specific Linux operating system.

Procedure

  1. Install the Samba service according to the instructions for your specific Linux operating system. On Ubuntu, execute the following command:
    sudo apt-get install samba
  2. Add the accounts to be used by executing commands similar to the following:
    sudo useradd -d /home/casperadmin casperadmin -s /bin/false -N
    sudo useradd -d /home/casperinstall casperinstall -s /bin/false -N
  3. Set passwords for the accounts by executing commands similar to the following:
    sudo smbpasswd -a casperadmin
    sudo smbpasswd -a casperinstall
  4. Create the sharepoint folder and assign the appropriate privileges by executing commands similar to the following:
    sudo mkdir -p /srv/samba/CasperShare
    sudo chown casperadmin /srv/samba/CasperShare/
    sudo chmod 755 /srv/samba/CasperShare/
  5. Open the /etc/samba/smb.conf file and configure it for the distribution point by inserting something similar to the following in the Share Definitions section of the file:
    [CasperShare]
    comment = CasperShare
    path = /srv/samba/CasperShare
    browseable = no
    guest ok = no
    read only = yes
    create mask = 0755
    read list = casperinstall
    write list = casperadmin
    valid users = casperadmin, casperinstall
  6. Restart the SMB service by executing a command similar to the following:
    sudo service smbd restart
  7. Add the distribution point to the JSS. For more information, see "Managing Distribution Points" in your product documentation.

Additional Information

If mounting the share fails, SELinux may be enabled on the server and denying Samba access to the share directory. Check the SELinux status by executing the following command:

sestatus

If SELinux is enforcing, the output includes "Current mode: enforcing".

There are two ways to solve this:

  • Disable SELinux enforcement by executing the following command (this switches SELinux to permissive mode only until the next reboot):
    setenforce 0
  • Label the share folder so that Samba is allowed to access it by executing a command similar to the following:
    chcon -t samba_share_t /path/to/share

For information on managing file share distribution points in the JSS, see the Casper Suite Administrator's Guide.

SOLVED Posted: by donparfet

Followed the instructions here to add an SMB share to our RHEL server that hosts both JSS and JDS, and it's working pretty well. The only thing I might add is that naming the SMB share "CasperShare" caused confusion with the HTTP JDS master instance that was aliased as "CasperShare". I renamed the SMB share to "CasperShareSMB", which seems to have resolved connection errors stating that 'CasperShare' was not accessible.

SOLVED Posted: by shakim

I'm attempting to set up this configuration too. So just to clarify, I'm on RHEL and installed Samba. Its default smb.conf file has a lot of entries in it. Do I need it?
Here is a snippet of my conf file:

#======================= Global Settings =====================================

[global]

# ----------------------- Network Related Options -------------------------
#
# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
#
# server string is the equivalent of the NT Description field
#
# netbios name can be used to specify a server name not tied to the hostname
#
# Interfaces lets you configure Samba to use multiple interfaces
# If you have multiple network interfaces then you can list the ones
# you want to listen on (never omit localhost)
#
# Hosts Allow/Hosts Deny lets you restrict who can connect, and you can
# specify it as a per share option as well
#
workgroup = MYGROUP
server string = Samba Server Version %v

; netbios name = MYSERVER

; interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
; hosts allow = 127. 192.168.12. 192.168.13.

# --------------------------- Logging Options -----------------------------
#
# Log File let you specify where to put logs and how to split them up.
#
# Max Log Size let you specify the max size log files should reach

# logs split per machine
log file = /var/log/samba/log.%m
# max 50KB per log file, then rotate
max log size = 50

# ----------------------- Standalone Server Options ------------------------
#
# Security can be set to user, share(deprecated) or server(deprecated)
#
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.

security = user
passdb backend = tdbsam

# ----------------------- Domain Members Options ------------------------
#
# Security must be set to domain or ads
#
# Use the realm option only with security = ads
# Specifies the Active Directory realm the host is part of
#
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
#
# Use password server option only with security = server or if you can't
# use the DNS to locate Domain Controllers
# The argument list may include:
#   password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
# or to auto-locate the domain controller/s
#   password server = *

; security = domain
; passdb backend = tdbsam
; realm = MY_REALM

; password server = <NT-Server-Name>

# ----------------------- Domain Controller Options ------------------------
#
# Security must be set to user for domain controllers
#
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
#
# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
#
# Domain Logons let Samba be a domain logon server for Windows workstations.
#
# Logon Script lets you specify a script to be run at login time on the client
# You need to provide it in a share called NETLOGON
#
# Logon Path let you specify where user profiles are stored (UNC path)
#
# Various scripts can be used on a domain controller or stand-alone
# machine to add or delete corresponding unix accounts

; security = user
; passdb backend = tdbsam

; domain master = yes
; domain logons = yes

# the login script name depends on the machine name
; logon script = %m.bat
# the login script name depends on the unix user used
; logon script = %u.bat
; logon path = \\%L\Profiles\%u
# disables profiles support by specifying an empty path
; logon path =

; add user script = /usr/sbin/useradd "%u" -n -g users
; add group script = /usr/sbin/groupadd "%g"
; add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
; delete user script = /usr/sbin/userdel "%u"
; delete user from group script = /usr/sbin/userdel "%u" "%g"
; delete group script = /usr/sbin/groupdel "%g"

# ----------------------- Browser Control Options ----------------------------
#
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
#
# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
#
# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election

; local master = no
; os level = 33
; preferred master = yes

# ----------------------------- Name Resolution -------------------------------
# Windows Internet Name Serving Support Section:
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
#
# - WINS Support: Tells the NMBD component of Samba to enable its WINS Server
#
# - WINS Server: Tells the NMBD components of Samba to be a WINS Client
#
# - WINS Proxy: Tells Samba to answer name resolution queries on
#   behalf of a non WINS capable client, for this to work there must be
#   at least one WINS Server on the network. The default is NO.
#
# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
#   via DNS nslookups.

; wins support = yes
; wins server = w.x.y.z
; wins proxy = yes

; dns proxy = yes

# --------------------------- Printing Options -----------------------------
#
# Load Printers let you load automatically the list of printers rather
# than setting them up individually
#
# Cups Options let you pass the cups libs custom options, setting it to raw
# for example will let you use drivers on your Windows clients
#
# Printcap Name let you specify an alternative printcap file
#
# You can choose a non default printing system using the Printing option

load printers = yes
cups options = raw

; printcap name = /etc/printcap
# obtain list of printers automatically on SystemV
; printcap name = lpstat
; printing = cups

# --------------------------- Filesystem Options ---------------------------
#
# The following options can be uncommented if the filesystem supports
# Extended Attributes and they are enabled (usually by the mount option
# user_xattr). These options will let the admin store the DOS attributes
# in an EA and make samba not mess with the permission bits.
#
# Note: these options can also be set just per share, setting them in global
# makes them the default for all shares

; map archive = no
; map hidden = no
; map read only = no
; map system = no
; store dos attributes = yes

#============================ Share Definitions ==============================

[homes]
comment = Home Directories
browseable = no
writable = yes
; valid users = %S
; valid users = MYDOMAIN\%S

[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes

# Un-comment the following and create the netlogon directory for Domain Logons
; [netlogon]
; comment = Network Logon Service
; path = /var/lib/samba/netlogon
; guest ok = yes
; writable = no
; share modes = no

# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
; [Profiles]
; path = /var/lib/samba/profiles
; browseable = no
; guest ok = yes

# A publicly accessible directory, but read only, except for people in
# the "staff" group
; [public]
; comment = Public Stuff
; path = /home/samba
; public = yes
; writable = yes
; printable = no
; write list = +staff

# Directory used for Caspershare.
[caspershare]
comment = caspershare
path = /usr/local/caspershare
browseable = no
guest ok = no
read only = yes
create mask = 0755
read list = myjss_users
write list = myjss_users
valid users = myjss_users

SOLVED Posted: by dvasquez

Yes, from my experience you leave it mostly intact and edit the "Directory used for" section.

I always make a backup of files just in case.

SOLVED Posted: by donmontalvo

Hmm...we're using RHEL and never had to use "valid users".

[CasperShare]
comment = CasperShare
path = /srv/samba/CasperShare
browseable = no
guest ok = no
read only = yes
create mask = 0755
read list = casperinstall
write list = casperadmin

Also for RHEL the service is smb (not smbd).

sudo service smb restart

HTH,
Don

SOLVED Posted: by endor-moon

My smb.conf (at the bottom) looks like this:

[casper]
comment = casper
path = /srv/casper
browseable = yes
writeable = yes
guest ok = no
create mask = 0755
read list = casperinstall, myusername
write list = casperadmin, myusername
valid users = casperadmin, casperinstall

This allows user "myusername" to get on the share outside of Casper and read/copy files. I'm running Ubuntu 16.04 LTS. I'm not sure if I should add "myusername" to the valid users list but it seems to work without it.

SOLVED Posted: by johnklimeck

Ok,

After some time, I have this working, meaning I am finally able to successfully mount the "CasperShare" volume from macOS via "Connect to Server" on this Linux server (VMware) / CentOS (although moving to Red Hat for prod).

And I am able to drag / download a 2 GB file in under a minute.

The Linux vm is on fast hardware, with a Gig E connection....

Now the real issue is in Self Service, it is slow and never gets to "Installing" in Self Service, using "use HTTP downloads"

As you are probably well aware, there is still, as of yet, no easy way to "Enable / Disable" a File Share / DP in the JSS, short of inputting an "incorrect" server name or IP address, thus making the DP unreachable.

I am then making this PROD DP (a Mac Mini, macOS 10.12.3) fail over to this new Linux server / DP.

Downloading Adobe After Effects (2 GB) pkg, and as with HTTP you will see Downloading, then Installing.

Never gets to Installing.... Any ideas on what is going on?

Thx in advance....

john k

SOLVED Posted: by krispayne

@johnklimeck a few things:

  • what do the policy logs say (on the jss) for that machine that tried to download?
  • does your package filename have spaces?
  • how did you package the adobe product? lots of people have been having issues lately with adobe stuff failing.
SOLVED Posted: by donmontalvo

@johnklimeck

And I am able to drag / download a 2 GB file in under a minute.

Would also verify that HTTP download is working http://server.domain.com/CasperShare/Pacakges/pacakge.pkg.zip.

Maybe post screenshots of the configuration tabs for the DP in JSS? And maybe tail -f /var/log/jamf.log during the policy run.

SOLVED Posted: by heiden

FWIW, I used a slightly different approach to the SELinux setting. I wanted to also have HTTP downloads available from my file distro point, which means there are multiple SELinux domains in play. I followed the Fedora Project documentation at https://fedoraproject.org/wiki/SELinux/samba, specifically the part in the "Sharing Files" section. So instead of the suggested "chcon -t samba_share_t /path/to/share" I used "chcon -t public_content_rw_t /path/to/share" along with the additional command "setsebool -P allow_smbd_anon_write=1". This allows Casper Admin to function correctly, allows Apache to read the installer packages, and if I need to I can connect to the SMB share (not that I would really need to do so). The server in question is RHEL 7, since where I work has a license for RHEL Enterprise. I assume this would work on Ubuntu; I'd be surprised if it didn't.

SOLVED Posted: by kerouak

We can't seem to get this to function, here's our conf file..

Can anyone see any issues??

; [homes]
; comment = Home Directories
; browseable = no
; writable = yes
; valid users = %S
; valid users = MYDOMAIN\%S

[casper] path = /CasperShare comment = Casper Share
; browseable = no browseable = yes writable = yes valid users = casperinstall, casperadmin
; valid users = MYDOMAIN\%S
; [printers]
; comment = All Printers
; path = /var/spool/samba
; browseable = no
; guest ok = no
; writable = no
; ; printable = yes

# Un-comment the following and create the netlogon directory for Domain Logons

; [netlogon]
; comment = Network Logon Service
; path = /var/lib/samba/netlogon
; guest ok = yes
; writable = no
; share modes = no

# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory

; [Profiles]
; path = /var/lib/samba/profiles
; browseable = no
; guest ok = yes

# A publicly accessible directory, but read only, except for people in
# the "staff" group

; [public]
; comment = Public Stuff
; path = /home/samba
; public = yes
; writable = yes
; printable = no
; write list = +staff

THANKS

SOLVED Posted: by kneitzel

Hi kerouak,

could you provide the config file in a readable format? Not sure if it is just the formatting of the forum or problems with the config file. When posting code, just use the [>_] button on top of the edit window and replace the "#!/bin/sh" with your config file.

Important:
a) Be sure to keep line breaks where required!
b) Uncomment lines in which you want to set something.

So you have paragraphs which are put into [...]
Then you have settings inside a paragraph with key = value

So make sure that these are on their own lines:

[casper]
path = /CasperShare
comment = Casper Share
; browseable = no
browseable = yes
writable = yes
valid users = casperinstall, casperadmin
; valid users = MYDOMAIN\%S

Maybe it was just the formatting of the forum, but that is what is important in your config file.

And could you describe what is not working? What error do you get when you try to map the drive? That might help to localize the problem.

With kind regards,

Konrad

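One way to check a share definition for the points in the article's step 5 (guest access, read-only with a separate write list, valid users) and for Konrad's advice above about each key = value needing its own line, as an added example that is not code from the article, from Jamf or from Samba. It assumes only POSIX sh with awk, grep and tr; the share and account names are the article's own, and the two smb.conf snippets are constructed sample input.

```shell
#!/bin/sh
# Added example (not from the Jamf article or Samba): lint a share definition
# in smb.conf for the access settings the procedure relies on and for the
# lost line breaks discussed in this thread. Assumes POSIX sh, awk, grep, tr.

# Constructed: the share from step 5 of the article.
SAMPLE_GOOD='[CasperShare]
comment = CasperShare
path = /srv/samba/CasperShare
browseable = no
guest ok = no
read only = yes
create mask = 0755
read list = casperinstall
write list = casperadmin
valid users = casperadmin, casperinstall
'
# Constructed: the same kind of share with its line breaks collapsed.
SAMPLE_BAD='[casper] path = /CasperShare comment = Casper Share
; browseable = no browseable = yes writable = yes valid users = casperinstall, casperadmin
'

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# get_param CONF SHARE KEY: print the value of KEY inside [SHARE]. Section and key
# names are case-insensitive; lines starting with ';' or '#' are comments.
get_param() {
    printf '%s\n' "$1" | awk -v share="$(lower "$2")" -v key="$(lower "$3")" '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/   { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
                        in_share = (tolower(s) == share); next }
        in_share && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == key) { print v; exit } }'
}

# lint_share CONF SHARE: print every problem found; return 0 only if there are none.
lint_share() {
    conf=$1; share=$2; problems=0
    printf '%s\n' "$conf" | grep -iq "^[[:space:]]*\[$share\]" ||
        { echo "[$share]: section not found"; return 1; }
    if printf '%s\n' "$conf" | grep -iq "^[[:space:]]*\[$share\][[:space:]]*[^[:space:]]"; then
        echo "[$share]: settings follow the section header on the same line; each key = value needs its own line"
        problems=$((problems + 1))
    fi
    guest=$(lower "$(get_param "$conf" "$share" "guest ok")")
    ro=$(lower "$(get_param "$conf" "$share" "read only")")
    wl=$(get_param "$conf" "$share" "write list")
    vu=$(get_param "$conf" "$share" "valid users")
    # Samba defaults to guest ok = no and read only = yes, so an unset key is acceptable.
    [ -z "$guest" ] || [ "$guest" = no ] || { echo "[$share]: guest ok must be no; unauthenticated clients could read packages"; problems=$((problems + 1)); }
    [ -z "$ro" ] || [ "$ro" = yes ] || { echo "[$share]: read only should be yes; grant writes only through write list"; problems=$((problems + 1)); }
    [ -n "$wl" ] || { echo "[$share]: write list is empty; no account can upload packages"; problems=$((problems + 1)); }
    [ -n "$vu" ] || { echo "[$share]: valid users is empty; any Samba account on this host can connect"; problems=$((problems + 1)); }
    [ "$problems" -eq 0 ]
}

lint_share "$SAMPLE_GOOD" CasperShare && echo "[CasperShare]: OK"
lint_share "$SAMPLE_BAD" casper || echo "[casper]: fix the problems listed above"
```

To check a real file, replace the constructed samples with `$(cat /etc/samba/smb.conf)` and the share name you configured.
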
SOLVED Posted: by kerouak

I can't browse the share at all.
Can't connect via JSS


#============================ Share Definitions ==============================

; [homes]
; comment = Home Directories
; browseable = no
; writable = yes
; valid users = %S
; valid users = MYDOMAIN\%S

[casper] path = /CasperShare comment = Casper Share
; browseable = no browseable = yes writable = yes valid users = casperinstall, casperadmin
; valid users = MYDOMAIN\%S
; [printers]
; comment = All Printers
; path = /var/spool/samba
; browseable = no
; guest ok = no
; writable = no
; ; printable = yes

# Un-comment the following and create the netlogon directory for Domain Logons

; [netlogon]
; comment = Network Logon Service
; path = /var/lib/samba/netlogon
; guest ok = yes
; writable = no
; share modes = no

# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory

; [Profiles]
; path = /var/lib/samba/profiles
; browseable = no
; guest ok = yes

# A publicly accessible directory, but read only, except for people in
# the "staff" group

; [public]
; comment = Public Stuff
; path = /home/samba
; public = yes
; writable = yes
; printable = no
; write list = +staff

SOLVED Posted: by kerouak

It's EXACTLY like this.

[casper]
path = /CasperShare
comment = Casper Share
; browseable = no
browseable = yes
writable = yes
valid users = casperinstall, casperadmin
; valid users = MYDOMAIN\%S

SOLVED Posted: by sdagley

If you're on a RHEL system you'll probably want to do a sudo /sbin/chkconfig --levels 345 smb on if you want the smb service to come back up after a reboot as it doesn't by default (at least in my RHEL 6 & 7 environments). I'm not sure if something similar is necessary on Ubuntu or not.

SOLVED Posted: by sdagley

@heiden I'm also using RHEL 7 for a DP and want https and smb support, so I'm using the chcon -R -t public_content_rw_t /path/to/share and setsebool -P allow_smbd_anon_write=1 commands so they'll coexist. What I've discovered however is that Jamf Admin can't delete anything from the DP, and if I mount the smb share with the Read/Write account and attempt to delete a file the Finder reports "The operation can’t be completed because you don’t have permission to access some of the items.". Did you run into this problem, and if so what solution did you find?
