This article is being updated. Please be aware that the content herein, including but not limited to version numbers and slight syntax changes, may not match the output from the most recent versions of Bright. This notation will be removed when the content has been updated.
Basically: /etc/samba/smb.conf needs to be modified to add the required share, and shorewall rules should be added to allow traffic through the firewall. This can be done with the following recipes for a public share and a private share:
1. Public Share
The following configurations will allow any user to access the shared folder without authentication.
a. Install Samba server on the head node.
# yum install samba
b. Modify smb.conf:
# cat /etc/samba/smb.conf
[global]
workgroup = BCM
security = share
log file = /var/log/samba/log.%m
max log size = 50

[samba]
path = /samba
browsable = yes
read only = no
public = yes
writable = yes
available = yes
guest ok = yes
guest account = nobody
Note: The name of the share “[samba]” can differ from the path of the share. For example, you can use “[localstore]” as the name of the share to point to “/local/storage/samba” path:
[localstore]
path = /local/storage/samba
browsable = yes
writable = yes
c. Restart Samba service.
# service smb restart
d. Modify shorewall rules to allow Samba traffic:
# cat /etc/shorewall/rules
[...]
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
SMB(ACCEPT) net fw
e. Restart shorewall service.
# service shorewall restart
This way users will be able to access the /samba share on the head node without authentication.
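The recipe above deliberately exposes a writable share to anonymous users, so it is useful to be able to list, from any smb.conf, every share that is both guest-accessible and writable. The script below is an added example (not from the article and not Bright's code) that does this with awk; the sample smb.conf is constructed inline to mirror the listing above, including the [localstore] variant, and the real file is /etc/samba/smb.conf.

```shell
#!/bin/sh
# Added example, not from the original article: list shares in an
# smb.conf that are both guest-accessible and writable.
# The sample file is constructed here; the real file is /etc/samba/smb.conf.

SAMPLE_CONF="${TMPDIR:-/tmp}/smb-audit-sample.conf"
cat > "$SAMPLE_CONF" <<'EOF'
[global]
workgroup = BCM
security = share
log file = /var/log/samba/log.%m
max log size = 50

[samba]
path = /samba
browsable = yes
read only = no
public = yes
writable = yes
available = yes
guest ok = yes
guest account = nobody

; variant from the note above: writable, but no guest access
[localstore]
path = /local/storage/samba
browsable = yes
writable = yes
EOF

# guest_writable_shares FILE
# Prints, one per line, every share section for which guest access
# ("guest ok = yes" or its synonym "public = yes") and write access
# ("writable = yes", "writeable = yes" or "read only = no") are both in
# effect. Values set in [global] act as defaults for later sections, as
# they do in Samba; an explicit "no" inside a share overrides them.
guest_writable_shares() {
    awk '
        function flush() {
            if (share != "" && tolower(share) != "global" && guest && writable) print share
        }
        /^[[:space:]]*[#;]/ { next }                      # comment line
        /^[[:space:]]*\[/ {                                # section header
            if (tolower(share) == "global") { gguest = guest; gwritable = writable } else flush()
            share = $0
            sub(/^[[:space:]]*\[/, "", share); sub(/].*$/, "", share)
            guest = gguest; writable = gwritable             # inherit [global] defaults
            next
        }
        {
            line = tolower($0); gsub(/[[:space:]]/, "", line)  # "guest ok = yes" -> "guestok=yes"
            if (line == "guestok=yes" || line == "public=yes") guest = 1
            if (line == "guestok=no"  || line == "public=no")  guest = 0
            if (line == "writable=yes" || line == "writeable=yes" || line == "readonly=no")  writable = 1
            if (line == "writable=no"  || line == "writeable=no"  || line == "readonly=yes") writable = 0
        }
        END { flush() }
    ' "$1"
}

guest_writable_shares "$SAMPLE_CONF"    # prints: samba
```

Run the same function against /etc/samba/smb.conf after step b to confirm that only the share you intended is listed. `testparm -s` complements it: it validates the syntax Samba will actually load and prints the effective parameters, so a guest setting inherited from [global] shows up there as well.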
2. Private Share
The following configurations will allow only registered users to access the shared folder with their credentials.
Please note that in order for these instructions to work, you will need to enable access to the LDAP server on port 389, which is unencrypted.
a. Enable Slapd access on TCP port 389
Edit /etc/sysconfig/slapd and modify the SLAPD_URLS line to:
SLAPD_URLS="ldaps:/// ldapi:/// ldap:///"
Restart the slapd service with "service slapd restart".
b. Modify smb.conf:
# cat /etc/samba/smb.conf
[global]
workgroup = CM
security = user
passdb backend = ldapsam:ldap://localhost/
ldap suffix = dc=cm,dc=cluster
ldap admin dn = cn=root,dc=cm,dc=cluster
ldap group suffix = ou=Groups
ldap passwd sync = yes
ldap ssl = off
log file = /var/log/samba/log.%m
max log size = 50

[samba]
path = /samba
browsable = yes
writable = yes
c. Modify slapd.conf by adding the following lines:
# cat /cm/local/apps/openldap/etc/slapd.conf
[...]
include /cm/local/apps/openldap/etc/schema/samba.schema
[...]
access to attrs=sambaNTPassword
    by self write
    by anonymous auth
    by * none
[...]
The sambaNTPassword text in the preceding extract is entered literally; no substitution is done.
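Because the Samba schema stores NT password hashes in the directory, the access to attrs=sambaNTPassword directive above is what stops an anonymous or ordinary authenticated bind from reading them once the cleartext listener from step a is enabled. The script below is an added example (not from the article and not OpenLDAP's code) that checks an slapd.conf for that protection: it joins continuation lines, finds the first access to directive whose target covers the attribute (slapd uses the first match), and reports whether any by *, by anonymous or by users clause grants more than auth. Two configurations are constructed inline; the article's real file is /cm/local/apps/openldap/etc/slapd.conf.

```shell
#!/bin/sh
# Added example, not from the original article or from OpenLDAP: report
# whether an slapd.conf protects a password-hash attribute from anonymous
# and ordinary authenticated reads. Both files are constructed here; the
# article's real file is /cm/local/apps/openldap/etc/slapd.conf.

GOOD_CONF="${TMPDIR:-/tmp}/slapd-acl-good.conf"
BAD_CONF="${TMPDIR:-/tmp}/slapd-acl-bad.conf"

# The ACL exactly as the article shows it, followed by a catch-all.
cat > "$GOOD_CONF" <<'EOF'
include /cm/local/apps/openldap/etc/schema/samba.schema
access to attrs=sambaNTPassword
    by self write
    by anonymous auth
    by * none
access to *
    by * read
EOF

# Same directory with the samba ACL forgotten: only the catch-all applies.
cat > "$BAD_CONF" <<'EOF'
include /cm/local/apps/openldap/etc/schema/samba.schema
access to *
    by * read
EOF

# hash_acl_status FILE ATTR -> prints "protected" or "exposed".
# slapd applies the first "access to" directive whose target covers the
# attribute, and with no directive at all its default policy is world
# readable, so both cases are handled. Only the keyword access levels
# (none ... manage) are ranked; "=..." privilege sets are not parsed.
hash_acl_status() {
    awk -v attr="$2" '
        function rank(l) {      # position in the ordered level list, 0 if unknown
            return index(" none disclose auth compare search read write manage ", " " l " ")
        }
        function handle(line,   t, n, i, j, m, target, matched, a, who, level) {
            n = split(line, t, /[[:space:]]+/)
            if (n < 3 || t[1] != "access" || t[2] != "to") return
            target = t[3]; matched = 0
            if (target == "*") matched = 1
            else if (target ~ /^attrs=/) {
                m = split(substr(target, 7), a, ",")
                for (j = 1; j <= m; j++) if (tolower(a[j]) == tolower(attr)) matched = 1
            }
            if (!matched || decided) return
            decided = 1                      # first matching directive wins
            for (i = 4; i + 2 <= n; i++) {
                if (t[i] != "by") continue
                who = t[i + 1]; level = t[i + 2]
                if ((who == "*" || who == "anonymous" || who == "users") && rank(level) > rank("auth")) exposed = 1
            }
        }
        /^[[:space:]]*#/ { next }                               # comment
        /^[[:space:]]+/  { logical = logical " " $0; next }     # continuation line
        { handle(logical); logical = $0 }                       # new logical line
        END {
            handle(logical)
            if (!decided) exposed = 1                           # no ACL: slapd default is world readable
            print exposed ? "exposed" : "protected"
        }
    ' "$1"
}

echo "good: $(hash_acl_status "$GOOD_CONF" sambaNTPassword)"   # good: protected
echo "bad:  $(hash_acl_status "$BAD_CONF" sambaNTPassword)"    # bad:  exposed
```

The check only understands the keyword access levels and plain by clauses; by dn="..." clauses containing spaces are not tokenised correctly. The corresponding live check is an anonymous ldapsearch -x for the attribute against the server: the entry should come back without a sambaNTPassword value. If the cleartext listener only needs to serve Samba on the head node itself, ldap://127.0.0.1/ in SLAPD_URLS binds it to loopback instead of every interface.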
d. Copy the samba schema to the expected location:
# cp /etc/openldap/schema/samba.schema /cm/local/apps/openldap/etc/schema/
e. Add the root DN password to Samba:
# smbpasswd -w <smb_password>
The <smb_password> text in the preceding extract is replaced by the password of the root DN of the LDAP server. The password can be found in cmd.conf by running:
# grep LDAPPass /cm/local/apps/cmd/etc/cmd.conf
f. Register existing LDAP users to Samba:
Example:
# smbpasswd -a cmsupport
New SMB password:
Retype new SMB password:
Added user cmsupport.
This needs to be done for all the users.
g. Restart LDAP server:
# service ldap restart
h. Restart Samba service.
# service smb restart
i. Modify shorewall rules to allow Samba traffic:
# cat /etc/shorewall/rules
[...]
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
SMB(ACCEPT) net fw
j. Restart shorewall service.
# service shorewall restart
k. Verify that you can access the samba share:
# smbclient //<hostname>/samba -U cmsupport
Enter cmsupport's password:
Domain=[CM] OS=[Unix] Server=[Samba 3.6.9-167.el6_5]
smb: \>
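Steps 1.d and 2.i add the same rule to /etc/shorewall/rules. The helper below is an added example (not from the article and not Shorewall's code) that inserts a rule on the line before the #LAST LINE marker, as the marker's own comment asks, and does nothing when the rule is already present, so the recipe can be re-run without accumulating duplicates. The rules file is constructed inline. The article's listings show the rule after the marker, which Shorewall accepts too, since the marker is an ordinary comment to it.

```shell
#!/bin/sh
# Added example, not from the original article or from Shorewall:
# insert a rule before the "#LAST LINE" marker in a shorewall rules
# file, skipping the insert if the rule is already there.
# The rules file is constructed here; the real one is /etc/shorewall/rules.

RULES_FILE="${TMPDIR:-/tmp}/shorewall-rules-sample"
MARKER='#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE'

cat > "$RULES_FILE" <<'EOF'
#ACTION         SOURCE          DEST            PROTO   DEST
#                                                       PORT(S)
SSH(ACCEPT)     net             fw
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
EOF

# count_rule FILE RULE -> prints how many non-comment lines equal RULE,
# comparing with runs of whitespace collapsed so column alignment
# does not matter.
count_rule() {
    awk -v rule="$2" '
        function squash(s) {
            gsub(/[[:space:]]+/, " ", s); sub(/^ /, "", s); sub(/ $/, "", s); return s
        }
        BEGIN { want = squash(rule); n = 0 }
        !/^[[:space:]]*#/ && squash($0) == want { n++ }
        END { print n }
    ' "$1"
}

# add_shorewall_rule FILE RULE
# Writes RULE on the line immediately before the marker. Returns 1
# without touching the file if the marker is missing, because the
# marker itself says it must not be removed.
add_shorewall_rule() {
    file=$1; rule=$2
    if [ "$(count_rule "$file" "$rule")" -gt 0 ]; then
        return 0                                # already present: nothing to do
    fi
    if ! grep -qF -- "$MARKER" "$file"; then
        echo "add_shorewall_rule: marker line not found in $file" >&2
        return 1
    fi
    tmp="$file.tmp.$$"
    awk -v rule="$rule" -v marker="$MARKER" '
        index($0, marker) == 1 { print rule }   # emit the rule just before the marker
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# The article's rule: allow SMB from the net zone to the firewall itself.
add_shorewall_rule "$RULES_FILE" 'SMB(ACCEPT) net fw'
add_shorewall_rule "$RULES_FILE" 'SMB(ACCEPT) net fw'   # re-run: no duplicate
cat "$RULES_FILE"
```

Before the restart in step 1.e or 2.j, `shorewall check` compiles the configuration without loading it, so a malformed line is caught before the firewall is reloaded. If only part of the net zone should reach the share, the SOURCE column can carry an address alongside the zone (net:<internal-cidr>, with your own range in place of the placeholder) rather than accepting SMB from the whole zone.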
3. Private Share with Active Directory as a backend for users
a. Modify smb.conf:
[global]
workgroup = BCM
realm = BCM.LOCAL
security = ADS
password server = win2008.bcm.local
max disk size = 307200
load printers = No
printing = bsd
printcap name = /dev/null
#idmap config ACME: default = yes
#idmap config ACME: backend = rid
ldap suffix = dc=acme,dc=local
ldap admin dn = CN=Administrator,CN=Users,DC=bcm,DC=local
ldap passwd sync = yes
ldap ssl = off
log level = 3
log file = /var/log/samba/log.%m
max log size = 50
#username level = 2
#username map = /root/smb.map

[projects]
path = /projects-data
browsable = yes
writable = yes
create mask = 0644
directory mask = 0755

[home]
path = /home-data
browsable = yes
writable = yes
create mask = 0644
directory mask = 0775
b. Save the password in secrets.tdb (assuming you have already integrated with AD).
# smbpasswd -w Administrator
c. Restart the smb service and follow the steps outlined in section 2, starting from point “h”.