How do I use Samba to share folders on a Bright Head Node?

This article is being updated. Please be aware the content herein, not limited to version numbers and slight syntax changes, may not match the output from the most recent versions of Bright. This notation will be removed when the content has been updated

Basically:  /etc/samba/smb.conf needs to be modified to add the required share, and shorewall rules should be added to allow traffic through the firewall. This can be done with the following recipes for a public share and a private share:

1. Public Share

The following configurations will allow any user to access the shared folder without authentication.

a. Install Samba server on the head node.

# yum install samba

b. Modify smb.conf:

# cat /etc/samba/smb.conf
[global]
workgroup = BCM
security = share
log file = /var/log/samba/log.%m
max log size = 50
[samba]
path = /samba
browsable = yes
read only = no
public = yes
writable = yes
available = yes
guest ok = yes
guest account = nobody

Note: The name of the share “[samba]” can differ from the path of the share. For example, you can use “[localstore]” as the name of the share to point to “/local/storage/samba” path:

[localstore]
path = /local/storage/samba
browsable = yes
writable = yes

c. Restart Samba service.
# service smb restart

d. Modify shorewall rules to allow Samba traffic:

# cat /etc/shorewall/rules
[...]
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
SMB(ACCEPT)    net   fw

e. Restart shorewall service.

# service shorewall restart

This way users will be able to access the /samba share on the head node without authentication.

2. Private Share

The following configurations will allow only registered users to access the shared folder with their credentials.

Please note that in order for these instructions to work, you will need to enable access to the LDAP server on port 389, which is unencrypted. 

a. Enable Slapd access on TCP port 389

Edit /etc/sysconfig/slapd and modify the SLAPD_URLS line to :
        SLAPD_URLS="ldaps:/// ldapi:/// ldap:///"
        Restart the slapd service with "service slapd restart".

b. Modify smb.conf:

# cat /etc/samba/smb.conf
[global]
workgroup = CM
security = user
passdb backend = ldapsam:ldap://localhost/
ldap suffix = dc=cm,dc=cluster
ldap admin dn = cn=root,dc=cm,dc=cluster
ldap group suffix = ou=Groups
ldap passwd sync = yes
ldap ssl = off
log file = /var/log/samba/log.%m
max log size = 50
[samba]
path = /samba
browsable = yes
writable = yes

c. Modify slapd.conf by adding the following lines:

# cat /cm/local/apps/openldap/etc/slapd.conf
[...]
include /cm/local/apps/openldap/etc/schema/samba.schema
[...]
access to attrs=sambaNTPassword
by self write
by anonymous auth
by * none
[...]

The sambaNTpassword text in the preceding extract is entered literally. There is no substitution done.

d. Copy the samba schema to the expected location:

# cp /etc/openldap/schema/samba.schema /cm/local/apps/openldap/etc/schema/

e. Add the root DN password to Samba:

# smbpasswd -w <smb_password>

     The <smb_password>  text in the preceding extract is replaced by the password of the root DN of the LDAP server. The password can be found in cmd.conf by running:

# grep LDAPPass /cm/local/apps/cmd/etc/cmd.conf

f. Register existing LDAP users to Samba:
    example:

# smbpasswd -a cmsupport
New SMB password:
Retype new SMB password:
   Added user cmsupport.

    This needs to be done for all the users.

g. Restart LDAP server:

# service ldap restart

h. Restart Samba service.

# service smb restart

i. Modify shorewall rules to allow Samba traffic:

# cat /etc/shorewall/rules
[...]
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
SMB(ACCEPT)    net   fw
j. Restart shorewall service
# service shorewall restart
k. Verify you'll be able to access the samba share:
# smbclient //<hostname>/samba -U cmsupport
Enter cmsupport's password:
Domain=[CM] OS=[Unix] Server=[Samba 3.6.9-167.el6_5]
smb: \>

3. Private Share with Active Directory as a backend for users

a. Modify smb.conf:

[global]
workgroup = BCM
realm = BCM.LOCAL
security = ADS
password server = win2008.bcm.local
max disk size = 307200
load printers = No
printing = bsd
printcap name = /dev/null
#idmap config ACME: default = yes
#idmap config ACME: backend = rid
ldap suffix = dc=acme,dc=local
ldap admin dn = CN=Administrator,CN=Users,DC=bcm,DC=local
ldap passwd sync = yes
ldap ssl = off
log level = 3
log file = /var/log/samba/log.%m
max log size = 50
#username level = 2
#username map = /root/smb.map
[projects]
path = /projects-data
browsable = yes
writable = yes
create mask = 0644
directory mask = 0755
[home]
path = /home-data
browsable = yes
writable = yes
create mask = 0644
directory mask = 0775

b. save the password in secrets.tdb (assuming you have already integrated with AD).

# smbpasswd -w Administrator

c. restart smb service and follow the steps outlined in no. 2 starting from point “h.”