Need help setting up distribution point on CentOS 6.2

dmcmillen
New Contributor II

The OS is CentOS 6.2, JSS 8.52 running fine on it.

Here's what I've got so far:

$yum install samba

$sudo useradd -d /home/casperadmin casperadmin -s /bin/false -N
$sudo useradd -d /home/casperinstall casperinstall -s /bin/false -N

$sudo passwd casperadmin
$sudo passwd casperinstall

$sudo smbpasswd -a casperadmin
$sudo smbpasswd -a casperinstall

$sudo mkdir /srv/samba/CasperShare
$sudo chown casperadmin /srv/samba/CasperShare

$ls -al /srv/samba/
drwxr-xr-x. 2 casperadmin root 4096 Jun 19 08:15 CasperShare

Contents of /etc/samba/smb.conf file:

[global]
        workgroup = MYGROUP
        security = user
        passdb backend = tdbsam

[CasperShare]
        comment = CasperShare
        path = /srv/samba/CasperShare
        browseable = yes
        guest ok = no
        read only = no
        create mask = 0755
        read list = casperinstall
        write list = casperadmin

Result:

Both casperadmin and casperinstall can mount and read from the share, but casperadmin cannot write to it. When mounting CasperShare from my Mac using the casperadmin account and attempting to copy a file to it, I first get a Mac authentication window, then the error "Items can't be copied to "CasperShare" because you don't have permission to read them."

Thanks all for any help/suggestions. Much appreciated. :)

6 REPLIES

jamie_ivanov
New Contributor

Have you checked your samba logs for a specific error? Be sure to have "valid users" or "valid groups" along with your read/write list of users or groups.

Here is an example of a share in my current smb.conf which is a per-share authentication basis:

[Storage]
        read list = nobody,jamie,@samba_admin,@samba_readonly
        admin users = @samba_admin, jamie
        write list = jamie
        force directory mode = 0775
        force group = samba_admin
        create mask = 0775
        public = yes
        user = nobody,jamie,@samba_admin,@samba_readonly
        path = /storage1/files
        force create mode = 0775
        force user = root
        comment = ...
        directory mask = 0775
        valid users = jamie,@samba_admin,@samba_readonly
        guest only = yes

Myself (jamie) as well as anyone in the "samba_admin" group can write to this share. Anybody authenticated as guest (nobody) or in the "samba_readonly" group will only have read-only privileges. The permissions are set up as the owner is me (jamie), group is samba_admin, and permissions are 755 for both files and directories. The samba server itself is set up for share level authentication (for what it's worth).

I hope this helps.

J.I.

chris_kemp
Contributor III

I set up a server here with CentOS 6.2, and I actually found it much easier to get AFP up & running (never could get SMB to work right...).

Great information here:

http://www003.upp.so-net.ne.jp/hat/netatalk/rpm.html

And look here for configuration info:

http://netatalk.sourceforge.net/2.0/htmldocs/AppleVolumes.default.5.html

rockpapergoat
Contributor III

check out what jamie suggested. also, you might want to change the group from root to something else with write privs on the share.

i'm setting up something similar but will probably use netatalk. in the past, netatalk has been a little easier to configure, at least.

jamie_ivanov
New Contributor

I currently use Netatalk for my Mac's TimeMachine backup to my server, which is rather convenient. It was a little cumbersome to get working initially, but in time and tweaking the AppleVolume.defaults yielded a worthwhile endeavor.

My /usr/local/etc/netatalk.conf:

ATALK_UNIX_CHARSET='LOCALE'
ATALK_MAC_CHARSET='MAC_ROMAN'

export ATALK_UNIX_CHARSET
export ATALK_MAC_CHARSET

My /usr/local/etc/AppleVolumes.default:

:DEFAULT: options:upriv,usedots

/storage1/backup/jamie "Time Machine" options:tm,usedots,upriv,perm,cnidserver:localhost:4700 ea:auto allow:jamie rwlist:jamie

I don't find that Samba is too difficult to set up but that's an unfair opinion considering I have considerably more experience with it. I know that Samba has more options when it comes to authentication, security, permissions, and network tuning. That is especially so when it comes to integration with a Windows environment. You always have the option of Webmin, but that has been known to produce config files that may work but fail the Samba "sanity" check. Samba does have the "Swat" web interface as well, but that isn't as well organized as the Webmin interface. Both may be good places to start. I rather like the options that Samba has for security/permissions with SMB/CIFS shares though.

Unfortunately, NFS doesn't come bundled with a wealth of security options natively. There are a number of configuration options that can be done to allow specific hosts, and user/group permissions. http://tldp.org/HOWTO/NFS-HOWTO/security.html

If NFS is the route you want to go for Linux/UNIX compatibility, don't let your Windows clients hold you back. Install Windows Services for UNIX to get NFS support in Windows. http://www.microsoft.com/en-us/download/details.aspx?id=274

If security is a must, tunneling through SSH or VPN (I'm a fan of OpenVPN myself and use Tunnelblick on my Mac; you can also set up SSH tunnels with authentication or keys). You can tunnel Samba, Netatalk, NFS, etc.

J.I.

dmcmillen
New Contributor II

Well it turns out the problem was caused by SELinux. Disabling it fixed the problem... that's not ideal, but it'll work until I can figure out how to configure it properly.

Thanks for the tips... I may try configuring AFP as well.
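
Labeling the share for Samba is the usual alternative to the SELinux workaround mentioned above. The script below is an added example, not part of any post in this thread: it lists what SELinux denied to smbd and applies the samba_share_t type to the share; the sample log lines (including their var_t label) are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: see what SELinux denied to smbd, then label the share for
# Samba instead of disabling SELinux.

# Constructed audit.log lines; the var_t label on the share is an assumption.
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1340110500.101:411): avc:  denied  { write } for  pid=2210 comm="smbd" name="CasperShare" dev=dm-0 ino=131 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1340110502.007:412): avc:  denied  { getattr } for  pid=1987 comm="httpd" path="/srv/www" dev=dm-0 ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1340110511.550:419): avc:  denied  { add_name } for  pid=2210 comm="smbd" name="test.pkg" scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir
EOF
}

# Read audit records on stdin; print "perms name target_type" for each
# denial issued against smbd (other daemons are ignored).
smbd_denials() {
  awk '/avc:/ && /denied/ && /comm="smbd"/ {
    perm = ""; name = ""; ttype = ""
    for (i = 1; i <= NF; i++) {
      if ($i == "{") {
        for (j = i + 1; $j != "}" && j <= NF; j++)
          perm = perm (perm ? "," : "") $j
      } else if (index($i, "tcontext=") == 1) {
        split($i, c, ":"); ttype = c[3]      # user:role:type:level
      } else if (index($i, "name=") == 1) {
        name = substr($i, 6); gsub(/"/, "", name)
      }
    }
    print perm, name, ttype
  }'
}

# File-context pattern covering the share directory and everything below it.
fcontext_spec() { printf '%s(/.*)?\n' "${1%/}"; }

# Run as root: record the samba_share_t rule, relabel, and show the result.
# Afterwards set SELINUX=enforcing in /etc/selinux/config again.
label_share() {
  semanage fcontext -a -t samba_share_t "$(fcontext_spec "$1")" &&
  restorecon -Rv "$1" &&
  ls -Zd "$1"
}

case "${1:-}" in
  --apply) label_share "$2" ;;          # e.g. --apply /srv/samba/CasperShare
  *)       sample_log | smbd_denials ;; # demo on the constructed lines
esac
```

On the server itself, `smbd_denials < /var/log/audit/audit.log` shows the real denials; on CentOS 6 the `semanage` command comes from the policycoreutils-python package.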

Andrina
Contributor

I found this very useful when doing the same thing - http://wiki.centos.org/HowTos/SetUpSamba