Samba
A minimal configuration
[global]
workgroup = ANGRES
passdb backend = tdbsam
[homes]
comment = Répertoire personnel de %u
read only = no
[monpartage]
comment = Description longue de mon partage
read only = no
path = /srv/samba/monpartage
Note that a share is read only by default, hence the need to disable that setting.
The implicit passdb backend is smbpasswd, which cannot store all the user fields (validity period, etc.), so we use tdbsam from the start to avoid surprises later on.
Creating a shared folder
cd /srv/samba/groups
mkdir nom_du_partage
chmod o= nom_du_partage
chmod g=rwxs nom_du_partage
chgrp nom_du_partage nom_du_partage
Then edit the Samba configuration file
/etc/samba/smb.conf:
[nom_du_partage]
comment = Répertoire pour ...
force group = nom_du_partage
path = /srv/samba/groups/nom_du_partage
valid users = @nom_du_partage
read only = no
create mask = 0660
directory mask = 0770
Test the configuration with:
testparm
Restart the file server:
/etc/init.d/samba restart
Note the trick for forcing the right group in shared directories:
[qualite]
...
force group = +qualite
...
[prod]
...
force group = +prod
Keeping compatibility with MS Woe9X and WoeMe
The new version in Debian Lenny (3.2.5) implicitly disables old clients, which also has the consequence of ERASING all passwords stored in the old format. You must therefore add the following to the configuration BEFORE upgrading:
lanman auth = yes
client plaintext auth = yes
client lanman auth = yes
For more information, see /usr/share/doc/samba/NEWS.Debian.gz:
samba (3.0.27a-2) unstable; urgency=low
* Weak authentication methods are disabled by default
Beginning with this version, plaintext authentication is disabled for
clients and lanman authentication is disabled for both clients and
servers. Lanman authentication is not needed for Windows
NT/2000/XP/Vista, Mac OS X or Samba, but if you still have Windows
95/98/ME clients (or servers) you may need to set lanman auth (or client
lanman auth) to yes in your smb.conf.
The "lanman auth = no" setting will also cause lanman password hashes to
be deleted from smbpasswd and prevent new ones from being written, so
that these can't be subjected to brute-force password attacks. This
means that re-enabling lanman auth after it has been disabled is more
difficult; it is therefore advisable that you re-enable the option as
soon as possible if you think you will need to support Win9x clients.
Client support for plaintext passwords is not needed for recent Windows
servers, and in fact this behavior change makes the Samba client behave
in a manner consistent with all Windows clients later than Windows 98.
However, if you need to connect to a Samba server that does not have
encrypted password support enabled, or to another server that does not
support NTLM authentication, you will need to set
"client plaintext auth = yes" and "client lanman auth = yes" in smb.conf.
-- Steve Langasek <vorlon@debian.org> Sat, 24 Nov 2007 00:23:37 -0800
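An added example, not part of the original page or of Samba: a small Python audit that parses an smb.conf and reports the three legacy authentication options above when they are enabled, plus writable shares that have no valid users line, so any authenticated account may connect and only Unix permissions restrict access. The sample configuration is constructed from the page's snippets and the function names are hypothetical; the auth options are assumed to default to no, as the NEWS entry describes, and only the read only spelling of writability is handled.

```python
import re

# Options the page sets for Win9x/Me clients (names normalized, see norm()).
WEAK_AUTH = ("lanmanauth", "clientlanmanauth", "clientplaintextauth")
TRUE = {"yes", "true", "1"}
SPECIAL = ("global", "homes", "printers")  # not ordinary shares

# Constructed sample assembled from the page's snippets.
SAMPLE = """\
[global]
Lanman Auth = yes
client plaintext auth = yes
; client lanman auth = yes
[homes]
read only = no
[monpartage]
read only = no
[nom_du_partage]
valid users = @nom_du_partage
read only = no
"""

def norm(name):  # smb.conf ignores case and whitespace in names
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    """Return {section: {parameter: value}} with normalized names."""
    conf, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = norm(line[1:-1])
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][norm(key)] = value.strip()
    return conf

def audit(text):
    """Return (section, finding) pairs for weak auth and open writable shares."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    found = [("global", k) for k in WEAK_AUTH if glob.get(k, "no").lower() in TRUE]
    for name, params in conf.items():
        writable = params.get("readonly", "yes").lower() not in TRUE
        if name not in SPECIAL and writable and "validusers" not in params:
            found.append((name, "writable without valid users"))
    return found
```

Calling audit() on the text of /etc/samba/smb.conf before and after an upgrade shows whether the legacy options are still in effect.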
See also
Links
- User, group and permission management: concepts of users and groups under Unix and Windows, and how they map to each other.