In order to complement last post about the NFS remote file system, in this post we will cover SAMBA. The main focus of this series is to document the possibilities of NextCloudPi, but it aims to be a general introduction to the technology.
Like NFS, SAMBA provides a remote file system that allows us to mount locally folders that are in reality in another computer.
SAMBA is a free and open source implementation of the SMB/CIFS (Server Message Block/Common Internet File System) by MicroSoft that was started in 1992.
SMB/CIFS is the protocol used in Windows networks to share files and printers, so SAMBA allows us to host files and printers that can be accessed from a Windows computer, as well as it allows a Linux computer to access files and printers shared in a Windows system.
Actually, it is so popular that Mac computers can also access SMB/CIFS remote filesystems, which makes SAMBA a good choice for “mixed” networks where we want to serve files to Linux, Windows, Mac computers… and even some Android applications are able to mount SMB/CIFS folders over the network.
Features
This is a highlight of its features
- The SAMBA server is implemented in userspace.
- It is supported by multiple platforms
- Its traffic is not encrypted, although it is in the roadmap of features
- It provides authenticated access.
- It can also share printers, combined with the CUPS printing server.
While the beauty of NFS its it’s simplicity, low resources requirements and the fact that it is implemented in the kernel, SAMBA is way more flexible, featureful and more appropriate for many setups except the most simple ones.
We have more control over the setup, as we can define different permissions for different users and the access is authenticated via username/password. Public shares can also be defined.
While installing the nfs-kernel-server only takes up 300 KB of our space, the smbd server takes around 40 MB.
Installation
Just install the appropriate package for your distribution, normally just samba.
In the case of NextCloudPi, just update to the latest version with
|
1 |
sudo ncp-update |
As usual, the generic installer can be used on any Debian based running server to install and configure through SSH, or on a Raspbian image through QEMU.
|
1 2 |
git clone https://github.com/nextcloud/nextcloudpi.git ./installer.sh samba.sh 192.168.0.128 |
Default configuration (NextCloudPi only)
In the specific case of NextCloudPi, we usually want to share the data folder on the local network, so select samba in
|
1 |
sudo nextcloudpi-config |
DIR is the directory to share. The default will be /var/www/nextcloud/data/admin/files for user admin on a fresh installation. If you have moved the data folder to an external drive, then it might be more similar to the default /media/USBdrive/ncdata/admin/files. Note that this is the path for the files belonging to the user admin.
If you would like a different setup, read the next section.
Manual configuration
The main configuration file is located at /etc/samba/smb.conf. There are many resources online about the configuration of this file, but the comments inside it are pretty much self-explanatory.
A share is defined by a configuration block that can be as simple as this
|
1 2 3 4 5 |
[NextCloudPi] path = /media/USBdrive/mysharedfolder writeable = yes ; browseable = yes valid users = pi |
If you want to be able to modify and delete files and folders from both Nextcloud and SAMBA mounts, you can add the following to the share
|
1 2 3 4 5 |
force group = www-data create mask = 0770 directory mask = 0771 force create mode = 0660 force directory mode = 0770 |
Users are controlled by smbpasswd, and smb.conf can be configured to synchronize their credentials with the Linux user credentials.
In order to add the user pi, type
|
1 |
sudo smbpasswd -a pi |
Make sure that the shared folder can be accessed by allowed users through the regular system permissions system.
Usage
Once the share is in place, we can browse it from Windows, Mac, and such.
In order to browse shares in Linux, we make use of smbclient.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 |
$ smbclient -L 192.168.0.128 -U pi Enter pi's password: Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.2.14-Debian] Sharename Type Comment --------- ---- ------- print$ Disk Printer Drivers NextCloudPi Disk IPC$ IPC IPC Service (Samba 4.2.14-Debian) Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.2.14-Debian] Server Comment --------- ------- RASPBERRYPI Samba 4.2.14-Debian Workgroup Master --------- ------- WORKGROUP |
We can see the NextCloudPi share defined earlier. We can use smbclient to login to a terminal interface that allows us to browse, push and pull files.
However, this is not very comfortable to use. It is better to mount the remote share.
|
1 |
$ sudo mount -t cifs //192.168.0.128/NextCloudPi /mnt -o username=pi,password=raspberry |
, or at boot from /etc/fstab
|
1 |
//192.168.0.128/NextCloudPi /mnt cifs username=pi,password=raspberry,rw,user 0 0 |
That is not ideal though, as the password will be shown in our history for the mount command, and fstab is visible to all users.
It is better to save our credentials in a read-only file and use the option credentials.
|
1 2 3 4 5 |
cat > ~/.smbfile <<EOF username=pi password=raspberry EOF chmod 600 ~/.smbfile |
|
1 |
//192.168.0.128/NextCloudPi /mnt cifs credentials=/home/pi/.smbfile,rw,user 0 0 |
The folder in the server at location /media/USBdrive/mysharedfolder will now be available in /mnt with those access permissions of user pi on that server.
Code
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 |
#!/bin/bash # SAMBA server for Raspbian # Tested with 2017-03-02-raspbian-jessie-lite.img # # Copyleft 2017 by Ignacio Nunez Hernanz <nacho _a_t_ ownyourbits _d_o_t_ com> # GPL licensed (see end of file) * Use at your own risk! # # Usage: # # ./installer.sh samba.sh <IP> (<img>) # # See installer.sh instructions for details # More at: https://ownyourbits.com # DIR_=/media/USBdrive/ncdata/admin/files USER_=pi PWD_=raspberry DESCRIPTION="SMB/CIFS file server (for Mac/Linux/Windows)" install() { apt-get update apt-get install --no-install-recommends -y samba update-rc.d smbd disable # the directory needs to be recreated if we are using nc-ramlogs grep -q mkdir /etc/init.d/smbd || sed -i "/\<start)/amkdir -p /var/log/samba" /etc/init.d/smbd } configure() { # INFO ################################ whiptail --msgbox \ --backtitle "NextCloudPi configuration" \ --title "Instructions for external synchronization" \ "If we intend to modify the data folder through SAMBA, then we have to synchronize NextCloud to make it aware of the changes. \n This can be done manually or automatically using 'nc-scan' and 'nc-scan-auto' from 'nextcloudpi-config'" \ 20 90 # CHECKS ################################ [ -d "$DIR_" ] || { echo -e "INFO: directory $DIR_ does not exist. Creating"; mkdir -p "$DIR_"; } [[ $( stat -fc%d / ) == $( stat -fc%d $DIR_ ) ]] && \ echo -e "INFO: mounting a in the SD card\nIf you want to use an external mount, make sure it is properly set up" # CONFIG ################################ sed -i '/\[NextCloudPi\]/,+5d' /etc/samba/smb.conf cat >> /etc/samba/smb.conf <<EOF [NextCloudPi] path = $DIR_ writeable = yes ; browseable = yes valid users = $USER_ EOF update-rc.d smbd defaults update-rc.d smbd enable service smbd start usermod -aG www-data $USER_ echo -e "$PWD_\n$PWD_" | smbpasswd -s -a $USER_ sudo chmod g+w $DIR_ } cleanup() { apt-get autoremove -y apt-get clean rm /var/lib/apt/lists/* -r rm -f /home/pi/.bash_history systemctl disable ssh } # License # # This script is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This script is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this script; if not, write to the # Free Software Foundation, Inc., 59 Temple Place, Suite 330, # Boston, MA 02111-1307 USA |
References
https://www.samba.org/samba/docs/using_samba/ch06.html
https://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html
That’s great, but I couldn’t understand well how I’d do a setup like what I’ll describe. Could you please help me?
– there’s only one user on the RPi, which is the default user Pi with changed password. I can add other users, if necessary;
– NextCloudPi users are: admin (just admin stuff, I’d delete it if I could, but no big deal); me (username ‘alc’, with admin privileges); my partner (username ‘lif’, belongs to group ‘users’, no admin privileges);
– user ‘lif’ should access her NextCloud data folder from her Macbook, and only her data folder, not ‘alc”s or ‘admin”s;
– user ‘alc’ should only access his NC data folder, and only this folder, not the other users’;
– users should be able to share files with each other through NC’s sharing feature, no need for sharing through samba, in principle.
So, is it attainable? Could you please help me?
On a side note, this NextCloudPi installation is just on the local network, no internet access – this is just for local wireless handling of files. Should I worry about SSL? Because I disabled ‘force HTTPS’.
Thank you and props for the great work!
I would create two samba users with
smbpasswd, then two shares, one for each user (valid usersline ) at their Nextcloud data locations (/media/USBdrive/ncdata/alc/files).Finally, grant system permissions over the data folder, but always keep Nextcloud (user
www-data) able to access. You can for example, change the group for the folder ( groupalc), and grant it read/write permissions.Regarding HTTPS… I think you can never be too paranoid, specially with private data. I would leave it on, because nowadays everything can access the internet. Say you have cheap chinese IoT toaster at home… it will be able to sniff your data and send it to the internet.
hey nacho,
do you know or/and would you be so kind an tell me on which protocol the installed samba bases? smb1, smb2 or smb3?
Samba version 4.2.14-Debian, supports all those
The protocol used depends on the client. It would probably be a good idea to disable SMB1
thanks for your answer.
>It would probably be a good idea to disable SMB1
that was the reason for asking. how do i do that? and/or couldn’t you do that on default? just for security reasons?
Hi nachoparker, do you have any updates on the encryption of samba.
I would like to use samba to share movies but I’m concerned about the security as I have it connected to the internet.
Any other ideas how I could stream movies from the pi to other devices in a secure way?
well, samba is LAN only, so in principle, nobody would be able to access from outside because your router is on the way.
if you want to stream movies, you can open movies from your browser with Nextcloud, or you could mount your video folder with SSHfs, or you could set up vlc as a server… first things that come to my head, but you can investigate, I might be missing something
I can’t get this to work as all folders and files created under NextCloudPi are created with permission that doesn’t allow Samba to delete or amend, specifically the w(rite) bit is not set for the group www-data. Creating files or folders under Samba works great and NextCloud is able to deal with them without issue.
Initally I ran;
sudo chgrp -R www-data
sudo chmod -R g+w
And;
sudo find -type d -exec chmod 2775 {} \;
sudo find -type f -exec chmod ug+rw {} \;
Which works great for all files and folders currently listed in NextCloud, but get NextCloud to create a new file or folder and it doesn’t create it with the w(rite) bit set for the group, seems the aforementioned commands would also need to be run everytime – seems very clumsy. What is the correct way to handle this?
you might need to add
force user = www-datatell us if it works for you
Yes, that fixed it – thanks!