Configuring Samba for Segolip

Segolip's unit has many customers who use the HPC to analyze data from the labs. Segolip has several administrative users who are in charge of copying data to/from the HPC and into the proper customers' folders. These administrators have read/write access to the root of the Segolip data, under which they will move data to the appropriate places for their customers to access. Customers are not allowed to write in these folders, so they must use the data where it is, or copy it somewhere else in order to use it.

Customers have shell accounts and samba accounts.

Add Samba config changes

Instruct Samba to keep samba passwords in sync with Unix passwords. That is, when a Samba user changes their password, their corresponding Unix password changes too.

Add or uncomment the following lines in the [global] section of Samba's config:

unix password sync = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*

Add groups

Add the groups first so that users can be placed directly into their groups when their accounts are created. For each customer, create the group, then create its storage folder with the proper permissions.

# groupadd icipe
# mkdir /export/home/segoli/ICIPE

It is important to change the permissions so that other users cannot access the folder (o-rwx) and to set the setgid bit (g+s) so that any file or folder created inside is owned by the folder's group rather than the creator's primary group. This reduces confusion for lazy or inexperienced admins.

# chown -R segoliadmin:icipe /export/home/segoli/ICIPE
# chmod o-rwx,g+s /export/home/segoli/ICIPE

Add users

To use Samba a user must also have a Unix account. Create the Unix account and add the user to any required groups before you attempt to create the Samba account.

Add the user:

# useradd mkyalo

In /etc/passwd, add the real name and organisation (the GECOS field) to the user's entry. See before and after:

-- before --
mkyalo:x:755:755::/export/home/mkyalo:/bin/bash
-- after --
mkyalo:x:755:755:Martina Kyalo,IITA:/export/home/mkyalo:/bin/bash

Add the user to the appropriate groups. For example, the user above is part of the iita group (which already exists):

# gpasswd -a mkyalo iita
Adding user mkyalo to group iita
# id mkyalo
uid=755(mkyalo) gid=755(mkyalo) groups=755(mkyalo),10003(iita)

Set the user's Unix and Samba passwords:

# passwd mkyalo
# smbpasswd -a mkyalo

Sync users and groups

It is very important to synchronize the user and group information from the head node to the compute nodes. Rocks has a command for this:

# rocks sync users
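The account steps above, from creating the Unix account through to "rocks sync users", collected into one function as an added example (this is not a script from the original page). It enforces the ordering the page requires: every group must already exist, the Unix account and group memberships come first, the Samba account last, and the sync runs at the end. Set DRY_RUN to print the commands instead of running them; without it the function must run as root on the head node. "useradd -c" is assumed here as the equivalent of editing the GECOS field by hand in /etc/passwd.

```shell
#!/bin/sh
# Added example, not code from the original page: onboard one Samba user in the
# order the page requires. DRY_RUN=1 prints the commands instead of running them.

# run CMD...: execute the command, or print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# add_samba_user LOGIN "Full Name,Org" GROUP...
add_samba_user() {
    login=$1; gecos=$2; shift 2
    # Every group must already exist: the page creates groups before users,
    # and gpasswd cannot add a member to a group that is missing.
    for g in "$@"; do
        if [ -z "${DRY_RUN:-}" ] && ! getent group "$g" >/dev/null; then
            echo "group $g does not exist; run groupadd first" >&2
            return 1
        fi
    done
    # Unix account first; -c writes the GECOS field the page edits by hand.
    run useradd -c "$gecos" "$login" || return 1
    for g in "$@"; do
        run gpasswd -a "$login" "$g" || return 1
    done
    # Unix password, then the Samba account (which needs the Unix account).
    run passwd "$login" || return 1
    run smbpasswd -a "$login" || return 1
    # Push the new user and group data from the head node to the compute nodes.
    run rocks sync users
}

# plan_samba_user: same arguments, but only prints what would be run.
plan_samba_user() {
    ( DRY_RUN=1; add_samba_user "$@" )
}

# Demo with the page's example user (constructed values).
plan_samba_user mkyalo "Martina Kyalo,IITA" iita
```

Run it once with plan_samba_user to review the commands, then call add_samba_user as root for the real change.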

This will automatically:

Set ACLs

Set the extended ACL so that anyone in the segoliadmin group can enter and modify the directory:

# setfacl -m group:segoliadmin:rwx BECA/ BT0* ICIPE/ ICRAF/ ICIPE/ IITA/

Set the default ACL so that files/folders inside the folder inherit the same extended ACL as the parent (this is the -d):

# setfacl -d -m group:segoliadmin:rwx BECA/ BT0* ICIPE/ ICRAF/ ICIPE/ IITA/

View the result on one folder:

# getfacl ICRISAT/
# file: ICRISAT
# owner: segoliadmin
# group: icrisat
user::rwx
group::r-x
group:segoliadmin:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:segoliadmin:rwx
default:mask::rwx
default:other::---
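The folder layout from the "Add groups" section (group folder with o-rwx and setgid) together with the ACL step above, as an added example that is not code from the original page. It creates a group folder with the intended mode, grants the admin group its access and default ACL entries the way the page's setfacl commands do, and audits an existing folder for both properties, which is the check worth running after the fact. Directory and group names are constructed for the demo; chown is left out because it needs root.

```shell
#!/bin/sh
# Added example, not code from the original page: create and audit a customer
# data folder with the permissions and ACLs the page describes.

# Mode 2770: owner rwx, group rwx, other nothing, setgid so new files keep the
# folder's group. Equivalent to the page's "chmod o-rwx,g+s" on a 775 folder.
make_group_dir() {
    mkdir -p -m 0775 "$1"
    chmod o-rwx,g+s "$1"
}

# Grant the admin group rwx now (-m) and on everything created later (-d -m).
grant_admin_acl() {
    dir=$1; admin=$2
    command -v setfacl >/dev/null || { echo "setfacl not installed" >&2; return 1; }
    setfacl -m "group:$admin:rwx" "$dir" && setfacl -d -m "group:$admin:rwx" "$dir"
}

# Octal mode of a path (GNU stat), e.g. 2770.
mode_of() {
    stat -c %a "$1"
}

# 0 when the setgid bit is set and "other" has no permission bits, else 1.
# The first digit holds the special bits; 2, 3, 6 and 7 all contain setgid.
check_group_dir() {
    case "$(mode_of "$1")" in
        [2367]??0) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 when the admin group holds both the access and the default ACL entry,
# matching the getfacl output shown on the page.
check_admin_acl() {
    dir=$1; admin=$2
    acl=$(getfacl -p "$dir" 2>/dev/null) || return 1
    printf '%s\n' "$acl" | grep -q "^group:$admin:rwx\$" &&
        printf '%s\n' "$acl" | grep -q "^default:group:$admin:rwx\$"
}

# Demo on a throw-away directory: one folder built correctly, one left at the
# default umask so the audit has something to flag.
tmp=$(mktemp -d)
make_group_dir "$tmp/ICIPE"
mkdir -p "$tmp/loose"
for d in "$tmp/ICIPE" "$tmp/loose"; do
    if check_group_dir "$d"; then
        echo "OK   $(mode_of "$d") $d"
    else
        echo "FAIL $(mode_of "$d") $d"
    fi
done
rm -rf "$tmp"
```

On the real server, run check_group_dir and check_admin_acl over each customer folder after making changes; a folder that fails the first check lets every shell user on the head node read it.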

In addition to the minimum ACL (the "minimum" ACL is the normal Unix permissions of user, group, other), the extended ACLs include:

Understanding ACLs

Add Samba shares

Add the following share definitions to /etc/samba/smb.conf: one for the Segolip administrators and one for each customer group:

[segolip]
    comment = Segolip group data
    path = /export/home/segoli
    read only = no
    valid users = @segoliadmin
    force user = segoliadmin

[icipe]
    comment = Segolip/ICIPE data
    path = /export/home/segoli/ICIPE
    read only = yes
    valid users = @icipe

The force user directive tells Samba to perform all file-system operations on that share as the segoliadmin Unix user, whoever connected; valid users is what restricts who may connect in the first place.
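A small audit of share definitions, added here as an example and not code from the original page, for the two mistakes that matter most in this layout: a share that uses force user without valid users (every connecting account would act as segoliadmin), and a share that never sets "read only", which therefore stays read-only because that is Samba's default. It also flags hyphenated parameter names such as "read-only": Samba ignores whitespace inside parameter names but not hyphens, so testparm reports such a line as an unknown parameter and the setting has no effect. The config text is constructed for the demo; on a real server run "testparm -s" as well.

```shell
#!/bin/sh
# Added example, not code from the original page: audit smb.conf share
# definitions. The sample config is constructed for the demo.

SAMPLE_SMB_CONF=$(cat <<'EOF'
[global]
    unix password sync = Yes

[segolip]
    comment = Segolip group data
    path = /export/home/segoli
    read-only = no
    valid users = @segoliadmin
    force user = segoliadmin

[icipe]
    comment = Segolip/ICIPE data
    path = /export/home/segoli/ICIPE
    read only = yes
    valid users = @icipe

[scratch]
    path = /export/scratch
    read only = no
    force user = segoliadmin
EOF
)

# audit_smb_conf CONFIG_TEXT: print one finding per line; [global] is skipped.
audit_smb_conf() {
    printf '%s\n' "$1" | awk '
    /^[ \t]*\[/ {
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*/, "", sec)
        if (sec != "global") shares[sec] = 1
        next
    }
    sec != "" && sec != "global" && /=/ {
        key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key); key = tolower(key)
        val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val); val = tolower(val)
        # Samba ignores whitespace inside parameter names but not hyphens, so
        # a hyphenated name is an unknown parameter and has no effect.
        if (key ~ /-/) printf "%s: unknown parameter \"%s\" is ignored by Samba\n", sec, key
        else p[sec, key] = val
    }
    END {
        for (s in shares) {
            # force user makes every connection the same Unix user, so the
            # share must also say who may connect at all.
            if ((s, "forceuser") in p && !((s, "validusers") in p))
                printf "%s: force user without valid users\n", s
            # "read only" defaults to yes; a writable share must set it.
            if (!((s, "readonly") in p))
                printf "%s: no read only setting, share is read-only by default\n", s
        }
    }'
}

# audit_count CONFIG_TEXT: number of findings, for use in scripts.
audit_count() {
    audit_smb_conf "$1" | wc -l | tr -d ' '
}

audit_smb_conf "$SAMPLE_SMB_CONF"
```

Feed it the real file with audit_smb_conf "$(cat /etc/samba/smb.conf)" after every edit; an empty result means the shares at least say who may connect and whether they are writable.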

Configure SWAT

The Samba Web Administration Tool allows you to modify Samba settings from a web interface, including changing user passwords. We need to install and configure SWAT to allow users to log in and change their passwords.

Install SWAT using yum:

# yum install samba-swat

SWAT does not run as a daemon; instead it is launched by xinetd, which listens on SWAT's behalf and starts swat when someone connects. Edit swat's xinetd configuration so that it looks like this:

/etc/xinetd.d/swat:

# default: off
# description: SWAT is the Samba Web Admin Tool. Use swat \
#              to configure your Samba server. To use SWAT, \
#              connect to port 901 with your favorite web browser.
service swat
{
        port            = 901
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/swat
        server_args = -P
        log_on_failure  += USERID
        disable         = no
}

Make sure you change the "server_args" and the "disable" lines! The "-P" makes it so non-root users can only see the password change page when they log into SWAT. Then restart xinetd:

# /etc/init.d/xinetd restart

SWAT can be accessed here: http://hpc.ilri.cgiar.org:901

Change a user's password by logging into SWAT as root.

Standard Operating Procedure

In order to access Segolip storage on the HPC a user first needs an account on the HPC (user/password created by the system administrator). After that the procedure is as follows:

In Windows:

  1. Click Start → Run and type: \\hpc.ilri.cgiar.org\groupname (where "groupname" is the group you've been given access to, such as iita, cimmyt, etc.)
  2. A message will appear asking for a username and password; enter the details you were given and press enter.
  3. If your account information is correct you will see a folder appear with your files inside.
  4. Your connection will remain active until the computer is shut down, restarted, or logged off.

On a Macintosh:

  1. Click Go → Connect to Server and type: smb://hpc.ilri.cgiar.org/groupname (where "groupname" is the group you've been given access to, such as iita, cimmyt, etc.)
  2. A message will appear asking for a username and password; enter the details you were given and make sure Domain is ILRI, then press enter.
  3. If your account information is correct you will see a folder appear with your files inside.
  4. Your connection will remain active until the computer is shut down, restarted, or logged off.